8c9d9150efa35278afcb23f2af4c4babcc4dd55acd9e839bed4c04cb5a8d9c3f
|
struppigel
|
advanced
|
|
PyInstxtractor does not work here. Extract and decrypt all the python code, including the plain "PYZ" archive contents.
|
1
|
|
0
|
01 Feb 2026
|
c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e
|
struppigel
|
medium
|
|
This is Gnwwcgocwzl.wav. Decrypt this file based on the [previous stage's analysis](https://samplepedia.cc/sample/1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6/79/). Unpack the payload.
Afterwards continue with [payload analysis here](https://samplepedia.cc/sample/45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76/75/)
|
—
|
|
0
|
27 Jan 2026
|
1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6
|
struppigel
|
easy
|
|
This file has an unusual archive format. Figure out how to extract it. Then debloat the sample and determine how [the next stage](https://samplepedia.cc/sample/c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e/80/) is decrypted or decoded. After that continue analysis of [the next stage](https://samplepedia.cc/sample/c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e/80/).
|
—
|
|
0
|
27 Jan 2026
|
361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd
|
struppigel
|
medium
|
|
LICENSE.txt was run via > %ALLUSERSPROFILE%\Microsoft\AppUpdate\SystemInfo\UsbService86.exe LICENSE.txt
UsbService86.exe has the signer **Python Software Foundation**
Decompile the code, then create a binary refinery pipeline to unpack the next layers.
(CyberChef might be an alternative, but I did not check if it has all necessary algorithms)
|
—
|
|
0
|
23 Jan 2026
|
56f5623daa470bee190ae0ecd961be8e6df71c8da1ccf7b268fe876b84c183d9
|
struppigel
|
easy
|
|
Where does this file load the next stage from?
|
3
|
|
3
|
20 Jan 2026
|
29325e23a684f782db14a1bf0dc56c65228e666d1f561808413a735000de3515
|
struppigel
|
easy
|
|
Where does this file load the next stage from?
|
2
|
|
0
|
20 Jan 2026
|
45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76
|
struppigel
|
medium
|
|
If you want to analyze the full infection chain, start with [the first stage here](https://samplepedia.cc/sample/1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6/79/)
Your task is to extract the configuration.
|
—
|
|
0
|
16 Jan 2026
|
0b38ca277bbb042d43bd1f17c4e424e167020883526eb2527ba929b2f0990a8f
|
larsborn
|
easy
|
|
Write a Ghidra script to defeat the code obfuscation int his sample.
|
1
|
|
0
|
13 Jan 2026
|
4029f9fcba1c53d86f2c59f07d5657930bd5ee64cca4c5929cbd3142484e815a
|
larsborn
|
medium
|
|
Identify and reverse engineer the API hashing function. Emulate it with an appropriate string list to confirm your findings.
|
1
|
|
0
|
13 Jan 2026
|
4eb33ce768def8f7db79ef935aabf1c712f78974237e96889e1be3ced0d7e619
|
larsborn
|
easy
|
|
Identify and reverse engineer the string deobfuscation function. Bonus points if you can write a Ghidra script to emulate it.
|
1
|
|
0
|
13 Jan 2026
|
4029f9fcba1c53d86f2c59f07d5657930bd5ee64cca4c5929cbd3142484e815a
|
larsborn
|
medium
|
|
Identify and reverse engineer the string deobfuscation function in this sample. Write a binary refinery pipeline to emulate it. Bonus points if you manage to write a Ghidra script.
|
1
|
|
0
|
13 Jan 2026
|
67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d
|
larsborn
|
medium
|
|
Find and reverse engineer the string deobfuscation function in the sample. Create a binary refinery pipeline to decrypt the strings. Bonus points if you manage to write a Ghidra script to decrypt them all.
|
1
|
|
0
|
13 Jan 2026
|
1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f
|
struppigel
|
advanced
|
|
Create a static C2 extractor that uses abstract syntax tree transformations with Babel. You can use astexplorer.net as helper tool.
|
1
|
|
0
|
13 Jan 2026
|
2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6
|
struppigel
|
medium
|
|
Create a C2 extractor using a Python script, binary refinery pipeline or CyberChef recipie
|
—
|
|
0
|
11 Jan 2026
|
ee69b74d0f0dd59fcd87304863626efb727ad6255bc29a7d48b7a441390dff1a
|
struppigel
|
medium
|
|
This is packed by CypherIt crypter. Unpack the malware.
Bonus: Extract the config of the payload.
|
—
|
|
0
|
11 Jan 2026
|
e7cf02ad880e8ebb37134c5370189bd2620ce1bf60794aa8776db6ccc4d4f0f7
|
struppigel
|
medium
|
|
Decompile the main malware code and figure out where it downloads the next stage. If the download URL is not available anymore, the deaddrop URL will suffice.
This ZIP archive is downloaded by this [InnoSetup sample](https://samplepedia.cc/sample/7409250e8be3bdcdaa756faff2150b13677ae066e42cefa52844c87451f6f60d/54/). You may want to start analyzing there.
|
1
|
|
0
|
09 Jan 2026
|
7409250e8be3bdcdaa756faff2150b13677ae066e42cefa52844c87451f6f60d
|
struppigel
|
medium
|
|
Extract the InnoSetup script and decode the strings. Figure out the download URL statically.
Afterwards continue with [the next stage](https://samplepedia.cc/sample/e7cf02ad880e8ebb37134c5370189bd2620ce1bf60794aa8776db6ccc4d4f0f7/55/)
|
1
|
|
0
|
09 Jan 2026
|