Identify obfuscator

svene82 · 12/26/2014, 15:17

Hi!

Im analysing a malware called spynet and found it to contain an AutoIt script thats obfuscated.
Do any of you guys recognise which program was used to obfuscate it?
Example code:

Big thanks
/Svene

YatoDev · 12/26/2014, 21:59

This doesnt look like any known obfuscator

Darkbanner · 12/29/2014, 17:55

The source you posted is a crypter stub (malware "packer"). It's an obfuscated version of Pink's ShellCode RunPE.

svene82 · 12/29/2014, 20:09

Quote:

Originally Posted by Darkbanner

The source you posted is a crypter stub (malware "packer"). It's an obfuscated version of Pink's ShellCode RunPE.

Oh, thanks a heap!
Do you have any idea how I can extract the assembly instructions?

Darkbanner · 12/30/2014, 23:58

Quote:

Originally Posted by svene82

Oh, thanks a heap!
Do you have any idea how I can extract the assembly instructions?

If you want to analyze the malware binary itself i'd recommend you to get the original binary. This is pretty simple. Simply modify the dynamic forking func to something like this:

Code:

Func kefanqsibfimzyphlrastxjciaknmdeue($011001010011100001101011001101111, $110101100111001000000000001010001)
FileWrite("original.exe", $110101100111001000000000001010001)
Exit
EndFunc

Obviously you should only run this in a virtual machine or sandbox in order to avoid any possible damage.

$011001010011100001101011001101111 is the path of the executable it will "inject" the malware into.
$110101100111001000000000001010001 is the malware binary which you simply can write to a file again (will create an exact copy of the original binary encrypted).
After that you can easily analyze it. If you have any more questions let me know.