IDAPython Deobfuscation Scripts for Nymaim Samples
README.md
config.py
deobfuscator.py
func_call.py
main.py
reg_push.py
utils.py

MyNaim

MyNaim, an anagram of the malware family name 'Nymaim', is a collection of IDAPython deobfuscation scripts useful for anyone analysing a Nymaim sample. This is especially worthwhile because the family's obfuscation techniques have stayed more or less the same over the years, so sharing my scripts might save other analysts some time :)

Feature List

  1. Deobfuscates functions used to do a simple register push [before/after screenshots]
  2. Deobfuscates proxy function calls [before/after screenshots]
  3. Provides a function to emulate the hashing and xor-ing of strings in Nymaim [screenshot]
  4. Provides a function to turn obfuscated offsets into their respective API addresses/names [screenshot]

Usage

  1. Configure the path to PyEmu in config.py
  2. Position the cursor anywhere within the text segment of the sample
  3. Load main.py in IDAPro
  4. In the IDAPython interpreter, execute init(), then deobfuscate() as many times as you like :)


Pro tip: you can re-run deobfuscate() after renaming your functions to update their names in the comments, since the comments are regenerated from the current function names on every run.
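To show the shape of the proxy-call feature and why re-running refreshes the comments, here is an added, stand-alone example that is not part of MyNaim and does not use IDAPython. It runs over a constructed toy listing (a dict of function start address to instruction list, not a real Nymaim sample) in which two stubs do nothing but forward to the next address. The "proxy" definition it uses (a single unconditional jmp to an immediate) is an assumption for illustration; Nymaim's real stubs, which the scripts handle, may look different. The comment pass takes the current name table as input, so renaming a function and running it again yields updated comments, exactly as the pro tip describes.

```python
"""Generic proxy-call resolution with name-aware comments over a constructed listing.

Added example, not MyNaim's code.  Addresses, instruction shapes and the
'single jmp' proxy definition are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Insn:
    addr: int
    mnem: str
    ops: Tuple


# Constructed toy listing keyed by function start address (NOT from a real
# sample).  0x401100 and 0x401110 are proxy stubs that only forward to the
# next address; 0x401200 is the real function the caller wants.
LISTING: Dict[int, List[Insn]] = {
    0x401000: [
        Insn(0x401000, "push", ("ebp",)),
        Insn(0x401001, "call", (0x401100,)),   # call proxy -> proxy -> real
        Insn(0x401006, "call", (0x401110,)),   # call proxy -> real
        Insn(0x40100B, "call", (0x401200,)),   # direct call, nothing to do
        Insn(0x401010, "ret", ()),
    ],
    0x401100: [Insn(0x401100, "jmp", (0x401110,))],
    0x401110: [Insn(0x401110, "jmp", (0x401200,))],
    0x401200: [Insn(0x401200, "mov", ("eax", 1)), Insn(0x401202, "ret", ())],
}


def is_proxy(func_addr: int, listing: Dict[int, List[Insn]] = LISTING) -> bool:
    """Assumed proxy shape: a one-instruction function that is an unconditional
    jmp to an immediate address."""
    body = listing.get(func_addr)
    return (body is not None and len(body) == 1 and body[0].mnem == "jmp"
            and isinstance(body[0].ops[0], int))


def resolve_proxy(func_addr: int, listing: Dict[int, List[Insn]] = LISTING,
                  max_depth: int = 16) -> Optional[int]:
    """Follow a chain of proxy stubs to the real target.

    Returns None if the chain loops or exceeds max_depth, so a crafted or
    corrupted binary cannot send the analysis pass into an endless walk."""
    seen = set()
    cur = func_addr
    while is_proxy(cur, listing):
        if cur in seen or len(seen) >= max_depth:
            return None
        seen.add(cur)
        cur = listing[cur][0].ops[0]
    return cur


def annotate_calls(func_addr: int, names: Dict[int, str],
                   listing: Dict[int, List[Insn]] = LISTING) -> Dict[int, str]:
    """Build {call_addr: comment} for every call that goes through a proxy.

    `names` is the CURRENT name table (address -> function name); anything not
    in it gets an IDA-style default.  Because comments are derived from this
    table on every run, re-running after a rename refreshes them."""
    comments: Dict[int, str] = {}
    for insn in listing.get(func_addr, []):
        if insn.mnem != "call" or not isinstance(insn.ops[0], int):
            continue
        target = insn.ops[0]
        if not is_proxy(target, listing):
            continue
        final = resolve_proxy(target, listing)
        if final is None:
            comments[insn.addr] = "proxy chain unresolved (cycle or too deep)"
        else:
            comments[insn.addr] = f"proxy -> {names.get(final, f'sub_{final:X}')}"
    return comments


if __name__ == "__main__":
    names: Dict[int, str] = {}
    print(annotate_calls(0x401000, names))   # comments use sub_401200
    names[0x401200] = "decrypt_config"       # analyst renames the real function
    print(annotate_calls(0x401000, names))   # re-run: comments now say decrypt_config
```

In a real IDAPython port the listing would come from the disassembler's instruction iteration and the name table from its function-naming API; the structure of the pass (detect stub, follow chain with a loop guard, emit a comment from the current name) is the part worth carrying over.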

Dependencies

Todo

  • Deobfuscate library calls