There are plenty of tutorials out there on how to do this process, I’m just writing it here for my own reference so I can come to a single place to find these notes.

Windows exe

Use this:

Linux ELF

$ pip install pydecipher

Then take your executable and do:

$ pydecipher path_to_elf

If you get no output, try 7zip to extract the ELF sections for us:

$ 7z x path_to_elf

This may produce several files, one per section, and hopefully one of them is called pydata. We can now try pydecipher on that:

$ pydecipher pydata

Now .pyc files are extracted and decompiled for us, ready for analysis.
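As an added illustration (not code from the original notes, nor from pydecipher), here is what the pydata section actually holds and why the tools above can pull .pyc files out of it: PyInstaller stores its bundled files in a CArchive that ends with a cookie describing a table of contents. The cookie and TOC layout used here is the 2.1+ style (88-byte cookie, big-endian fields) as read from PyInstaller's public sources; that layout, the type-code names, and the in-memory sample archive are assumptions of this example, not something the notes state.

```python
# Added example (not from the original notes or from pydecipher): parse the
# PyInstaller CArchive that lives in the ELF "pydata" section so you can see
# what pydecipher is about to extract. The cookie/TOC layout below is the one
# in PyInstaller's public CArchive code (2.1+ style, 88-byte cookie); the
# sample archive is constructed in memory, not taken from a real binary.
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"        # PyInstaller CArchive magic
COOKIE_FMT = "!8sIIii64s"                  # magic, pkg len, TOC offset, TOC len, pyver, libname
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes
ENTRY_FMT = "!iIIIBc"                      # entry len, data pos, csize, usize, zlib flag, type code
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 18 bytes, followed by the NUL-terminated name
TYPE_CODES = {b"s": "script", b"m": "module", b"M": "package", b"z": "PYZ",
              b"b": "binary", b"x": "data"}


def find_cookie(blob: bytes) -> int:
    """Offset of the cookie in the blob, or -1 if this does not look like PyInstaller."""
    off = blob.rfind(MAGIC)
    if off < 0 or len(blob) - off < COOKIE_SIZE:
        return -1
    return off


def parse_archive(blob: bytes) -> dict:
    """Parse the cookie and table of contents; TOC offsets are relative to the archive start."""
    off = find_cookie(blob)
    if off < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, _ = struct.unpack(COOKIE_FMT, blob[off:off + COOKIE_SIZE])
    base = off + COOKIE_SIZE - pkg_len     # archive start: the package ends with the cookie
    # Older cookies store 37 for Python 3.7; newer ones store 308 for 3.8.
    pymaj, pymin = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    entries, pos, end = [], base + toc_off, base + toc_off + toc_len
    while pos < end:
        entry_len, data_pos, csize, usize, flag, code = struct.unpack(ENTRY_FMT, blob[pos:pos + ENTRY_SIZE])
        name = blob[pos + ENTRY_SIZE:pos + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "pos": data_pos, "csize": csize, "usize": usize,
                        "compressed": flag == 1, "type": TYPE_CODES.get(code, code.decode())})
        pos += entry_len
    return {"base": base, "python": (pymaj, pymin), "entries": entries}


def extract_entry(blob: bytes, archive: dict, name: str) -> bytes:
    """Return the bytes of one entry, inflating it if the TOC marks it zlib-compressed."""
    for e in archive["entries"]:
        if e["name"] == name:
            start = archive["base"] + e["pos"]
            raw = blob[start:start + e["csize"]]
            return zlib.decompress(raw) if e["compressed"] else raw
    raise KeyError(name)


def build_sample_archive(files: dict, pyver: int = 308) -> bytes:
    """Constructed fixture: a fake ELF prefix followed by a CArchive holding `files` as 's' entries."""
    prefix = b"\x7fELF" + b"\0" * 60        # stand-in for the real sections before pydata
    body, toc = b"", b""
    for name, data in files.items():
        comp = zlib.compress(data)
        rec_name = name.encode() + b"\0"
        toc += struct.pack(ENTRY_FMT, ENTRY_SIZE + len(rec_name), len(body),
                           len(comp), len(data), 1, b"s") + rec_name
        body += comp
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), pyver,
                         b"libpython3.8.so".ljust(64, b"\0"))
    return prefix + body + toc + cookie


if __name__ == "__main__":
    sample = build_sample_archive({"main": b"print('hi')", "helper": b"x = 1"})
    arc = parse_archive(sample)
    print("python", arc["python"])
    for e in arc["entries"]:
        print(e["type"], e["name"], e["usize"], "bytes")
    print(extract_entry(sample, arc, "main"))
```

Running it on the pydata file that 7z produced (read it with `open(path, "rb").read()` and pass it to `parse_archive`) tells you the Python version the sample was built with, which matters because the decompiler needs a matching interpreter, and lists the script entries before you hand anything to pydecipher. A "script" entry holds a marshalled code object without the .pyc header, which is why the tools have to reconstruct that header before decompiling.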

Continuing with the sample of WastedLocker apparently involved in the recent Garmin attack (July 2020), now we are looking at some tricks the malware uses to look like a more normal app.

Sample hashes:
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA-1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA-256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

It does several things to divert attention. It calls empty functions that do nothing:

It also simulates legitimate activity by calling standard Windows APIs, but it does nothing with the results: