[Mal Series #12] Qakbot Decryption with Ghidra Script

Most malware nowadays uses a custom string-decoding algorithm to hide the juicy strings that reveal key information about the sample. It would be great if we could decode all the strings and add them as code comments, so that we can analyze them side by side and understand the malware better. To that end, I wrote a Ghidra decoding script in Python for Qakbot.

Find the decryption algorithm

Based on experience, malware will always reference its decoding function many times throughout the code.

After poking around, function FUN_10010eff seems to have something juicy: it is called with hex constants as parameters, and the same pattern repeats many times. Let's check into it!

Juicy function !! 🕵️‍♂️

Understanding the algorithm

At first glance, the function performs some decoding routine (based on the XOR, the for/while loop and the constant byte array found within the function).

Investigating further, it really does XOR something (XOR_1 & XOR_2).

Some length calculation; stop if (XOR_1 ^ XOR_2 == 0)

At the end of the function, it performs the XOR operation between XOR_1 and XOR_2.

As for how the decoding function works, I have annotated the decompiled code for better understanding.

The real XOR function routine

Write the decryption script

I wrote a decoding script based on the highlighted decompiled code. Full script here.

Writing some decoding script 👨‍💻

After correctly implementing the decoding script, it's time to merge it with the Ghidra API functions so that the decoded strings are printed as comments on the assembly listing.

You can check the references below for basic Ghidra API usage and the official Ghidra API documentation.
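To make the two steps above concrete, here is an added example that is not the author's script: a pure-Python decoder in the shape the decompiled routine suggests (XOR each byte of the encrypted blob with the cycled key, stop at the first byte that XORs to 0), plus a thin Ghidra layer that looks up every call to the decoder, recovers the offset argument, and writes the plaintext as an end-of-line comment. The key layout (absolute blob index selects the key byte), the "nearest preceding PUSH immediate is the offset" rule, the sample key and strings, and the blob/key addresses are all assumptions; only the decoder address 0x10010eff comes from the post. The Ghidra functions used (getBytes, toAddr, getReferencesTo, getInstructionAt, getInstructionBefore, setEOLComment) are the FlatProgramAPI globals Ghidra injects into a script, so that part only runs inside Ghidra; the decoder itself runs on Jython 2 and Python 3.

```python
from __future__ import print_function

# Constructed sample key and strings (not taken from any real Qakbot sample).
# The key bytes are deliberately outside printable ASCII so that no plaintext
# byte equals its key byte, which would XOR to 0 and look like a terminator.
SAMPLE_KEY = b"\x9a\x13\xc7\xae\x81"
SAMPLE_STRINGS = ["kernel32.dll", "GetProcAddress", "ProgramData"]


def decode_string(blob, key, offset):
    """Decode one string that starts at `offset` inside the encrypted blob.

    Assumed layout: byte i of the blob is XORed with key[i % len(key)] (the
    absolute blob index selects the key byte), and decoding stops at the first
    byte whose XOR result is 0, i.e. the (XOR_1 ^ XOR_2 == 0) check in the
    decompiled routine. bytearray keeps this working on Jython 2 and Python 3.
    """
    blob = bytearray(blob)
    key = bytearray(key)
    out = bytearray()
    i = offset
    while i < len(blob):
        c = blob[i] ^ key[i % len(key)]
        if c == 0:
            break
        out.append(c)
        i += 1
    return out.decode("latin-1")


def build_blob(strings, key):
    """Construct a test blob in the assumed layout: each string is XOR-encoded
    in sequence and followed by an encoded null terminator. Returns the blob and
    the offset of each string, so the decoder's stop condition is exercised."""
    key = bytearray(key)
    blob = bytearray()
    offsets = []
    for s in strings:
        offsets.append(len(blob))
        for ch in bytearray(s.encode("latin-1") + b"\x00"):
            blob.append(ch ^ key[len(blob) % len(key)])
    return bytes(blob), offsets


# ---- Ghidra side: only usable when run from Ghidra's script manager ---------
# getBytes, toAddr, getReferencesTo, getInstructionAt, getInstructionBefore and
# setEOLComment are FlatProgramAPI methods Ghidra injects as globals into a
# Python script; they are not defined outside Ghidra.

def read_bytes(addr, length):
    """Read `length` bytes at `addr` as an unsigned bytearray (Java byte[] is
    signed, so each element is masked)."""
    return bytearray([b & 0xff for b in getBytes(toAddr(addr), length)])


def annotate_call_sites(decoder_addr, blob, key, max_back=8):
    """For every CALL to the decoder, take the nearest preceding PUSH of an
    immediate as the string offset (an assumption about this sample's calling
    convention), decode it, and attach the plaintext as an end-of-line comment
    on the CALL. Returns the number of call sites annotated."""
    count = 0
    for ref in getReferencesTo(toAddr(decoder_addr)):
        call = getInstructionAt(ref.getFromAddress())
        if call is None or not call.getMnemonicString().startswith("CALL"):
            continue
        ins = call
        for _ in range(max_back):
            ins = getInstructionBefore(ins)
            if ins is None:
                break
            scalar = ins.getScalar(0)
            if ins.getMnemonicString() == "PUSH" and scalar is not None:
                offset = scalar.getUnsignedValue()
                text = decode_string(blob, key, offset)
                setEOLComment(call.getAddress(), "decoded: " + repr(text))
                count += 1
                break
    return count


if "currentProgram" in globals():
    # Inside Ghidra. The blob and key addresses/lengths below are placeholders;
    # replace them with the locations found in the sample. 0x10010eff is the
    # decoder function identified in the post.
    BLOB = read_bytes(0x10020000, 0x1000)  # PLACEHOLDER blob address / length
    KEY = read_bytes(0x10021000, 0x40)     # PLACEHOLDER key address / length
    print("annotated %d call sites" % annotate_call_sites(0x10010eff, BLOB, KEY))
elif __name__ == "__main__":
    # Stand-alone demo on the constructed sample.
    blob, offsets = build_blob(SAMPLE_STRINGS, SAMPLE_KEY)
    for off in offsets:
        print("0x%04x -> %s" % (off, decode_string(blob, SAMPLE_KEY, off)))
```

Run stand-alone it decodes the constructed blob; dropped into Ghidra's script manager it instead walks the references to the decoder and comments each call. One caveat worth keeping in mind: a plaintext byte that happens to equal its key byte also XORs to 0, so the decoder (like the original routine) would truncate that string there; the constructed key avoids this by using non-printable bytes.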

Output

Here is the output of the decoding script. Now you can see the decoded strings in the comment sections of the code. This will be very helpful for analysts to understand the sample much better ✌.

Suspicious placeholder containing the victim's host name, user name and password
Looks like the sample performs some injection using the Windows NT API

Unfortunately, Ghidra's Python scripting only supports Python 2, as it depends on Jython (Python on the JVM). However, we can use ghidra_bridge to script in Python 3. If you are a Java fan, you can use Java directly as your scripting language in Ghidra.

Hopefully this helps those who are looking into Ghidra scripting. Cheers!

References

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec
