Skip to content

gavinoxley4-ops/python_malware_reverse_engineer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

Reverse Engineering Malware Lab

This is a little reverse-engineering lab for a penetration testing class I did to practice pulling apart a malicious file without actually running anything dangerous The executable is just a Python script I wrote with PyInstaller, but I think it behaves enough like real malware to make the analysis a good simulation.

Essentially, I created the script to work like actual malware and then analyzed what it was doing

Features of the sample

  • XOR-encoded “C2” string
  • Base64-encoded payload
  • Fake persistence (drops a text file)
  • A tiny beacon loop
  • Packed with PyInstaller so it looks like malware in a PE viewer
  • Benign file

I treated the compiled EXE like it was actually malware and investigated it w these tools:

Static Analysis

  • Ran strings to see what popped out
  • Looked at the PE structure in PE-bear
  • Used pyinstxtractor to rip apart the PyInstaller bundle
  • Loaded the unpacked blob into Ghidra and walked through the flow
  • Reversed the XOR routine to recover the hidden C2 URL
  • Decoded the Base64 payload with cyberchef

Dynamic Analysis

  • Ran the program in a "safe" environment (my laptop)
  • Used ProcMon to watch file writes + see if there was any persistence
  • Watched the beacon loop do its thing
  • Confirmed no real network traffic (it doesn’t actually reach out since it's benign)

About

a fake malware script written in Python to observe beaconing activity, encoded strings and payloads, and other malware activity and analyze how the program obfuscates itself

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages