Skip to content
/ ezuri_unpack Public

Simple unpacking script for Ezuri ELF Crypter

dissectingmalwa.re

License

MIT license
30 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

f0wl/ezuri_unpack

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
img
img
 
 
testfiles
testfiles
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
ezuri_unpack.go
ezuri_unpack.go
 
 
go.mod
go.mod
 
 

Repository files navigation

Go Report Card

ezuri_unpack

A simple unpacking script for the Ezuri ELF Crypter. Based on the analysis done by Ofer Caspi and Fernando Martinez of AT&T Alien Labs: https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader

ezuri_unpack.go screenshot

How does it work?

The payload is encrypted with AES CFB and will be decrypted and run via memfd_create by the stub. Key and IV are stored in the binary.

Hex Editor, POC executable

Testing the script

  1. Build the test payload gcc test.c -o test
  2. Build and run guitmz/ezuri
  3. To unpack it again: go run ezuri_unpack.go packed.bin

I also tested it with the packed Linux.Cephei sample mentioned in the report. Link to Virustotal

About

Simple unpacking script for Ezuri ELF Crypter

dissectingmalwa.re

Topics

malware-analysis unpacker

Resources

Readme

License

MIT license
Activity

Stars

30 stars

Watchers

3 watching

Forks

5 forks
Report repository

Languages