Identify obfuscator

12/26/2014 15:17 svene82#1
Hi!

I'm analysing a malware called spynet and found it to contain an AutoIt script that's obfuscated.
Do any of you guys recognise which program was used to obfuscate it?
Example code: [link]

Big thanks
/Svene
12/26/2014 21:59 YatoDev#2
This doesn't look like any known obfuscator
12/29/2014 17:55 Darkbanner#3
The source you posted is a crypter stub (malware "packer"). It's an obfuscated version of Pink's ShellCode RunPE.
12/29/2014 20:09 svene82#4
Quote:
Originally Posted by Darkbanner
The source you posted is a crypter stub (malware "packer"). It's an obfuscated version of Pink's ShellCode RunPE.
Oh, thanks a heap!
Do you have any idea how I can extract the assembly instructions?
12/30/2014 23:58 Darkbanner#5
Quote:
Originally Posted by svene82
Oh, thanks a heap!
Do you have any idea how I can extract the assembly instructions?
If you want to analyze the malware binary itself I'd recommend you get the original binary. This is pretty simple. Simply modify the dynamic forking func to something like this:
Code:
; Replaced RunPE routine: instead of injecting the payload, dump it to disk and stop.
; First parameter: path of the host executable the stub would inject into.
; Second parameter: the decrypted payload binary.
Func kefanqsibfimzyphlrastxjciaknmdeue($011001010011100001101011001101111, $110101100111001000000000001010001)
    FileWrite("original.exe", $110101100111001000000000001010001)
    Exit
EndFunc
Obviously you should only run this in a virtual machine or sandbox in order to avoid any possible damage.

$011001010011100001101011001101111 is the path of the executable it will "inject" the malware into.
$110101100111001000000000001010001 is the malware binary which you simply can write to a file again (will create an exact copy of the original binary encrypted).
After that you can easily analyze it. If you have any more questions let me know.
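An added example (not from the thread or from any poster) for the step after the dump: before spending time on original.exe, confirm that what FileWrite produced is actually a well-formed PE image rather than a still-encrypted blob or the wrong variable, and record its hash. The sample input here is a constructed minimal PE header, not a real payload.

```python
"""Sanity-check a payload dumped from an AutoIt RunPE stub (added example).
Verifies the DOS and PE headers and returns a SHA-256 for tracking."""
import hashlib
import struct
import sys

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_* values


def check_pe(data: bytes) -> dict:
    """Return basic facts about a dumped PE, or raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header: dump is not a PE image (wrong variable?)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing: header truncated or still encrypted")
    # COFF file header follows the 4-byte signature: Machine, NumberOfSections, ...
    machine, n_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": n_sections,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """Convenience wrapper: True if check_pe accepts the bytes."""
    try:
        check_pe(data)
        return True
    except ValueError:
        return False


def build_fake_pe() -> bytes:
    """Constructed minimal PE header for demonstration only (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


if __name__ == "__main__":
    # Usage: python check_dump.py original.exe  (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe()
    print(check_pe(blob))
```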