161f2a6ecf64dcbbc1616d536cb2ed2e53afc5a4f5deca810b0f55cc82a6b447 | malwarecakefactory | medium | for RE learning | 1 | 1 | 22 Feb 2026

361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd | struppigel | medium |
LICENSE.txt was run via > %ALLUSERSPROFILE%\Microsoft\AppUpdate\SystemInfo\UsbService86.exe LICENSE.txt
UsbService86.exe has the signer **Python Software Foundation**
Decompile the code, then create a binary refinery pipeline to unpack the next layers.
(CyberChef might be an alternative, but I did not check if it has all necessary algorithms)
| 1 | 1 | 23 Jan 2026
94237eac80fd2a20880180cab19b94e8760f0d1f06715ff42a6f60aef84f4adf | humpty_tony | medium |
This post’s goal is to show how you reverse a “boring” stealer by treating the loader chain as the real specimen.
Peel multi-stage Python loaders safely:
- Identify and undo container transforms (reverse bytes + zlib).
- Recognize when crypto code is “almost right” but relies on a modified library (the PyAES GCM mismatch), then swap in a compatible implementation to decrypt without executing.
- Deal with Python marshalled bytecode.
- Reduce obfuscation to primitives (base64 aliasing, rot13, marshal.loads, LZMA/XZ payloads, BlankOBF patterns), so you can turn “giant blob soup” into discrete stages you can write to disk, identify with file, and decompile.
So the analysis goal is basically: build a repeatable methodology for unpacking + staging + version-correct decompilation of Python malware—because that workflow applies to tons of commodity stealers and loaders.
| 1 | 1 | 04 Jan 2026
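The peeling methodology described in the post above, as an added example that is not part of humpty_tony's post or of samplepedia: a stage peeler that recognises each container transform by its magic bytes (zlib, .xz/LZMA, marshalled code objects) or by a strict charset check (base64, rot13), retries on the byte-reversed buffer when nothing matches, and records every stage so it can be written to disk and decompiled. The specimen it unpacks is constructed inline (source wrapped in marshal, xz, base64, byte reversal and zlib); the detection heuristics, the stage names and the `DEMO_SOURCE` payload are this example's own assumptions. marshal.loads only deserialises bytecode and needs the CPython version that produced it; the PyAES GCM mismatch and BlankOBF patterns the post mentions are not covered here.

```python
"""Peel layered Python loader stages (reverse, zlib, LZMA/XZ, base64, rot13, marshal)
without executing anything: marshalled bytecode is only loaded, never run."""
import ast
import base64
import codecs
import lzma
import marshal
import re
import types
import zlib

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def looks_like_python(blob):
    """Code object, or UTF-8 source containing a real statement (a bare base64
    string also parses, as a Name, so demand a call/import/def/assignment)."""
    if isinstance(blob, types.CodeType):
        return True
    try:
        tree = ast.parse(blob.decode("utf-8"))
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return False
    wanted = (ast.Call, ast.Import, ast.ImportFrom, ast.FunctionDef, ast.Assign)
    return any(isinstance(n, wanted) for n in ast.walk(tree))

def try_transform(blob):
    """Undo the outermost layer; returns (name, inner) or None."""
    # zlib: CMF 0x78 and (CMF*256 + FLG) % 31 == 0, confirmed by decompressing
    if len(blob) > 2 and blob[0] == 0x78 and (blob[0] * 256 + blob[1]) % 31 == 0:
        try:
            return "zlib", zlib.decompress(blob)
        except zlib.error:
            pass
    # .xz magic (FD 37 7A 58 5A 00) or a raw LZMA-alone stream (0x5D)
    if blob.startswith(b"\xfd7zXZ\x00") or blob[:1] == b"\x5d":
        try:
            return "lzma", lzma.decompress(blob)
        except lzma.LZMAError:
            pass
    # marshalled code: TYPE_CODE 'c', usually with FLAG_REF (0xE3); loads() builds
    # the object without running it (same CPython version required)
    if blob[:1] in (b"c", b"\xe3"):
        try:
            obj = marshal.loads(blob)
            if isinstance(obj, types.CodeType):
                return "marshal", obj
        except Exception:  # garbage raises ValueError/EOFError/TypeError
            pass
    # base64: reversed, unpadded base64 decodes just as happily, so the layer
    # only counts when the decoded bytes are themselves a recognisable stage
    stripped = re.sub(rb"\s+", b"", blob)
    if len(stripped) >= 8 and len(stripped) % 4 == 0 and B64_RE.match(stripped):
        try:
            inner = base64.b64decode(stripped, validate=True)
        except ValueError:
            inner = None
        if inner and (looks_like_python(inner) or try_transform(inner)):
            return "base64", inner
    # rot13 only applies to text; accept it when the result is Python source
    try:
        rotated = codecs.encode(blob.decode("ascii"), "rot_13").encode("ascii")
    except UnicodeDecodeError:
        rotated = None
    if rotated and rotated != blob and looks_like_python(rotated):
        return "rot13", rotated
    return None

def peel(blob, max_depth=16):
    """Strip layers until source or a code object remains. Returns (stages, final)
    with stages = [(name, inner), ...] in peel order; write each one out as-is
    to run file(1) or a decompiler over it."""
    stages, cur = [], blob
    for _ in range(max_depth):
        if looks_like_python(cur):
            return stages, cur
        hit = try_transform(cur)
        if hit is None:  # byte reversal hides every magic value: try the mirror
            hit = try_transform(cur[::-1])
            if hit is None:
                raise ValueError(f"unknown layer after {len(stages)} stage(s): {cur[:8]!r}")
            stages.append(("reverse", cur[::-1]))
        stages.append(hit)
        cur = hit[1]
    raise ValueError(f"gave up after {max_depth} layers")

# Constructed specimens (hypothetical, not real samples)
DEMO_SOURCE = b"import os\nprint(os.getcwd())\n"

def build_demo_chain():
    # source -> marshal -> xz -> base64 -> reversed bytes -> zlib
    blob = marshal.dumps(compile(DEMO_SOURCE, "<inner>", "exec"))
    return zlib.compress(base64.b64encode(lzma.compress(blob))[::-1])

def build_rot13_demo():
    # source -> rot13 (a text-only layer)
    return codecs.encode(DEMO_SOURCE.decode("ascii"), "rot_13").encode("ascii")
```

Running `peel(build_demo_chain())` yields the stage names `zlib, reverse, base64, lzma, marshal` and a code object whose `co_names` can be inspected without ever executing it; on a real sample, replace `build_demo_chain()` with the file contents and write each element of `stages` to disk (a marshal stage needs the matching pyc header prepended before a decompiler will accept it). The base64 layer is only accepted when its output is itself recognisable, because reversed, unpadded base64 passes a charset check just as well as the real thing.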
291df8186e62df74b8fcf2c361c6913b9b73e3e864dde58eb63d5c3159a4c32d | malcat | medium | Use emulation and/or static analysis to get to the final malware and extract its configuration. | 1 | 1 | 04 Jan 2026

482a8b7ead1e07ac728e1e2b9bcf90a26af9b98b15969a3786834d6e81d393cd | struppigel | easy | What's the password for the screenlocker? Extract the code. | 1 | 1 | 26 Dec 2025

56f5623daa470bee190ae0ecd961be8e6df71c8da1ccf7b268fe876b84c183d9 | struppigel | easy | Where does this file load the next stage from? | 3 | 3 | 20 Jan 2026

55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396 | 0xdeluks | easy | Deobfuscate the strings and identify the functionality of all commands. | 3 | 3 | 05 Jan 2026

478d992c999a0e93ada1c9aa10644e3abdc207d407492c5bc2710986de4d42be | struppigel | easy | Where does this office document get the next stage and how? When was the document created? | — | 0 | 25 Apr 2026

060ed0ec27a0a4ad7b55425ed56d8ef0c55aa61b499d4884d1679f18d518ddf3 | struppigel | medium | Find the two webhooks of this stealer and determine the persistence mechanisms. | — | 0 | 23 Mar 2026

57e497bf62138b926d4adab395e0ab64f9f1b606ff9219e0c004fcc5a8348f7a | struppigel | medium | Find the code that is responsible for loading the next stage. Figure out the download URL for the next stage with emulation. | — | 0 | 17 Mar 2026
49660527c1c910ad2d3c5625c1b44682e465e45b65883dfc8d7d229d1bd0ebd8 | struppigel | advanced | Extract the main.js, then decompile and deobfuscate it far enough that you can see the webhook. | 1 | 0 | 07 Mar 2026
b0e365c603013751085946ff0500f7d8c0e3c106d3b02c368c2f267279660a6d | struppigel | medium | Write a configuration extractor for this loader. | 1 | 0 | 28 Feb 2026

95a636c2b3af0bc69cc05f7b32281ff17c58cbe637bec5f8918f7514a5f37e09 | struppigel | easy | Check out the LNK in this archive. It downloads malware. How does it achieve that? | 1 | 0 | 21 Feb 2026

465dc7a1068d0c7d31b4ffb0a013a59ddd0320dde4389748eed99f41ee0f51ae | struppigel | medium | How does this rootkit hide loaded modules of a process? Locate the function that is responsible for that. What's necessary to trigger the module hiding? | — | 0 | 21 Feb 2026

dca13fc006a3b55756ae0534bd0d37a1b53a219b5d7de236f20b0262f3662659 | struppigel | medium | Unpack the sample and obtain the config. | 3 | 0 | 04 Feb 2026

09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74 | struppigel | advanced | PyInstxtractor does not work here. Extract and decrypt all the python code, including the plain "PYZ" archive contents. | 1 | 0 | 01 Feb 2026

c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e | struppigel | medium |
This is Gnwwcgocwzl.wav. Decrypt this file based on the [previous stage's analysis](https://samplepedia.cc/sample/1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6/79/). Unpack the payload.
Afterwards continue with [payload analysis here](https://samplepedia.cc/sample/45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76/75/)
| 1 | 0 | 27 Jan 2026