GuLoader: Deobfuscating and Automating Malware Analysis
DUBAI, DUBAI, UAE, May 18, 2023/EINPresswire.com/ -- ANY.RUN, a cybersecurity company developing an interactive sandbox platform for malware researchers, presents its GuLoader malware analysis.
Here are some highlights from the analysis of GuLoader and the deobfuscation of its code using the Ghidra scripting engine:
What is GuLoader
GuLoader is a widely used malware loader known for its complex obfuscation techniques that make it difficult to analyze and detect.
Clearing the Way: Why Deobfuscating Code is Crucial Before Analysis
Deobfuscating code is an essential step in malware analysis. Malware authors apply various obfuscation techniques to make their code harder to understand and analyze. By deobfuscating it, analysts can gain a clearer understanding of the malware's functionality, identify its capabilities, and develop effective mitigation strategies.
Deobfuscating and Optimizing: Techniques and Strategies
ANY.RUN identified various obfuscation techniques often found in GuLoader, including:
• Opaque predicates
• Obfuscated arithmetic expressions
• Junk instructions
ANY.RUN then focused on developing techniques and strategies to overcome these obfuscation methods and make the code easier to analyze.
Here are some of them:
• "Nopping" all XMM instructions
• Leaving unconditional JMP instructions untouched
• "Nopping" junk instructions
• Defeating fake comparison instructions
• Defeating fake PUSHAD instructions
• Defeating fake PUSH instructions
• Calculating arithmetic expressions
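The passes listed above, as an added example that is not ANY.RUN's code: a Python peephole deobfuscator over constructed instruction records rather than a Ghidra program, so it runs stand-alone. The fake-cmp, fake-pushad and fake-push patterns it matches are simplified stand-ins (an assumption; the page does not give GuLoader's exact sequences), and opaque predicates are not resolved here. Unconditional JMPs are never touched, and the arithmetic folding keeps the last operation of a run when a conditional jump depends on its flags.

```python
# Added example for this page (not ANY.RUN's Ghidra script): peephole passes over constructed
# instruction records, so it runs without Ghidra. The fake cmp/pushad/push patterns matched
# here are simplified stand-ins, an assumption, not GuLoader's exact sequences.
import re

MASK32 = 0xFFFFFFFF
FLAG_READERS = re.compile(r"^(j(?!mp)\w+|cmov\w+|set\w+|adc|sbb)$")  # instructions that consume EFLAGS
FLAG_WRITERS = {"cmp", "test", "add", "sub", "xor", "and", "or", "inc", "dec", "neg", "shl", "shr"}
ARITH = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b, "xor": lambda a, b: a ^ b,
         "and": lambda a, b: a & b, "or": lambda a, b: a | b}

def imm(s):                    # immediate operand as a 32-bit value; None for a register or memory operand
    try:
        return int(s, 0) & MASK32
    except ValueError:
        return None

def nop(insn):                 # records are mutable [addr, mnemonic, [operands]] lists
    insn[1], insn[2] = "nop", []

def nop_xmm(insns):            # 'nopping' all XMM instructions: anything that names an xmm register
    for i in insns:
        if any(o.startswith("xmm") for o in i[2]):
            nop(i)

def nop_fake_cmp(insns):
    """A cmp/test whose flags are overwritten before any reader is fake. A jmp, call or ret
    in between ends the scan and keeps it, because the target may still read the flags."""
    for idx, i in enumerate(insns):
        if i[1] not in ("cmp", "test"):
            continue
        for j in insns[idx + 1:]:
            if FLAG_READERS.match(j[1]) or j[1] in ("jmp", "call", "ret"):
                break
            if j[1] in FLAG_WRITERS:
                nop(i)
                break

def nop_fake_pushad(insns):
    """pushad ... popad with no memory, stack or control-flow access in between restores
    every register it touched, so the whole bracket is dead."""
    for idx, i in enumerate(insns):
        if i[1] != "pushad":
            continue
        for k in range(idx + 1, len(insns)):
            m, ops = insns[k][1], insns[k][2]
            if m == "popad":
                for x in insns[idx:k + 1]:
                    nop(x)
                break
            if m in ("call", "ret", "push", "pop") or m.startswith("j") or any("esp" in o or "[" in o for o in ops):
                break

def nop_fake_push(insns):      # push r immediately followed by pop r is a no-op pair
    for a, b in zip(insns, insns[1:]):
        if a[1] == "push" and b[1] == "pop" and a[2] == b[2]:
            nop(a)
            nop(b)

def fold_arithmetic(insns):
    """mov reg, imm followed by add/sub/xor/and/or reg, imm collapses to one mov. The last
    op also sets EFLAGS, so if a flag reader follows the run that op is kept, not folded."""
    idx = 0
    while idx < len(insns):
        i = insns[idx]
        if not (i[1] == "mov" and len(i[2]) == 2 and imm(i[2][1]) is not None):
            idx += 1
            continue
        reg, run, k = i[2][0], [], idx + 1
        while k < len(insns) and (insns[k][1] == "nop" or (insns[k][1] in ARITH and len(insns[k][2]) == 2
                                  and insns[k][2][0] == reg and imm(insns[k][2][1]) is not None)):
            if insns[k][1] != "nop":
                run.append(insns[k])
            k += 1
        if run and k < len(insns) and FLAG_READERS.match(insns[k][1]):
            run.pop()
        val = imm(i[2][1])
        for j in run:
            val = ARITH[j[1]](val, imm(j[2][1])) & MASK32
            nop(j)
        if run:
            i[2] = [reg, f"0x{val:x}"]
        idx = k

def deobfuscate(listing):      # run every pass on a copy; unconditional jmps are never touched
    insns = [[a, m, list(o)] for a, m, o in listing]
    for p in (nop_xmm, nop_fake_cmp, nop_fake_pushad, nop_fake_push, fold_arithmetic):
        p(insns)
    return [(f"{a:08x}", m, ", ".join(o)) for a, m, o in insns if m != "nop"]

SAMPLE = [  # constructed listing, not bytes from a real GuLoader sample
    [0x401000, "pushad", []], [0x401001, "movaps", ["xmm0", "xmm1"]], [0x401005, "popad", []],
    [0x401006, "mov", ["eax", "0x1234"]], [0x40100b, "add", ["eax", "0x10"]],
    [0x40100e, "xor", ["eax", "0x55"]], [0x401011, "cmp", ["ebx", "7"]], [0x401014, "sub", ["eax", "3"]],
    [0x401017, "push", ["ecx"]], [0x401018, "pop", ["ecx"]], [0x401019, "jmp", ["0x401030"]],
]
```

Pass order matters: the XMM and junk passes run first so that arithmetic folding can skip over the nops they leave behind, and the eleven-instruction sample collapses to `mov eax, 0x120e` followed by the untouched `jmp`. The conservative choices (keeping a cmp when a jmp/call/ret intervenes, keeping the last folded op before a jcc) are what stop the simplification from changing the control flow it is meant to expose.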
Automating Malware Analysis with a Ghidra Script
ANY.RUN has developed a script that starts from a chosen instruction, follows calls and conditional jumps, simplifies and deobfuscates the code it reaches, and disassembles the result. The script does not step over calls whose operand has a specific value, because not every call returns to the instruction after it.
It's important to note that, while this approach was tailored to deobfuscating GuLoader, the same general techniques can be applied to other malware samples. Bear in mind, however, that each sample may use its own obfuscation techniques, requiring specific optimization strategies.
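One way to implement such a walk, as an added example that is not ANY.RUN's Ghidra script: it runs over a constructed Python dict rather than a Ghidra program, and the set of call targets that never return is an assumed input, since the page does not say which operand value the real script checks. Stepping over such a call would queue the bytes after it as if they were code, which is exactly what the walk avoids.

```python
# Added example for this page, not ANY.RUN's script: a reachability walk from a chosen
# instruction. The listing is a constructed dict addr -> (mnemonic, target-or-operand);
# which call targets never return is an assumed input, since the page does not say
# what operand value the real script checks.

def next_addr(code, addr):     # address of the instruction that follows addr in the listing
    addrs = sorted(code)
    i = addrs.index(addr)
    return addrs[i + 1] if i + 1 < len(addrs) else None

def trace(code, start, nonreturning_calls=frozenset()):
    """Addresses reachable from start, in visit order. Follows unconditional jmps, both
    arms of a conditional jump, and call targets; the instruction after a call is only
    queued when the callee is expected to return. ret ends the path because return
    addresses are not tracked here."""
    order, seen, work = [], set(), [start]
    while work:
        addr = work.pop()
        if addr in seen or addr not in code:
            continue
        seen.add(addr)
        order.append(addr)
        mnem, op = code[addr]
        nxt = next_addr(code, addr)
        if mnem == "ret":
            continue
        if mnem == "jmp":
            work.append(op)
        elif mnem.startswith("j"):
            work.extend([nxt, op])
        elif mnem == "call":
            work.append(op)
            if op not in nonreturning_calls:
                work.append(nxt)
        else:
            work.append(nxt)
    return order

CODE = {  # constructed listing; 0x1030 pops its return address and never returns
    0x1000: ("mov", "eax, 1"),
    0x1005: ("call", 0x1030),
    0x100a: ("db", "junk"),        # bytes after the call are data, not code
    0x1010: ("jmp", 0x1020),
    0x1020: ("cmp", "eax, 1"),
    0x1023: ("jz", 0x1040),
    0x1025: ("call", 0x1050),      # ordinary call: 0x1050 returns to 0x102a
    0x102a: ("ret", ""),
    0x1030: ("pop", "esi"),        # discards the return address pushed by the call
    0x1031: ("jmp", 0x1020),
    0x1040: ("xor", "eax, eax"),
    0x1042: ("ret", ""),
    0x1050: ("nop", ""),
    0x1051: ("ret", ""),
}
NONRETURNING = {0x1030}
```

With `NONRETURNING` supplied, the junk at 0x100a is never visited; without it, the walk falls through the call and treats that junk as code, the same mistake a linear disassembler makes on a call that is really a jump.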
ANY.RUN has explored one potential approach to deobfuscating GuLoader, which entails identifying common obfuscation patterns and neutralizing them using various techniques.
The full article at ANY.RUN includes the code and script examples.
Vlada Belousova
ANYRUN FZCO
2027889264