Malware Decompiling and Unpacking (Loda Keylogger)

malware

(DamaneDz) #1

Hello guys, Hope everyone is okay :slight_smile:

It’s been a while since my last post here

So I have something simple to share with you

Malware Decompiling and Unpacking (Loda Keylogger)

The sample:

https://www.hybrid-analysis.com/sample/9300e6bbdb4bd12e1a1f58a5a50759811d39437e3cbe2769164d5d04e199656c


#2

For those of us out there who prefer the written equivalent, could I suggest a short summary about the details you have included in the video?


#3
  1. Malicious file is a string-obfuscated AutoIT script,
  2. Finds the decoding function that decodes the obfuscated strings,
  3. Writes his own AutoIT script to call the string decoder by passing in the obfuscated string as a command line parameter,
  4. Uses PHP to read in the malicious AutoIT script,
  5. Regexes lines which have the string decoder and replaces them with the original unobfuscated string by calling his AutoIT string decoder,
  6. File is string-unobfuscated and exposes its functionality.
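As an added example (not code from the thread; the poster used PHP and AutoIT), here is a Python version of steps 3 and 5: regex the decoder calls out of the obfuscated script and replace each with the literal string the decoder returns. The decoder name `_decode`, the hex encoding handled by the stand-in decoder and the AutoIT fragment are all constructed; `autoit_decoder` marks where the analyst's own AutoIT decoder script would be shelled out to and assumes that script prints the decoded string to stdout.

```python
import re
import subprocess
from typing import Callable

# Constructed stand-in for the analyst's AutoIT decoder: the obfuscation here is
# plain hex-encoded ASCII so the example runs offline without AutoIT installed.
def stub_decoder(obfuscated: str) -> str:
    return bytes.fromhex(obfuscated).decode("ascii")

# Assumed helper: invoke the analyst's AutoIT script that calls the malware's own
# decoding function on its first command-line argument and prints the result.
def autoit_decoder(obfuscated: str, exe: str = "AutoIt3.exe",
                   script: str = "decoder.au3") -> str:
    out = subprocess.run([exe, script, obfuscated],
                         capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\r\n")

# Matches calls such as  _decode("48656c6c6f")  whose argument is a string literal.
# "_decode" is a placeholder; substitute the decoder name found in the real script.
CALL_RE = re.compile(r'_decode\(\s*"([0-9A-Fa-f]+)"\s*\)')

def deobfuscate(script: str,
                decoder: Callable[[str], str] = stub_decoder) -> str:
    """Rewrite every decoder call as an AutoIT literal of its decoded value."""
    def replace(m: re.Match) -> str:
        plain = decoder(m.group(1))
        # AutoIT escapes a double quote inside a double-quoted literal by doubling it.
        return '"' + plain.replace('"', '""') + '"'
    return CALL_RE.sub(replace, script)

# Constructed AutoIT fragment mimicking the string-obfuscated style described above.
SAMPLE = '''\
$sPath = _decode("433a5c54656d705c6c6f672e747874")
Run(_decode("6e6f74657061642e657865"))
Local $sUrl = _decode("687474703a2f2f6578616d706c652e636f6d")
'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Pass `decoder=autoit_decoder` to `deobfuscate` to run the same rewrite against the real decoder once the AutoIT script is in place.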

#4

Thanks for the video!
Will you make a video of the analysis of the decoded malware?


(DamaneDz) #5

Actually I lost the sample and I have to approve my account on hybrid-analysis.com to download it again.


(system) #6

This topic was automatically closed after 30 days. New replies are no longer allowed.