Vulnerability Analysis

Hill Saturday Malware Analysis : Open Dir -> Obfuscated Python -> DONUT Launcher -> XWorm

Just some quick malware analysis on a free Saturday. I was just chilling in the morning, reading twitter, and this post from Justin Elze caught my eye:

It was perfect because I was indeed bored 😉

It was an opendir with a few interesting files:

pdf.bat                 BAT-File    3,179 Bytes         Tue, 10 Sep 2024 15:01:49 GMT
python-3.12.5-amd64.exe EXE-File    26,508,648 Bytes    Wed, 28 Aug 2024 18:05:07 GMT
sg.py                   PY-File     4,082,946 Bytes     Wed, 04 Sep 2024 01:22:18 GMT
tx.py                   PY-File     4,082,936 Bytes     Tue, 03 Sep 2024 12:04:59 GMT
update.cmd              CMD-File    168 Bytes           Fri, 06 Sep 2024 16:37:29 GMT

pdf.bat was just a launcher for update.cmd with some interesting social engineering aspect, it also established persistence by adding update.cmd to startup files. update.cmd simply executed sg.py and tx.py with python.

I downloaded entire folder and proceeded to analyze it. After opening sg.py in the text editor, it turned out it’s not a standard python code but a compiled python bytecode.

Ok, shouldn’t be a big issue, there is this great online decompiler that I highly recommend there’s also if you like something that runs offline.

After dumping these files into pylingual I saw the issue. Yes it managed to decompile them but the code was quite obviously obfuscated.

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

3 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

3 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

3 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

4 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

4 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

4 weeks ago