Realizing that there is no article or tutorial on this subject on the Internet, I decided to write this post for anyone who has to analyze malware with characteristics similar to the ones I am about to describe. Hopefully this information will be as useful to you as it was to me, and will spare you the time I spent searching the Internet for how to perform a static analysis of malware packed with Py2Exe.
A couple of weeks ago, I came across a malware sample called Nueva_Carpetaa.exe (this translates to New Folder.exe) that had infected a server and several other computers on the network. Nothing was really interesting about this malware except that it was packed with Py2Exe, which means it was originally coded in Python and then converted to an executable so that it could run on a Windows machine without the need for a Python interpreter. So I thought to myself: is there a way, or is it even possible, to obtain the original source code of this malware? After hours of searching on Google and doing some research, I was able to extract the majority of the source code. In this blog post, I will outline the steps I took and demonstrate the free tools I used to accomplish this.
For a quick behavior analysis of the malware, I submitted a sample to ThreatExpert. A report was generated and I quickly went over the details to see what this malware does once it infects a Windows host. In the Submission details section of the report, a Kaspersky Lab signature detected that this malware was packed with Py2Exe.
This caught my attention and I investigated further. To see if Nueva_Carpetaa.exe was really packed with Py2Exe, I copied the malware sample to my SIFT Forensic Workstation and used the strings command line tool to list all readable strings from the executable. Immediately, it was evident that this malware was programmed in Python.
As you can see in the picture above, the string PYTHON25.DLL indicates that the malware was written using Python 2.5 and that this Python interpreter library was bundled into the executable. If we run strings again and grep the output for the word py2exe, we get the following strings.
Using unzip, we were able to extract the files bundled with the executable. Examining the extracted files, we can clearly see that the majority of them are Python bytecode because of the .pyo file extension. PYO files are optimized compiled Python code, generated when the Python interpreter is invoked with the -O flag. The purpose of compiling Python files is to speed up the start-up time of short programs that use a lot of standard modules. When -O is used, all bytecode is optimized and assert statements are removed.
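To make the strings and unzip steps above repeatable, here is a small triage script I am adding to this post; it is not part of the original analysis or of any tool mentioned here. It looks for the PYTHONxx.DLL string and a py2exe marker, then lists the zip archive that Py2Exe appends to the executable, which is exactly what unzip finds. The binary it runs against is a constructed stand-in built in memory, not the real sample.

```python
"""Triage a Py2Exe-style executable: find the bundled interpreter DLL string
and list the zip archive appended to the binary.
Added example, not code from the original post. The "executable" is
constructed in memory so the script runs offline."""
import io
import json
import re
import zipfile

# PYTHON25.DLL, python27.dll, ... : the interpreter library bundled by Py2Exe
PYTHON_DLL_RE = re.compile(rb"PYTHON(\d)(\d)\.DLL", re.IGNORECASE)
# strings typically present in such binaries (boot_common is the Py2Exe boot script)
PY2EXE_MARKERS = (b"py2exe", b"boot_common")


def find_python_runtime(data: bytes):
    """Return the bundled interpreter version, e.g. '2.5', or None."""
    m = PYTHON_DLL_RE.search(data)
    if not m:
        return None
    return f"{m.group(1).decode()}.{m.group(2).decode()}"


def has_py2exe_markers(data: bytes) -> bool:
    """True if any of the known Py2Exe strings appears in the file."""
    return any(marker in data for marker in PY2EXE_MARKERS)


def list_appended_archive(data: bytes):
    """Py2Exe appends a zip of bytecode modules to the executable. zipfile
    locates the archive from its end-of-central-directory record, so it can
    read it even with the PE image in front, just as unzip does."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def classify_members(names):
    """Split archive members into compiled bytecode (.pyo/.pyc) and the rest."""
    bytecode = sorted(n for n in names if n.endswith((".pyo", ".pyc")))
    other = sorted(n for n in names if not n.endswith((".pyo", ".pyc")))
    return bytecode, other


def triage(data: bytes):
    """Summarise what a defender wants to know before opening a disassembler."""
    bytecode, other = classify_members(list_appended_archive(data))
    return {
        "python_version": find_python_runtime(data),
        "py2exe_markers": has_py2exe_markers(data),
        "bytecode_modules": bytecode,
        "other_members": other,
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a Py2Exe binary: a fake PE stub carrying the
    DLL string and a py2exe marker, followed by an appended zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("os.pyo", b"\x00")
        zf.writestr("socket.pyo", b"\x00")
        zf.writestr("zipextimporter.pyo", b"\x00")
        zf.writestr("README.txt", b"constructed sample")
    stub = b"MZ" + b"\x00" * 64 + b"PYTHON25.DLL\x00py2exe\x00" + b"\x00" * 16
    return stub + buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage(build_constructed_sample()), indent=2))
```

Run it against a real file by replacing the constructed sample with `open(path, "rb").read()`; the version string tells you which interpreter to install in the lab before attempting a decompile, as the pyREtic steps below require.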
As seen above, besides the malware executable itself, we only see standard Python modules. So far, no malicious Python compiled code has been extracted. That is not to say these modules could not be malicious, but based on the module names, and for the brevity of this article, we will assume that they are safe.
So far so good, but we still need to find the malicious code. While researching, I found this interesting post, and in it, the source code for a Python tool conveniently called exe2py. Judging by the name, we could assume that this tool takes an executable and converts it to Python; however, it is not as straightforward as it sounds. What this tool actually does is extract additional files that are embedded in the executable itself and were not in the zip file. This will be much clearer once I run the tool, as follows.
The two new files are boot_common.pyo and test.pyo; boot_common.pyo is a boot script that Py2Exe uses. The interesting file here is test.pyo. By the looks of its name, it does not sound like a standard module and therefore could very well be the main code we are looking for.
Since test.pyo is compiled bytecode rather than readable source, we will need another Python tool to decompile the file and obtain the original source code. Back in 2010, security researcher Rich Smith presented a talk entitled “In Memory Reverse Engineering for Obfuscated Python Bytecode”. Mr. Smith explained how authors nowadays want to protect the source code of their Python applications from competitors by using a number of tools and techniques. Mr. Smith developed a proof-of-concept Python tool called pyREtic for the purpose of decompiling obfuscated Python executables from memory. The tool was created out of the need to reverse engineer and obtain source code for the analysis of possible vulnerabilities, bugs and license infringements. This tool is also a great way to analyze malicious executables that were coded in Python, as you will see in the following.
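Before reaching for a decompiler, it helps to know what a compiled Python module looks like at the byte level. The following is an added example of my own, not code from the post or from pyREtic: it builds a .pyc image from a small constructed source, checks the header magic against the running interpreter (a mismatch is exactly why the post installs the same Python version the author used), unmarshals the code object, disassembles it with the standard dis module, and shows that compiling at optimize level 1 (what the -O flag does) drops the assert. It uses the 16-byte Python 3 header layout rather than the 8-byte header of Python 2.5.

```python
"""Inspect a compiled Python module without a decompiler: validate the
header magic, unmarshal the code object, disassemble it, and compare the
effect of the -O optimisation level on assert statements.
Added example, not from the original post. The source text is constructed;
the header layout is the 16-byte Python 3 format."""
import dis
import importlib.util
import io
import marshal
import struct

# Constructed module source; the assert is what -O strips.
SAMPLE_SOURCE = """
def check(x):
    assert x > 0, "x must be positive"
    return x * 2
"""


def compile_to_pyc_bytes(source: str, optimize: int) -> bytes:
    """Build a .pyc image: 4-byte magic, flags word, mtime word, source size,
    then the marshalled code object. optimize=1 corresponds to -O."""
    code = compile(source, "<constructed>", "exec", optimize=optimize)
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


def header_info(pyc: bytes) -> dict:
    """Parse the header; magic_ok is False when the file was produced by a
    different interpreter version, which also breaks marshal.loads."""
    magic = pyc[:4]
    flags, mtime, source_size = struct.unpack("<III", pyc[4:16])
    return {
        "magic_ok": magic == importlib.util.MAGIC_NUMBER,
        "flags": flags,
        "mtime": mtime,
        "source_size": source_size,
    }


def load_code_object(pyc: bytes):
    """Return the module code object, refusing a foreign-version file."""
    if not header_info(pyc)["magic_ok"]:
        raise ValueError("magic number does not match this interpreter")
    return marshal.loads(pyc[16:])


def disassembly_text(code) -> str:
    """Human-readable bytecode listing, including nested function bodies."""
    out = io.StringIO()
    dis.dis(code, file=out)
    return out.getvalue()


def uses_assert(code) -> bool:
    """True if any function body still raises; the constructed module has no
    raise other than its assert, so this tells whether the assert survived."""
    for const in code.co_consts:
        if hasattr(const, "co_code"):
            if any(ins.opname == "RAISE_VARARGS"
                   for ins in dis.get_instructions(const)):
                return True
    return False


if __name__ == "__main__":
    for level in (0, 1):
        code = load_code_object(compile_to_pyc_bytes(SAMPLE_SOURCE, level))
        print(f"optimize={level}: assert present = {uses_assert(code)}")
        print(disassembly_text(code))
```

The disassembly at optimize level 0 shows the assert compiled to a conditional jump and a raise; at level 1 those instructions are simply absent, which is why a .pyo recovered from a Py2Exe bundle will never give back the author's assert statements, whatever decompiler you use.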
In order to use pyREtic on Nueva_Carpetaa.exe, we will need to install Python 2.5 on our malware lab system, since the tool needs the same libraries that the malware author used to code the malware. Additionally, the PyWin32 module is required in order to successfully run pyREtic against this malware. After installing Python and the required module, navigate to the pyREtic directory and run REpdb.py.
Immediately you will be dropped into the program’s shell interface. Next, create a new project by issuing the set_project command followed by the name of the project. For this project, I called it
In my case I chose version 2.5.4, since that is the Python version I installed on my malware lab system. REpdb will then attempt to connect to the Internet and download the chosen runtime version, decompress it and save it to the pyREtic Downloaded_Runtimes folder. The new project will then be created in the pyREtic Project folder, and all source code output will now be saved in the new project’s sourcecode folder.
To decompile the test.pyo file, use the first available command, fs_um_decompile, from the pyREtic HOWTO.txt, followed by the name of the file you want to decompile.
Upon hitting enter, you will notice that pyREtic appears to have decompiled most of the test.pyo file except for 13 code blocks; it gave me an “INCOMPLETE DISASSEMBLY” error message. However, most of the source code was saved in my new project folder. Remember that pyREtic is in its infancy and there will most likely be bugs, but for the most part it works.
Navigating to where the source code was written, you will see that a test.py file was created. The .py file extension indicates that this is Python source code, which is readable and ready for examination.
After analyzing the full source code for this particular malware, I concluded that Nueva_Carpetaa.exe is more of a nuisance than a threat. The simplicity of the code and the lack of real malicious intent may suggest that this malware is a prototype for testing a new malware coded in Python. The following is a brief assessment of the malware, if you are interested:
Nueva_Carpetaa.exe is more of a nuisance than a threat. Its propagation method is to infect a computer with a copy of itself in the root of the c:\ drive and in any other volumes it finds available on the host. autorun.inf files are created and copied to all available drives except the c:\ and d:\ drives; this will execute the malware automatically if autorun is enabled on the computer. In addition, the malware installs itself in the Windows System32 folder under a newly generated program name, chosen at random from a list of predefined prefixes to which it appends a random character from b to y. After installing itself, the malware hides by setting the appropriate file attributes. To remain persistent, it adds itself to the Windows Registry so that the malware is executed automatically every time the computer is rebooted. Furthermore, to make removal difficult, the malware modifies a couple of Registry values to disable Task Manager (Taskmgr.exe) and the Windows registry editors (Regedt32.exe and Regedit.exe). And finally, the Internet Explorer home page is set to hxxp://www.wrops.com/?, which redirects the user to hxxp://www.bubusca.com. At the time of the investigation, this website did not contain any suspicious or malicious code. However, it has a history of hosting malware and containing illegal content.
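For anyone cleaning up after this sample, the assessment above translates directly into host checks. The script below is an added example of mine, not part of the post: it parses an autorun.inf for keys that launch an executable, and inspects a snapshot of HKCU values for the Task Manager and registry-editor policy values, Run-key persistence entries, and a redirected Internet Explorer start page. The post does not spell out the value names, so these are the standard Windows ones (DisableTaskMgr and DisableRegistryTools under Policies\System, the CurrentVersion\Run key, and Start Page under Internet Explorer\Main). The autorun.inf text and the registry snapshot are constructed, and the snapshot is an in-memory dict standing in for values you would read with winreg or a reg export.

```python
"""Host checks for the behaviours described in the assessment: autorun.inf
launch targets, disabled Task Manager / registry editors, Run-key
persistence, and a redirected IE start page.
Added example, not from the original post. The autorun.inf and registry
snapshot are constructed; on a real host the dict would be filled from
winreg or a reg export of HKCU."""
import configparser

# Constructed autorun.inf of the kind dropped on removable drives.
SAMPLE_AUTORUN = r"""[autorun]
open=Nueva_Carpetaa.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Standard HKCU locations (not named in the post; these are the usual ones).
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"
# Domains named in the assessment above (defanged there as hxxp://).
SUSPECT_HOMEPAGE_DOMAINS = ("wrops.com", "bubusca.com")

# Constructed snapshot of HKCU values; the Run entry name is invented, not
# the malware's real generated name.
SAMPLE_REGISTRY = {
    POLICY_KEY: {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    RUN_KEY: {"svcprefixk": r"C:\Windows\System32\svcprefixk.exe"},
    IE_MAIN_KEY: {"Start Page": "hxxp://www.wrops.com/?"},
}


def autorun_launch_targets(text: str):
    """Return the commands an autorun.inf would run via open / shellexecute /
    shell\\open\\command; an icon-only file yields an empty list."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute", r"shell\open\command"):
            if cp.has_option(section, key):
                targets.append(cp.get(section, key).strip())
    return targets


def registry_findings(reg: dict):
    """Flag the registry changes the assessment describes. Run-key entries are
    returned for review rather than judged, since legitimate software uses
    the same key."""
    findings = []
    policy = reg.get(POLICY_KEY, {})
    for value, tool in (("DisableTaskMgr", "Task Manager"),
                        ("DisableRegistryTools", "Registry editors")):
        if policy.get(value) == 1:
            findings.append(f"{tool} disabled via {POLICY_KEY}\\{value}")
    for name, cmd in reg.get(RUN_KEY, {}).items():
        findings.append(f"Run-key persistence entry '{name}' -> {cmd} (review)")
    start = reg.get(IE_MAIN_KEY, {}).get("Start Page", "")
    if any(d in start.lower() for d in SUSPECT_HOMEPAGE_DOMAINS):
        findings.append(f"IE start page set to {start}")
    return findings


if __name__ == "__main__":
    for t in autorun_launch_targets(SAMPLE_AUTORUN):
        print("autorun.inf launches:", t)
    for f in registry_findings(SAMPLE_REGISTRY):
        print("registry:", f)
```

Remediation follows the same list in reverse: remove the Run entry and the dropped executable, set the two policy values back to 0 (or delete them), reset the start page, and delete the autorun.inf files from every volume, then re-run the checks to confirm nothing re-created them.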
As far as the origin of this malware is concerned, Spanish content was found in the source code and the domain owner of bubusca.com is based in Peru, so there is a possibility that the author of the malware is from that country.
Well, that’s it. If you have any questions or comments, please post them below. I hope you enjoyed this article and find it helpful in reversing malware packed with Py2Exe.