Reverse engineering is a critical part of malware analysis. Recently, during some self-study, I noticed that a malware sample downloaded from VirusTotal was packaged with PyInstaller, so I spent some time learning how to unpack and decompile it. Experienced reverse engineers will find this simple, but it is worth noting down here. I will list the few steps below.
Identify the binary packaged by PyInstaller
First, you need a malware sample packaged with PyInstaller. Luckily, I found one on VirusTotal.
I downloaded it to my Linux box. I usually start with the file command to see what the file type is, and then run strings to look for any interesting strings inside the binary.
The output shows that this is a PE executable, and you can see Python-related strings inside it (the bootloader's _MEIPASS2 environment variable name and the pyi- runtime option names are typical), so this binary is very likely packaged with PyInstaller. A more definitive check is the 8-byte archive cookie magic MEI\014\013\012\013\016 that PyInstaller writes near the end of the file, just before the cookie fields that record the archive size and the Python version. The next step is to extract the contents of this PyInstaller-generated executable.
Extract the content
To extract the contents of a PyInstaller-generated executable, I searched around and found the pyinstxtractor GitHub repo. It is a Python script that extracts everything inside the executable. Use the following commands to run it.
# git clone https://github.com/extremecoders-re/pyinstxtractor.git
# cd pyinstxtractor/
# python3.11 pyinstxtractor.py 1f18d3407038bcd985ff480be2c729b4fd33c36bbffd8bcfb18574ee24b100a9
Once it finishes, a folder named after the sample with an _extracted suffix is created and all the extracted content is placed under it. One caveat: pyinstxtractor prints the Python version the sample was built with and warns if the interpreter running it differs. Run it under that same major.minor version (here 3.11), otherwise the PYZ archive's contents cannot be unmarshalled and the decompilation step later on will fail.
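To make the identification and extraction steps concrete, here is an added example (my own code for this article, not pyinstxtractor's code and not PyInstaller's) that parses the archive PyInstaller appends to its bootloader: it locates the cookie by its magic bytes, decodes the Python version the sample was built with, walks the table of contents and inflates a zlib-compressed entry. The archive it runs on is constructed inside the script; the fake PE stub and the entry names struct, redtrace and PYZ-00.pyz are illustrative, not taken from the real sample.

```python
"""Minimal parser for the CArchive that PyInstaller appends to its bootloader EXE.

Added example for this article; not code from pyinstxtractor or PyInstaller.
Layout (network byte order), as published in PyInstaller's own source:
    [entry data ...][table of contents][88-byte cookie]
Offsets in the TOC are relative to the start of the archive, not the file.
"""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # cookie marker written by PyInstaller
COOKIE_FMT = "!8sIIii64s"                   # magic, pkg len, toc offset, toc len, pyver, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes (PyInstaller >= 2.1)
TOC_FIXED = struct.calcsize("!iIIIBc")      # 18 fixed bytes before the NUL-terminated name
TYPE_CODES = {b"s": "script", b"m": "module", b"M": "package", b"b": "binary",
              b"z": "PYZ archive", b"x": "data", b"o": "runtime option"}


def python_version(pyver):
    """Decode the cookie's version field: 311 -> '3.11'; old builds stored 27/36 style."""
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return f"{major}.{minor}"


def inspect_archive(data):
    """Return cookie fields plus TOC entries, or None when no PyInstaller cookie is present."""
    pos = data.rfind(MAGIC)                  # the cookie is the last thing in the package
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    archive_start = pos + COOKIE_SIZE - pkg_len
    entries, p = [], archive_start + toc_off
    while p < archive_start + toc_off + toc_len:
        (entry_size,) = struct.unpack("!i", data[p:p + 4])
        name_len = entry_size - TOC_FIXED
        off, csize, usize, cflag, typ, name = struct.unpack(f"!IIIBc{name_len}s", data[p + 4:p + entry_size])
        entries.append({"name": name.rstrip(b"\0").decode(), "type": TYPE_CODES.get(typ, typ.decode()),
                        "offset": off, "compressed_size": csize, "size": usize, "compressed": bool(cflag)})
        p += entry_size
    return {"python_version": python_version(pyver), "pylib": pylib.rstrip(b"\0").decode(),
            "archive_start": archive_start, "entries": entries}


def read_entry(data, report, name):
    """Pull one entry out of the archive, inflating it if the TOC flags it as zlib-compressed."""
    entry = next(e for e in report["entries"] if e["name"] == name)
    start = report["archive_start"] + entry["offset"]
    blob = data[start:start + entry["compressed_size"]]
    if entry["compressed"]:
        blob = zlib.decompress(blob)
    if len(blob) != entry["size"]:
        raise ValueError(f"{name}: expected {entry['size']} bytes, got {len(blob)}")
    return blob


def build_sample(entries, pyver=311, pylib=b"python311.dll"):
    """Constructed test input: a fake PE stub followed by a PyInstaller-style archive."""
    body, toc = b"", b""
    for name, typ, payload, compress in entries:
        stored = zlib.compress(payload) if compress else payload
        name_b = name.encode() + b"\0"
        name_b += b"\0" * ((16 - (TOC_FIXED + len(name_b)) % 16) % 16)   # PyInstaller pads entries to 16
        toc += struct.pack(f"!iIIIBc{len(name_b)}s", TOC_FIXED + len(name_b), len(body),
                           len(stored), len(payload), int(compress), typ, name_b)
        body += stored
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), pyver, pylib)
    return b"MZ" + b"\0" * 62 + b"FAKE PE STUB (constructed)" + body + toc + cookie


# Constructed sample: two compressed script entries and an uncompressed PYZ whose
# header carries the 3.11 pyc magic (a7 0d 0d 0a), which is how extractors learn
# which magic to prepend when they write out the entry-point .pyc files.
SAMPLE = build_sample([
    ("struct", b"s", b"# bootstrap helper (placeholder bytes)\n", True),
    ("redtrace", b"s", b"# marshalled code object would go here\n", True),
    ("PYZ-00.pyz", b"z", b"PYZ\0" + b"\xa7\x0d\x0d\x0a" + b"\0" * 16, False),
])

if __name__ == "__main__":
    report = inspect_archive(SAMPLE)
    print("Python", report["python_version"], "via", report["pylib"])
    for e in report["entries"]:
        print(f"{e['type']:15} {e['name']:20} {e['size']:6} bytes")
```

The field to read before choosing an interpreter is the cookie's Python version: the PYZ contents are unmarshalled with Python's own marshal module, which is why pyinstxtractor has to run under the same major.minor version as the build. On a real sample you would replace SAMPLE with the file's bytes; the cookie search and TOC walk are the same.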
As you can see from the above screenshot, there are multiple pyc files in this folder. One file named redtrace.pyc caught my eye, so I decompiled that one first to see what was inside it. You can use uncompyle6 to decompile it, but today I would like to introduce pycdc.
Get the original human-readable Python code
Following are the commands I ran to build pycdc.
# git clone https://github.com/zrax/pycdc.git
# cd pycdc
# cmake .
# make
# make test
Once pycdc has been built, you can run it against the pyc file (./pycdc redtrace.pyc writes the result to standard output) to translate the compiled Python bytecode back into readable Python source. Note that uncompyle6 stops at Python 3.8 bytecode, so for a sample built with a newer Python you need pycdc; if pycdc itself reports unsupported opcodes, the pycdas disassembler built alongside it still gives you a bytecode listing with the strings and calls visible.
As you can see from the above screenshots, this looks like ransomware: you can observe a Bitcoin address and an email address, a key generation function, a Telegram API URL and the list of file extensions that would be encrypted. So I assume this ransomware encrypts all files with those extensions and sends the encryption key to a specific Telegram channel.
Conclusion
Using these steps you can reveal interesting content inside a PyInstaller-generated executable and help identify which campaign the file belongs to. I hope this article helps you in some way. Happy hacking and happy reverse engineering.