IDAPython Deobfuscation Scripts for Nymaim Samples
Files in the repository (latest commit message and date per file):

  • README.md
  • config.py
  • deobfuscator.py (Jun 27, 2016: "Revert CodeRefs type and catch deobfuscation corner cases")
  • func_call.py (Jun 27, 2016: "Revert CodeRefs type and catch deobfuscation corner cases")
  • main.py (Jul 22, 2016: "Add functions to derive API names and addresses from magic values")
  • reg_push.py (Jun 27, 2016: "Only replace comment if not commented")
  • utils.py (Jul 22, 2016: "Add functions to derive API names and addresses from magic values")

MyNaim

MyNaim, an anagram of the malware family name 'Nymaim', is a collection of IDAPython deobfuscation scripts useful for anyone analysing a Nymaim sample. Nymaim's obfuscation techniques have stayed more or less the same over the years, so sharing these scripts should save other analysts some time :)

Feature List

  1. Deobfuscates the helper functions Nymaim uses to perform a simple register push, annotating each call site with the register push it stands for

  2. Deobfuscates proxy function calls, annotating each call site with the function that is really being called

  3. Provides a function to emulate the hashing and xor-ing of strings in Nymaim

  4. Provides a function to turn obfuscated offsets into their respective API addresses/names

Usage

  1. Configure the path to PyEmu in config.py
  2. Position the cursor anywhere within the text segment of the sample
  3. Load main.py in IDA Pro
  4. In the IDAPython interpreter, execute init() once, then deobfuscate() as many times as you like :)


Pro tip: you can re-run deobfuscate() after renaming your functions; the names in the generated comments are updated to match.
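To make the annotate-and-rerun workflow concrete, here is an added example that is not part of MyNaim and does not use the IDA API. It models a tiny disassembly listing in plain Python and applies the same two passes the scripts perform: resolving a call through a proxy (following chains of proxies) to the real callee, and recognising a register-push helper so the call site can be commented with the push it stands for. The helper shapes it recognises (a proxy that is a bare `jmp target` or `push target; ret`, and a register-push helper of the form `pop tmp; push reg; jmp tmp`) are assumptions chosen for illustration, not a description of Nymaim's actual code, and all addresses and names in the sample listing are made up. It also implements the two behaviours noted above: an analyst's own comment is never overwritten, while comments the pass wrote itself are refreshed on re-run so that a rename shows up in them.

```python
from dataclasses import dataclass

MARKER = "deobf: "   # prefix identifying comments written by this pass (assumed convention)


@dataclass
class Insn:
    """One disassembled instruction in a constructed model (not the IDA API)."""
    addr: int
    mnem: str
    ops: tuple = ()
    comment: str = ""


class Listing:
    """Address-indexed instructions plus a function-start -> name map."""

    def __init__(self, insns, func_names=None):
        self.insns = {i.addr: i for i in insns}
        self.order = sorted(self.insns)
        self.names = dict(func_names or {})

    def body(self, start, limit=16):
        """Instructions from `start` up to the first ret/jmp (enough for a stub)."""
        if start not in self.insns:
            return []
        out = []
        for addr in self.order:
            if addr < start:
                continue
            out.append(self.insns[addr])
            if self.insns[addr].mnem in ("ret", "jmp") or len(out) >= limit:
                break
        return out


def classify(listing, func):
    """Recognise the assumed helper shapes and return (kind, value):
    proxy    -> value is the forwarded-to address  (`jmp target` or `push target; ret`)
    reg_push -> value is the pushed register       (`pop tmp; push reg; jmp tmp`)"""
    m = [(i.mnem, i.ops) for i in listing.body(func)]
    if len(m) == 1 and m[0][0] == "jmp" and m[0][1] and isinstance(m[0][1][0], int):
        return "proxy", m[0][1][0]
    if (len(m) == 2 and m[0][0] == "push" and m[0][1]
            and isinstance(m[0][1][0], int) and m[1][0] == "ret"):
        return "proxy", m[0][1][0]
    if (len(m) == 3 and m[0][0] == "pop" and m[1][0] == "push"
            and m[2][0] == "jmp" and m[2][1] == m[0][1]):
        return "reg_push", m[1][1][0]
    return "unknown", None


def resolve_proxy(listing, target, max_hops=8):
    """Follow a chain of proxies to the real callee, guarding against loops."""
    seen = set()
    while max_hops > 0 and target not in seen:
        seen.add(target)
        kind, nxt = classify(listing, target)
        if kind != "proxy":
            break
        target, max_hops = nxt, max_hops - 1
    return target


def func_name(listing, addr):
    return listing.names.get(addr, "sub_%X" % addr)


def deobfuscate(listing):
    """Annotate obfuscated call sites; returns how many comments were written.
    Comments without MARKER belong to the analyst and are left alone; comments
    with MARKER are refreshed, so a rename is picked up on the next run."""
    changed = 0
    for addr in listing.order:
        ins = listing.insns[addr]
        if ins.mnem != "call" or not ins.ops or not isinstance(ins.ops[0], int):
            continue
        kind, val = classify(listing, ins.ops[0])
        if kind == "proxy":
            text = MARKER + "call " + func_name(listing, resolve_proxy(listing, val))
        elif kind == "reg_push":
            text = MARKER + "push " + val
        else:
            continue
        if ins.comment and not ins.comment.startswith(MARKER):
            continue
        if ins.comment != text:
            ins.comment, changed = text, changed + 1
    return changed


def build_sample():
    """Constructed listing with made-up addresses, not taken from a real sample."""
    return Listing([
        Insn(0x401000, "call", (0x401100,)),                  # proxy -> proxy -> real callee
        Insn(0x401005, "call", (0x401300,)),                  # register-push helper
        Insn(0x40100A, "call", (0x401300,), "analyst note"),  # analyst comment must survive
        Insn(0x40100F, "call", (0x401400,)),                  # ordinary function, untouched
        Insn(0x401100, "jmp",  (0x401110,)),                  # proxy form 1
        Insn(0x401110, "push", (0x401200,)),                  # proxy form 2
        Insn(0x401115, "ret"),
        Insn(0x401200, "ret"),                                # real callee (unnamed at first)
        Insn(0x401300, "pop",  ("ecx",)),                     # reg-push helper: pop ecx
        Insn(0x401301, "push", ("eax",)),                     #                  push eax
        Insn(0x401302, "jmp",  ("ecx",)),                     #                  jmp ecx
        Insn(0x401400, "ret"),
    ])


if __name__ == "__main__":
    lst = build_sample()
    print(deobfuscate(lst), "comments written")
    lst.names[0x401200] = "decrypt_string"   # analyst renames the real callee
    print(deobfuscate(lst), "comments refreshed after rename")
    for a in (0x401000, 0x401005, 0x40100A):
        print("%X: %s" % (a, lst.insns[a].comment))
```

In a real IDAPython port the `Listing` lookups become `idautils.CodeRefsTo`/`idc.get_func_name` style calls and the comment writes become `idc.set_cmt`, but the control flow (classify the callee, follow proxy chains with a hop limit, write only over your own comments) is the part worth keeping.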

Dependencies

  • IDA Pro with IDAPython
  • PyEmu (set its path in config.py)

Todo

  • Deobfuscate library calls