A record of reverse-analysing a virus sample that took a lot out of me
I was stunned when I received the virus sample. After a day of struggling, and with guidance from a more experienced colleague, I finally got the source code out of it.
This is what the sample looks like when it runs:
1. From experience and some trial and error, I found that the sample is a PyInstaller-packed Python program, so it can be unpacked with Python tools. Download pyinstxtractor.py and Easy Python Decompiler v1.3.2:
https://sourceforge.net/projects/pyinstallerextractor/
https://github.com/aliansi/Easy-Python-Decompiler-v1.3.2
2. Try to unpack the sample.
Command: python3 pyinstxtractor.py <sample name>
It reports a failure. Refer to the last part of this article: https://blog.csdn.net/m0_37552052/article/details/88093427
Open the sample in a hex editor and search for MEI: there are many MEI occurrences, and a lot of confusing garbage data follows them. Delete the data after MEI+88, save,
and unpack again; this time it succeeds.
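The "MEI+88" cut works because a PyInstaller archive ends with an 88-byte cookie that starts with the magic string MEI\x0c\x0b\x0a\x0b\x0e, and the extractor looks for that cookie at the end of the file; anything appended after it breaks the lookup. The script below automates the hex-editor step: it finds the last cookie, drops everything after it, and decodes the cookie to confirm the result. This is an added example, not code from the post or from pyinstxtractor; the sample bytes are constructed inline to stand in for the corrupted file, and the output file name `<sample>.trimmed` is my own choice.

```python
import struct
import sys

# PyInstaller CArchive cookie magic: "MEI" followed by \x0c\x0b\x0a\x0b\x0e.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# PyInstaller >= 2.1 cookie layout (network byte order):
#   magic(8) + package length(4) + TOC offset(4) + TOC length(4)
#   + python version(4) + python library name(64) = 88 bytes
COOKIE_FMT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88


def trim_after_last_cookie(data: bytes) -> bytes:
    """Keep the bytes up to and including the last cookie (MEI + 88), drop the rest.

    The bootloader stub also contains the magic string, which is why a hex
    search shows many MEI hits; the archive's own cookie is the last one.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0:
        raise ValueError("no PyInstaller cookie found")
    end = pos + COOKIE_SIZE
    if end > len(data):
        raise ValueError("file ends inside the cookie; the sample is truncated")
    return data[:end]


def parse_cookie(data: bytes) -> dict:
    """Decode the trailing 88-byte cookie of a trimmed archive."""
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[-COOKIE_SIZE:])
    if magic != PYINST_MAGIC:
        raise ValueError("trailing bytes are not a PyInstaller cookie")
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": pyver,  # e.g. 27 for Python 2.7
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample() -> tuple:
    """Constructed stand-in for the corrupted sample: a fake bootloader that
    also contains the magic string, a fake package, a real cookie, then junk."""
    bootloader = b"\x90" * 32 + PYINST_MAGIC + b"\x00" * 32
    package = b"PYZ-00.pyz" + b"\x01" * 200
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, len(package), 0, 0, 27,
                         b"python27.dll")
    junk = b"\xde\xad" * 300  # trailing garbage that makes extraction fail
    return bootloader + package + cookie + junk, junk


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Real use: python3 trim_cookie.py <sample>; then run pyinstxtractor on the .trimmed file
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        trimmed = trim_after_last_cookie(data)
        with open(sys.argv[1] + ".trimmed", "wb") as f:
            f.write(trimmed)
        print("removed", len(data) - len(trimmed), "trailing bytes;", parse_cookie(trimmed))
    else:
        data, junk = build_sample()
        print(parse_cookie(trim_after_last_cookie(data)))
```

The decoded cookie is also a quick sanity check before decompiling: the python_version and python_lib fields tell you which interpreter built the sample, which is what the pyc header in the next step has to match.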
3. Inspect the unpacked files and find one with no file extension; that is the one to work on (https://www.cnblogs.com/pcat/p/8990482.html).
Open it in the hex editor and prepend an 8-byte pyc header (magic + timestamp). The magic can be copied from the first 4 bytes of the struct file in the same folder (03F30D0A). Change the file extension to .pyc,
then decompile it with Easy Python Decompiler v1.3.2 to recover a source file.
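Adding the header by hand is easy to get wrong on a different sample, because the header size depends on the interpreter version encoded in the magic: 8 bytes for Python 2.x (03F30D0A is 62211, i.e. CPython 2.7, which is why 8 bytes is right here), 12 bytes for 3.3 to 3.6, and 16 bytes from 3.7 on. The script below reads the magic from the struct file, picks the matching header size, and prepends a header with zeroed timestamp/size fields, which decompilers accept. It is an added example, not code from the post or from either tool; the file names and the round-trip demo are my own, and the demo only executes a code object that the script itself compiled.

```python
import importlib.util
import marshal
import struct
import sys
import types


def pyc_header_length(magic: bytes) -> int:
    """Header size CPython expects for the interpreter identified by `magic`.

    The first two bytes are a little-endian version number; the last two are
    always b"\r\n". 03F30D0A decodes to 62211, i.e. CPython 2.7.
    """
    if len(magic) != 4 or magic[2:] != b"\r\n":
        raise ValueError("not a CPython magic number")
    num = struct.unpack("<H", magic[:2])[0]
    if num >= 20000 or num < 3190:   # Python 1.5/2.x, or 3.0-3.2: magic + mtime
        return 8
    if num < 3392:                   # 3.3-3.6: magic + mtime + source size
        return 12
    return 16                        # 3.7+ (PEP 552): magic + flags + mtime + size


def read_magic(struct_pyc: bytes) -> bytes:
    """The magic is simply the first 4 bytes of a pyc that still has its header."""
    return struct_pyc[:4]


def add_pyc_header(body: bytes, magic: bytes) -> bytes:
    """Prepend the header PyInstaller stripped; timestamp/size fields are zero."""
    size = pyc_header_length(magic)
    return magic + b"\x00" * (size - 4) + body


def load_code_if_native(pyc: bytes):
    """Sanity check: if the magic matches the running interpreter, the body
    must marshal-load as a code object. Returns None for a foreign magic."""
    magic = pyc[:4]
    if magic != importlib.util.MAGIC_NUMBER:
        return None
    code = marshal.loads(pyc[pyc_header_length(magic):])
    if not isinstance(code, types.CodeType):
        raise ValueError("body is not a marshalled code object")
    return code


def demo_native_roundtrip() -> int:
    """Build a headerless body the way PyInstaller ships it, re-add the header
    for the running interpreter, and execute the (self-compiled) result."""
    body = marshal.dumps(compile("answer = 6 * 7", "<constructed>", "exec"))
    pyc = add_pyc_header(body, importlib.util.MAGIC_NUMBER)
    ns = {}
    exec(load_code_if_native(pyc), ns)
    return ns["answer"]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: python3 add_header.py <extracted dir>/struct <headerless file>
        with open(sys.argv[1], "rb") as f:
            magic = read_magic(f.read())
        with open(sys.argv[2], "rb") as f:
            body = f.read()
        out = sys.argv[2] + ".pyc"
        with open(out, "wb") as f:
            f.write(add_pyc_header(body, magic))
        print("wrote", out, "with a", pyc_header_length(magic), "byte header")
    else:
        print("round-trip result:", demo_native_roundtrip())
```

For the sample in this post the magic from struct is 03F30D0A, so the script writes the same 8-byte header the text describes; on a Python 3.7+ sample it would write 16 bytes instead, which is the case where a hand-added 8-byte header makes the decompiler fail.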
Opening the decompiled file shows that part of the code is encrypted. Following this article (https://www.cnblogs.com/qiyeboy/p/11524806.html), I
re-edited the code so that it writes its output to a file instead of running it. Viewing
the output file shows that the decryption succeeded, and the malicious domain name can be found by searching for http, for example: