
GuLoader: Deobfuscating and Automating Malware Analysis

DUBAI, DUBAI, UAE, May 18, 2023/EINPresswire.com/ -- ANY.RUN, a cybersecurity company developing an interactive sandbox platform for malware researchers, presents its analysis of the GuLoader malware.

Here are some highlights from the analysis of GuLoader and the deobfuscation of its code with the Ghidra scripting engine:

๐–๐ก๐š๐ญ ๐ข๐ฌ ๐†๐ฎ๐‹๐จ๐š๐๐ž๐ซ

GuLoader is a widely used malware loader known for its complex obfuscation techniques that make it difficult to analyze and detect.

๐‚๐ฅ๐ž๐š๐ซ๐ข๐ง๐  ๐ญ๐ก๐ž ๐ฐ๐š๐ฒ: ๐–๐ก๐ฒ ๐ƒ๐ž๐จ๐›๐Ÿ๐ฎ๐ฌ๐œ๐š๐ญ๐ข๐ง๐  ๐‚๐จ๐๐ž ๐ข๐ฌ ๐‚๐ซ๐ฎ๐œ๐ข๐š๐ฅ ๐๐ž๐Ÿ๐จ๐ซ๐ž ๐€๐ง๐š๐ฅ๐ฒ๐ฌ๐ข๐ฌ?

Deobfuscating code is an essential step in the process of malware analysis. When malware authors create their programs, they often use various obfuscation techniques to make it more difficult to understand and analyze their code. By deobfuscating the code, analysts can gain a better understanding of the malware's functionality, identify its capabilities, and develop effective mitigation strategies.

๐ƒ๐ž๐จ๐›๐Ÿ๐ฎ๐ฌ๐œ๐š๐ญ๐ข๐ง๐  ๐š๐ง๐ ๐Ž๐ฉ๐ญ๐ข๐ฆ๐ข๐ณ๐ข๐ง๐ : ๐“๐ž๐œ๐ก๐ง๐ข๐ช๐ฎ๐ž๐ฌ ๐š๐ง๐ ๐’๐ญ๐ซ๐š๐ญ๐ž๐ ๐ข๐ž๐ฌ

ANY.RUN identified various obfuscation techniques often found in GuLoader, including:
• Opaque predicates
• Obfuscated arithmetic expressions
• Junk instructions

ANY.RUN has therefore focused on techniques and strategies to overcome these obfuscation methods and make the code easier to analyze.

Here are some of them:
โ€ข โ€œNoppingโ€ all XMM instructions
โ€ข Leaving Unconditional JMP Instructions Untouched
โ€ข โ€œNoppingโ€ Junk Instructions
โ€ข Defeating fake comparison instructions
โ€ข Defeating fake PUSHAD instructions
โ€ข Defeating fake PUSH instructions
โ€ข Calculating Arithmetic Expressions

๐€๐ฎ๐ญ๐จ๐ฆ๐š๐ญ๐ข๐ง๐  ๐Œ๐š๐ฅ๐ฐ๐š๐ซ๐ž ๐€๐ง๐š๐ฅ๐ฒ๐ฌ๐ข๐ฌ ๐ฐ๐ข๐ญ๐ก ๐š ๐†๐ก๐ข๐๐ซ๐š ๐’๐œ๐ซ๐ข๐ฉ๐ญ

ANY.RUN has developed a script that starts from a chosen instruction, follows calls and conditional jumps, simplifies and deobfuscates the code along the way, and disassembles the result. The script does not step over calls whose operand has a specific value, because not every call returns to the instruction that follows it.
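The strategies listed above and the tracing script described here, as an added example in plain Python that is not ANY.RUN's Ghidra script and not code from the original article. It runs offline over a constructed GuLoader-style listing: the Insn type, the SAMPLE snippet, the pass names, and the rule that stops tracing at a call or jmp whose target is not an immediate are all assumptions for this demo. Two passes are deliberately stricter than the list suggests: a pushad/popad range is only nopped when its body touches no memory, no esp and no flags, and an arithmetic chain is only folded when the instruction after it does not read flags, because those are exactly the cases where a naive rewrite changes behaviour.

```python
"""Deobfuscation passes plus a linear tracer over a toy x86 listing. Added example,
not ANY.RUN's script: Insn, SAMPLE and the pass names are constructed for this demo."""
import copy, re
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF
FLAG_WRITERS = {"cmp", "test", "add", "sub", "xor", "and", "or", "inc", "dec", "neg", "shl", "shr"}
FLAG_READER_RE = re.compile(r"^(j(?!mp$)|cmov|set|adc|sbb)")   # jcc / cmovcc / setcc / adc / sbb
REG_ONLY = {"mov", "lea", "xchg", "movzx", "movsx", "bswap"}    # write no flags, touch no memory
FOLD = {"add": int.__add__, "sub": int.__sub__, "xor": int.__xor__, "and": int.__and__, "or": int.__or__}


@dataclass
class Insn:
    addr: int
    mn: str
    ops: list = field(default_factory=list)

    def nop(self):
        self.mn, self.ops = "nop", []


# Constructed GuLoader-style snippet (not bytes from a real sample).
SAMPLE = [
    Insn(0x1000, "pushad"), Insn(0x1001, "mov", ["ebx", "0x11"]), Insn(0x1006, "popad"),  # dead range
    Insn(0x1007, "movaps", ["xmm1", "xmm0"]),                                             # XMM noise
    Insn(0x100a, "cmp", ["eax", "0x5"]),                       # fake: flags clobbered before any jcc
    Insn(0x100d, "push", ["0x1234"]), Insn(0x1012, "add", ["esp", "0x4"]),       # push undone at once
    Insn(0x1015, "mov", ["ecx", "0x12345678"]), Insn(0x101a, "add", ["ecx", "0xdeadbeef"]),
    Insn(0x1020, "xor", ["ecx", "0x0badf00d"]), Insn(0x1026, "sub", ["ecx", "0x1"]),  # obfuscated const
    Insn(0x102c, "jmp", ["0x1040"]), Insn(0x1031, "xchg", ["eax", "eax"]),  # keep jmp; xchg unreachable
    Insn(0x1040, "test", ["ecx", "ecx"]), Insn(0x1042, "jz", ["0x1050"]),    # real compare: jz reads it
    Insn(0x1044, "ret"), Insn(0x1050, "ret"),
]

is_imm = lambda op: re.fullmatch(r"0x[0-9a-f]+", op) is not None
live = lambda code: [i for i in code if i.mn != "nop"]


def nop_xmm(code):  # XMM instructions carry no logic in this loader: nop them all
    for i in code:
        if any(o.startswith("xmm") for o in i.ops):
            i.nop()


def nop_fake_cmp(code):  # cmp/test is fake if a flag writer comes before any flag reader
    ins = live(code)
    for k, i in enumerate(ins):
        if i.mn in ("cmp", "test"):
            for nxt in ins[k + 1:]:
                if nxt.mn in ("jmp", "call", "ret") or FLAG_READER_RE.match(nxt.mn):
                    break                                   # consumed or unknown: keep it
                if nxt.mn in FLAG_WRITERS:
                    i.nop()                                 # clobbered: fake
                    break


def nop_fake_push(code):  # push X; add esp,4 is a no-op pair
    ins = live(code)
    for a, b in zip(ins, ins[1:]):
        if a.mn == "push" and b.mn == "add" and b.ops == ["esp", "0x4"]:
            a.nop(); b.nop()


def nop_fake_pushad(code):  # pushad..popad around register-only shuffles restores everything
    ins = live(code)
    for k, i in enumerate(ins):
        j = k + 1
        while (i.mn == "pushad" and j < len(ins) and ins[j].mn in REG_ONLY
               and not any("[" in o or "esp" in o for o in ins[j].ops)):
            j += 1
        if i.mn == "pushad" and j < len(ins) and ins[j].mn == "popad":
            for y in ins[k:j + 1]:
                y.nop()


def fold_arith(code):  # mov reg,imm; add/sub/xor/and/or reg,imm ... -> one mov (flags unread)
    ins, k = live(code), 0
    while k < len(ins):
        i, j, chain = ins[k], k + 1, []
        if i.mn == "mov" and len(i.ops) == 2 and is_imm(i.ops[1]):
            while (j < len(ins) and ins[j].mn in FOLD and len(ins[j].ops) == 2
                   and ins[j].ops[0] == i.ops[0] and is_imm(ins[j].ops[1])):
                chain.append(ins[j]); j += 1
            if chain and not (j < len(ins) and FLAG_READER_RE.match(ins[j].mn)):
                val = int(i.ops[1], 16)
                for x in chain:
                    val = FOLD[x.mn](val, int(x.ops[1], 16)) & MASK32
                    x.nop()
                i.ops = [i.ops[0], f"0x{val:08x}"]
        k = j


def deobfuscate(code):  # order matters: fake-cmp must run before folding removes flag writers
    code = copy.deepcopy(code)
    for p in (nop_xmm, nop_fake_cmp, nop_fake_push, nop_fake_pushad, fold_arith):
        p(code)
    return code


def trace(code, start):
    """Skip nops, follow unconditional jmps, fall through jcc, stop at ret or at a call/jmp
    whose target is not an immediate (assumption standing in for the article's operand check)."""
    by_addr = {i.addr: k for k, i in enumerate(code)}
    out, k, seen = [], by_addr[start], set()
    while k < len(code) and k not in seen:
        seen.add(k)
        i = code[k]
        if i.mn != "nop":
            out.append(i)
            if i.mn == "ret" or (i.mn in ("call", "jmp") and not is_imm(i.ops[0])):
                break
        k = by_addr[int(i.ops[0], 16)] if i.mn == "jmp" and is_imm(i.ops[0]) else k + 1
    return out
```

Unconditional jmps stay in the listing and are simply followed by trace(), which is what leaving them untouched buys: the output reads as straight-line code without rewriting any control flow. In a Ghidra script the same passes can be fed from currentProgram.getListing().getInstructions(addr, True), building each Insn from getMnemonicString() and getDefaultOperandRepresentation(n), and "nopping" can stay virtual (a set of addresses the tracer skips) instead of patching bytes in the program.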

It's important to note that while this approach was specifically tailored for deobfuscating GuLoader, the same general techniques could be applied to other malware samples as well. However, bear in mind that each malware sample might have unique obfuscation techniques, necessitating the development of specific optimization strategies.

ANY.RUN has explored one potential approach to deobfuscating GuLoader, which entails identifying common obfuscation patterns and neutralizing them using various techniques.

Read the full article, with code and script examples, at ANY.RUN.

Vlada Belousova
ANYRUN FZCO
2027889264