https://github.com/ffri/jsac2023-golangmalwareanalysis
Scripts introduced in JSAC2023 presentation on analysis of Go language malware
Repository
Basic Info
- Host: GitHub
- Owner: FFRI
- License: apache-2.0
- Language: Python
- Default Branch: master
- Size: 2.2 MB
Statistics
- Stars: 5
- Watchers: 1
- Forks: 1
- Open Issues: 0
- Releases: 0
Metadata Files
README.md
How Do We Fight Against Evolving Go Language Malware? : Practical Techniques to Improve Analytical Skills (進化するGo言語製マルウェアとどう戦うか?: 解析能力向上に向けての実践的テクニック)
I gave a presentation at JSAC on the analysis of Go malware. Here are the scripts we presented at that time.
Content
Ghidra script to deobfuscate strings of Go malware with gobfuscate
This Ghidra script deobfuscates strings in Go malware that was obfuscated with gobfuscate, such as ChaChi and Blackrota. The script is provided as part of the GolangAnalyzerExtension plugin, so it can be run from Ghidra's Script Manager once that plugin is installed. Please note that it will not work without this plugin.
Below is the result of deobfuscating the ChaChi malware sample with degobfuscate.py.
SHA256: 8a9205709c6a1e5923c66b63addc1f833461df2c7e26d9176993f14de2a39d5b

Radare2 script to resolve function names in Go binary supporting Go 1.18
gohelper_go118.py is a script that makes gohelper.py, which does not support Go 1.16 or later, compatible with Go 1.18. However, this script does not support versions prior to Go 1.18. The commit is here.
Below are the results of resolving the function names of the Chaos malware sample with gohelper_go118.py, using the afl and pdf commands.
SHA256: ebe0f9855eb8f6bd980ed60c26e3a877dc1ace5d664e248bb0558996fe0bd06f

Owner
- Name: FFRI Security, Inc.
- Login: FFRI
- Kind: organization
- Location: Tokyo, Japan
- Website: https://www.ffri.jp/
- Repositories: 12
- Profile: https://github.com/FFRI
Next Generation Security
Issues and Pull Requests
All Time
- Total issues: 0
- Total pull requests: 0
- Average time to close issues: N/A
- Average time to close pull requests: N/A
- Total issue authors: 0
- Total pull request authors: 0
- Average comments per issue: 0
- Average comments per pull request: 0
- Merged pull requests: 0
- Bot issues: 0
- Bot pull requests: 0
Past Year
- Issues: 0
- Pull requests: 0
- Average time to close issues: N/A
- Average time to close pull requests: N/A
- Issue authors: 0
- Pull request authors: 0
- Average comments per issue: 0
- Average comments per pull request: 0
- Merged pull requests: 0
- Bot issues: 0
- Bot pull requests: 0