Open Analysis Live! We use IDA Pro and Python scripts to remove obfuscated code and statically unpack malware. This is Part 1 of a two-part subscriber request asking us to determine why this malware would not run in their sandbox. In Part 1 we use Python scripts to unpack the sample so that we can analyze it further.
-----
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
OALABS PATREON
https://www.patreon.com/oalabs
OALABS TIP JAR
https://ko-fi.com/oalabs
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/
-----
In Part 2 we analyze the unpacked payload and determine why it wouldn't run in the sandbox. Watch it here:
https://www.youtube.com/watch?v=8yHLqZ3k1Xs
Packed sample:
Sha256: 16540597E03AC70BEA055AA72BF83A7DC3276CF6A64CD6CAFDB09E05EBCC198B
https://malshare.com/sample.php?action=detail&hash=f834f898969cd65da702f4b4e3d83dd0
Junk hide script:
https://gist.github.com/herrcore/ec0a2ff0a173cc273bde02d2f6ad00ca
Memdump script:
https://gist.github.com/herrcore/d023f3ab01b2091af3667d8d3f66e6db
Blob 2 (encrypted):
https://malshare.com/sample.php?action=detail&hash=32aecddc3d01f81d3f803501fc2a07ff
Blob 2 (decrypted) *payload*:
https://malshare.com/sample.php?action=detail&hash=002fe8e54c6dcf7160843282e6052aca
Alex's IDA Python book:
https://leanpub.com/IDAPython-Book
Feedback, questions, and suggestions are always welcome : )
Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw
As always, check out our tools, tutorials, and more content over at http://www.openanalysis.net