FFRI/JSAC2023-GolangMalwareAnalysis: Scripts introduced in JSAC2023 presentation on analysis of Go language malware
How Do We Fight Against Evolving Go Language Malware? : Practical Techniques to Improve Analytical Skills (進化するGo言語製マルウェアとどう戦うか?: 解析能力向上に向けての実践的テクニック)

I gave a presentation at JSAC on the analysis of Go malware. Here are the scripts we presented at that time.

Content

Ghidra script to deobfuscate strings of Go malware with gobfuscate

degobfuscate.py

This Ghidra script deobfuscates strings in Go malware that was built with gobfuscate, such as ChaChi and Blackrota. The script is provided as part of the GolangAnalyzerExtension plugin, so it can be run from Ghidra's Script Manager once that plugin is installed. Please note that it will not work without this plugin.

Below is the result of deobfuscating the ChaChi malware with degobfuscate.py.
SHA256: 8a9205709c6a1e5923c66b63addc1f833461df2c7e26d9176993f14de2a39d5b

main.init function
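gobfuscate replaces each string literal with two byte arrays, a random mask and the literal XORed with that mask, and rebuilds the string at run time by XORing them back together. Recovering the plaintext from a compiled binary therefore comes down to finding the two arrays that a function loads and XORing them, which is what a deobfuscation script automates. The following is an added example that models that scheme in plain Python; it is not the repository's degobfuscate.py and does not depend on Ghidra. The addresses and byte arrays are constructed here for illustration.

```python
# Added example: models gobfuscate's XOR-mask string obfuscation and the
# recovery step a deobfuscation script performs. Not the repository's own code;
# the sample arrays and addresses below are constructed, not taken from malware.


def xor_arrays(mask: bytes, masked: bytes) -> bytes:
    """XOR two equal-length byte arrays, the core of gobfuscate's decode loop."""
    if len(mask) != len(masked):
        raise ValueError(f"length mismatch: {len(mask)} vs {len(masked)}")
    return bytes(m ^ c for m, c in zip(mask, masked))


def looks_like_text(data: bytes) -> bool:
    """Sanity check: a correctly paired (mask, masked) tuple yields printable
    UTF-8, while a mispairing usually decodes to binary junk. Filtering on this
    keeps false hits out of the recovered string list."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def deobfuscate_candidates(arrays):
    """Given byte arrays recovered from one function as (address, bytes) in the
    order they appear, pair adjacent arrays of equal length and keep pairings
    that decode to text. Returns {address_of_mask: plaintext}."""
    results = {}
    i = 0
    while i + 1 < len(arrays):
        addr_a, a = arrays[i]
        _addr_b, b = arrays[i + 1]
        if len(a) == len(b):
            plain = xor_arrays(a, b)
            if looks_like_text(plain):
                results[addr_a] = plain.decode("utf-8")
                i += 2  # both arrays consumed
                continue
        i += 1
    return results


def _obfuscate(plaintext: str, mask: bytes):
    """Build the (mask, masked) pair gobfuscate would embed. Used here only to
    construct the sample input; a real sample already contains both arrays."""
    data = plaintext.encode("utf-8")
    return mask, xor_arrays(mask, data)


# Constructed sample: arrays as they might be collected from one init function,
# including an unrelated 5-byte array that must not be paired with anything.
_m1, _c1 = _obfuscate("Hello, gobfuscate", bytes(range(0x10, 0x21)))
_m2, _c2 = _obfuscate("config.yaml", bytes(range(0xA0, 0xAB)))
SAMPLE_ARRAYS = [
    (0x4A1000, _m1),
    (0x4A1020, _c1),
    (0x4A1040, bytes([0xDE, 0xAD, 0xBE, 0xEF, 0x00])),  # decoy, different length
    (0x4A1050, _m2),
    (0x4A1060, _c2),
]

if __name__ == "__main__":
    for addr, text in deobfuscate_candidates(SAMPLE_ARRAYS).items():
        print(f"{addr:#x}: {text!r}")
```

The pairing heuristic (adjacent arrays of equal length) reflects how gobfuscate emits the mask and masked literal side by side in the generated code; the printable-text check is the cheap way to confirm that a pairing is right before labelling the string in the disassembly.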

Radare2 script to resolve function names in Go binary supporting Go 1.18

gohelper_go118.py

gohelper_go118.py adapts gohelper.py, which does not support Go 1.16 or later, so that it works with Go 1.18 binaries. Note that this script in turn does not support versions earlier than Go 1.18. The commit is here.

Below are the results of resolving the function names of the Chaos malware with gohelper_go118.py, shown with radare2's afl and pdf commands.
SHA256: ebe0f9855eb8f6bd980ed60c26e3a877dc1ace5d664e248bb0558996fe0bd06f

afl command

pdf command
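The reason a script written for older Go versions stops resolving names is that the pclntab layout changed: Go 1.16 introduced a new header (magic 0xFFFFFFFA) with split name/file/pc tables, and Go 1.18 changed it again (magic 0xFFFFFFF0), adding a textStart field and making function table entries 32-bit offsets relative to it. The following is an added example, not the repository's gohelper_go118.py, that parses the Go 1.18 layout from a raw pclntab byte string and maps entry addresses to function names. It assumes the caller has already extracted the .gopclntab bytes from the binary; the sample table it parses is constructed inline, and the layout it reads (pcHeader, functab, the entryoff/nameoff prefix of each _func record) is that of the Go 1.18 runtime.

```python
# Added example, not the repository's script: minimal Go 1.18 pclntab parser.
# Input is the raw bytes of the .gopclntab section; the sample below is
# constructed in this file rather than taken from a real binary.
import struct

GO12_MAGIC = 0xFFFFFFFB   # Go 1.2 - 1.15 layout (what older helpers expect)
GO116_MAGIC = 0xFFFFFFFA  # Go 1.16 - 1.17: split tables, no textStart
GO118_MAGIC = 0xFFFFFFF0  # Go 1.18 - 1.19: textStart + 32-bit entry offsets
GO120_MAGIC = 0xFFFFFFF1  # Go 1.20+: same layout as 1.18


def pclntab_go_version(blob: bytes) -> str:
    """Classify the pclntab by its magic; the first thing to check when a
    resolver script returns nothing."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    return {GO12_MAGIC: "1.2-1.15", GO116_MAGIC: "1.16-1.17",
            GO118_MAGIC: "1.18-1.19", GO120_MAGIC: "1.20+"}.get(magic, "unknown")


def parse_pclntab(blob: bytes):
    """Return {entry_pc: name} from a Go 1.18+ pclntab.

    pcHeader: magic u32, pad u8 u8, minLC u8, ptrSize u8, then ptr-sized
    nfunc, nfiles, textStart, funcnameOffset, cuOffset, filetabOffset,
    pctabOffset, pclnOffset. The functab at pclnOffset holds nfunc entries of
    (entryoff u32, funcoff u32) plus a sentinel; funcoff is relative to the
    functab start and points at a _func record whose first two fields are
    entryoff u32 and nameoff i32. Names are NUL-terminated at
    funcnameOffset + nameoff, and entry PC = textStart + entryoff.
    """
    magic, _pad1, _pad2, _min_lc, ptr_size = struct.unpack_from("<IBBBB", blob, 0)
    if magic not in (GO118_MAGIC, GO120_MAGIC):
        raise ValueError(f"unsupported pclntab magic {magic:#x}")
    ptr = "Q" if ptr_size == 8 else "I"
    (nfunc, _nfiles, text_start, funcname_off, _cu_off, _filetab_off,
     _pctab_off, pcln_off) = struct.unpack_from("<" + ptr * 8, blob, 8)
    names = {}
    for i in range(nfunc):
        entry_off, func_off = struct.unpack_from("<II", blob, pcln_off + 8 * i)
        _entry, name_off = struct.unpack_from("<Ii", blob, pcln_off + func_off)
        start = funcname_off + name_off
        end = blob.index(b"\x00", start)
        names[text_start + entry_off] = blob[start:end].decode("utf-8")
    return names


def build_sample_pclntab(funcs, text_start=0x401000, ptr_size=8) -> bytes:
    """Construct a minimal Go 1.18-layout pclntab for the example (not real
    sample data). funcs: list of (entry_pc, name). Only the fields the parser
    reads are populated; the cu/file/pc tables are left empty."""
    names = b"".join(n.encode() + b"\x00" for _, n in funcs)
    name_offs, pos = [], 0
    for _, n in funcs:
        name_offs.append(pos)
        pos += len(n) + 1
    funcname_off = 8 + 8 * ptr_size          # names follow the header
    pcln_off = funcname_off + len(names)     # functab follows the names
    functab_len = 8 * (len(funcs) + 1)       # entries plus sentinel
    functab, funcdata = b"", b""
    for i, (pc, _) in enumerate(funcs):
        func_off = functab_len + 8 * i       # _func records follow the functab
        functab += struct.pack("<II", pc - text_start, func_off)
        funcdata += struct.pack("<Ii", pc - text_start, name_offs[i])
    functab += struct.pack("<II", funcs[-1][0] - text_start + 0x10, 0)  # sentinel
    ptr = "Q" if ptr_size == 8 else "I"
    header = struct.pack("<IBBBB", GO118_MAGIC, 0, 0, 1, ptr_size)
    header += struct.pack("<" + ptr * 8, len(funcs), 0, text_start, funcname_off,
                          pcln_off, pcln_off, pcln_off, pcln_off)
    return header + names + functab + funcdata


SAMPLE_PCLNTAB = build_sample_pclntab([(0x401000, "main.main"), (0x401080, "main.init")])

if __name__ == "__main__":
    print("Go", pclntab_go_version(SAMPLE_PCLNTAB))
    for pc, name in sorted(parse_pclntab(SAMPLE_PCLNTAB).items()):
        print(f"{pc:#x} {name}")
```

On a real binary, feed the bytes of the .gopclntab section (or, for stripped PE/ELF files, the bytes starting at the header magic found by scanning) into parse_pclntab; the resulting map is what a radare2 helper turns into flags or afn renames. The magic check is deliberate: a 1.16 table is rejected rather than misparsed, which mirrors the version boundary the script above documents.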
