Sample

Metadata

SHA256: 361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd
Difficulty: medium
Platform: Windows
Tags: packed, python, smokedham
Likes: 1
Views: 173
Submitter: struppigel

Analysis

Goal

LICENSE.txt was run via the following command:
    %ALLUSERSPROFILE%\Microsoft\AppUpdate\SystemInfo\UsbService86.exe LICENSE.txt
UsbService86.exe is signed by the Python Software Foundation.
Decompile the code, then create a binary refinery pipeline to unpack the next layers.
(CyberChef might be an alternative, but I did not check whether it has all the necessary algorithms.)

Description

This sample is a great beginner sample for training with binary refinery.
I did not test whether it can decompile the code, because I used an external tool for that, but it can do all of the following layers in one pipeline without any complicated tricks.
Tip: If you have trouble with the aes unit, check for an alternative binref unit.

Recommended Tools

binary refinery, CyberChef
