Analysis of Noblis In-dev Ransomware

Noblis is in-development ransomware written in Python and bundled with PyInstaller. See my previous post for how to identify and reverse Python-built executables. We start from the following sample: Hash: 3BEEE8D7F55CD8298FCB009AA6EF6AAE [App.Any] The sample is UPX packed; after unpacking we get the following binary: Hash: A886E7FAB4A2F1B1B048C217B4969762 The unpacked binary contains many Python reference strings and has a zlib-compressed archive (the PyInstaller archive) appended to it as an overlay. The PyExtractor tool can be used to pull the bundled Python code out of the binary. ...

December 13, 2017 · 4 min · 753 words · Melted in Hex
Reverse Engineering of Python built executables

PyInstaller and py2exe bundle a Python application, the interpreter and all its dependencies into a single executable, so the user can run the EXE without installing Python or any modules. Because Python is quick to write in, malware authors often write their malware in Python and turn it into an EXE with py2exe or PyInstaller. In this post I explain how to reverse such binaries and recover the Python code they carry (in practice compiled bytecode, which then has to be decompiled back to source). ...

August 1, 2017 · 5 min · 986 words · Melted in Hex
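To make the "archive appended as an overlay" point from both posts concrete, here is an added example (my own code, not from the blog and not the PyExtractor tool it mentions) that does the first step of the reversing process by hand: it finds the PyInstaller cookie at the end of a binary, walks the table of contents, and zlib-decompresses the entries. The cookie and TOC layouts are those used by PyInstaller's CArchive (the 88-byte cookie with the 64-byte Python library name, as in PyInstaller 2.1 and later); the binary it runs against is constructed in the script with a fake MZ prefix, a fake script entry and a fake DLL, and the `is_upx_packed` check only looks for the literal "UPX!" marker, so it is a triage heuristic rather than a full unpacker.

```python
import struct
import zlib

# PyInstaller CArchive layout (PyInstaller 2.1+): the cookie sits at the very end of the
# executable, and every offset in the table of contents is relative to the package start.
MAGIC = b"MEI\014\013\012\013\016"
COOKIE = struct.Struct("!8siiii64s")   # magic, package length, TOC offset, TOC length, py version, pylib name
TOC_ENTRY = struct.Struct("!iiiiBc")   # entry length, data offset, compressed len, uncompressed len, cflag, typecode


def build_sample_archive(entries, pyver=27, pylib=b"python27.dll"):
    """Build a minimal PyInstaller-style overlay from (name, typecode, data, compress) tuples.

    Constructed test data for this example, not a real sample.
    """
    data_section = bytearray()
    toc = bytearray()
    for name, typecode, data, compress in entries:
        payload = zlib.compress(data) if compress else data
        name_b = name.encode() + b"\0"
        entry_len = TOC_ENTRY.size + len(name_b)
        pad = (16 - entry_len % 16) % 16          # PyInstaller pads entries to 16 bytes
        name_b += b"\0" * pad
        entry_len += pad
        toc += TOC_ENTRY.pack(entry_len, len(data_section), len(payload), len(data),
                              1 if compress else 0, typecode)
        toc += name_b
        data_section += payload
    toc_pos = len(data_section)
    package = data_section + toc
    pkg_len = len(package) + COOKIE.size          # package length includes the cookie itself
    package += COOKIE.pack(MAGIC, pkg_len, toc_pos, len(toc), pyver, pylib.ljust(64, b"\0"))
    return bytes(package)


def is_upx_packed(binary):
    """Cheap triage check: UPX leaves its 'UPX!' marker in the packed file."""
    return b"UPX!" in binary


def parse_pyinstaller_archive(binary):
    """Locate the cookie, read the TOC and return the (decompressed) entries."""
    idx = binary.rfind(MAGIC)                     # the bootloader code may contain MAGIC too; the cookie is last
    if idx < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_pos, toc_len, pyver, pylib = COOKIE.unpack_from(binary, idx)
    pkg_start = idx + COOKIE.size - pkg_len       # overlay start = cookie end - package length
    toc = binary[pkg_start + toc_pos: pkg_start + toc_pos + toc_len]
    entries = []
    off = 0
    while off < len(toc):
        entry_len, data_pos, clen, ulen, cflag, typecode = TOC_ENTRY.unpack_from(toc, off)
        name = toc[off + TOC_ENTRY.size: off + entry_len].rstrip(b"\0").decode()
        raw = binary[pkg_start + data_pos: pkg_start + data_pos + clen]
        data = zlib.decompress(raw) if cflag else raw
        if len(data) != ulen:
            raise ValueError("length mismatch for %s" % name)
        entries.append((name, typecode.decode(), data))
        off += entry_len
    return {"python_version": pyver, "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


# Constructed sample: fake PE header bytes plus a PyInstaller-style overlay.
SCRIPT_SRC = b"import os\nos.system('echo constructed stub')\n"
SAMPLE_ENTRIES = [
    ("noblis", b"s", SCRIPT_SRC, True),                           # 's' = main script, zlib-compressed
    ("out00-PYZ.pyz", b"z", b"PYZ\0" + b"\0" * 12, True),         # 'z' = PYZ archive of modules
    ("python27.dll", b"b", b"MZ\x90\x00 constructed dll", False),  # 'b' = binary, stored uncompressed
]
SAMPLE = b"MZ" + b"\x90" * 62 + b"fake bootloader " + build_sample_archive(SAMPLE_ENTRIES)


def triage(binary):
    """Summarise what a first pass over a suspected Python-built executable finds."""
    info = {"upx": is_upx_packed(binary), "pyinstaller": MAGIC in binary}
    if info["pyinstaller"]:
        info["archive"] = parse_pyinstaller_archive(binary)
    return info


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("UPX marker:", result["upx"])
    for name, typecode, data in result["archive"]["entries"]:
        print("%-16s type=%s size=%d" % (name, typecode, len(data)))
```

The script entries PyInstaller stores under typecode `s` are marshalled code objects rather than source text, so on a real binary the next step after this extraction is adding a pyc header and running a decompiler over them; the constructed script here is plain text only so the round trip is easy to check.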