DECOMPILING MALWARE WITHOUT PREVIOUS EXPERIENCE [1 OF 2]
Disassembling (looking at code in machine language, usually "assembly") and decompiling (converting machine code into human-readable code such as C) malware is an art form that for many is a huge technical undertaking.
Like looking at a prized canvas from several hundred years ago, watching a true malware reverse engineer at work and looking at their final product is nothing short of amazing. Some of my favorites are:
However, we're not all van Gogh. Heck, some of us aren't much better than stick figure artists, but thanks to the wonderful folks at Avast Threat Labs, we might be able to get some help adding color to our canvas.
While the experts I noted above use products like IDA Pro, OllyDbg and Radare2 for disassembling, and Hex-Rays and Snowman for decompiling, the barrier to entry is high from both a financial and a technical skillset perspective.
I should mention that the folks behind IDA Pro recently released an all-new FREE version of their tool that will disassemble both 32- and 64-bit binaries.
Avast has helped lower that bar somewhat. In fact, if you can read and write Python or C, you can likely analyze many 32-bit binaries using a tool they recently open sourced: https://github.com/avast-tl/retdec.
While the project only supports 32-bit binaries (for now), it gives everyone an opportunity to draw their own conclusions when working with malware that may affect family, friends or work organizations.
Take, for example, this code from the "Wanna Crypt" ransomware that made global headlines in 2017:
We can clearly see the "kill switch" domain that was sinkholed to stop the ransomware from executing.
This is mostly because the author did not take any steps to obfuscate it; even a simple strings search will reveal the domain (without any context). Even the ransom wallet IDs are visible:
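To show what "a simple strings search" actually buys a defender, here is an added example (not code from the original post or from the RetDec project) that reimplements the core of the classic `strings` utility in Python and then runs two indicator filters over the result, one for domain names and one for Base58 strings shaped like Bitcoin addresses. The byte blob is constructed for the example, and the URL and wallet address in it are placeholders, not the real indicators from the sample discussed above.

```python
import re
from typing import Dict, List

MIN_LEN = 4  # same default minimum run length the `strings` tool uses

# Constructed sample bytes standing in for an unobfuscated malware binary:
# a fake header, a few opcode-looking bytes, and NUL-terminated cleartext.
# The URL and wallet address below are placeholders, not real indicators.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x8b\xec\x83\xec\x10\x56\x57\x00"
    b"http://killswitch-example.invalid/\x00"
    b"\x6a\x00\x68\x00\x01\x00\x00"
    b"Wana Decrypt0r\x00"
    b"1CnstructdWaetAddr4Demo9XXXXXXXXXX\x00"
    b"\xc3\xcc\xcc\xcc"
)

# Hostname-ish token: dotted labels ending in an alphabetic TLD.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Legacy (P2PKH/P2SH) Bitcoin address shape: leading 1 or 3, then Base58.
WALLET_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of printable ASCII of at least min_len bytes.

    This is what `strings` does by default: no parsing of the binary
    format at all, just scanning for printable runs, which is exactly why
    an unobfuscated domain or wallet ID falls out of it.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Filter extracted strings down to the two indicator types the
    post points at: kill-switch style domains and ransom wallet IDs."""
    found: Dict[str, List[str]] = {"domains": [], "wallets": []}
    for s in strings:
        found["domains"].extend(DOMAIN_RE.findall(s))
        found["wallets"].extend(WALLET_RE.findall(s))
    return found


def triage(data: bytes) -> Dict[str, List[str]]:
    """Convenience wrapper: strings pass followed by indicator filtering."""
    return find_indicators(extract_strings(data))


if __name__ == "__main__":
    # Usage: run the pass over the constructed sample and print what a
    # first look at the binary would surface before any decompilation.
    for s in extract_strings(SAMPLE_BINARY):
        print("string:", s)
    for kind, values in triage(SAMPLE_BINARY).items():
        print(f"{kind}: {values}")
```

The point of the filters is triage, not proof: a matching string is a lead to verify in the disassembly (is it actually passed to a network call, or is it a decoy?), which is where a decompiler like RetDec takes over from `strings`.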