Login

**baziroll** · 08-18-2017 , 12:49 AM

Published on Aug 16, 2017
The strings of this trojan-spy are obfuscated. We figure out that this is a monoalphabethic substitution cipher and patch the trojan to retrieve the substitution alphabet. Then we write a deobfuscation script with Python to make sense of the strings.

Follow me on Twitter: @struppigel
And MalwareBlocker: @Malware_Blocker

Unpacking Loyeetro: https://www.youtube.com/watch?v=iXY2a...
Monitoring Loyeetro (MalwareBlocker): https://www.youtube.com/watch?v=J3Whs...

Sample: https://www.hybrid-analysis.com/sampl...
x64dbg: https://x64dbg.com/
Notepad++: https://notepad-plus-plus.org/downloa...
Python: https://www.python.org/downloads/
Sysinternals Strings: https://docs.microsoft.com/en-us/sysi...

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	Malware adds Any.Run sandbox detection to evade analysis	*tarekma7*	2	3,803	07-14-2020 , 11:01 PM Last Post: uyar64
	Trojan-Spy Analysis with Karsten	baziroll	0	2,215	08-11-2017 , 12:50 AM Last Post: baziroll
	Malware Analysis - Unpacking RunPE Loyeetro Trojan	baziroll	0	2,501	08-09-2017 , 02:19 AM Last Post: baziroll
	Malware Analysis - PortexAnalyzer Repair and Dump PE Files	baziroll	0	2,742	08-07-2017 , 11:51 AM Last Post: baziroll
	Malware Analysis - Creating a Decrypter for Alpha Ransomware Pt. 3	baziroll	0	2,498	08-02-2017 , 12:41 AM Last Post: baziroll