https://github.com/ffri/jsac2023-golangmalwareanalysis

Scripts introduced in JSAC2023 presentation on analysis of Go language malware

Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (6.0%) to scientific vocabulary
Last synced: 9 months ago · JSON representation

Repository

Basic Info
  • Host: GitHub
  • Owner: FFRI
  • License: apache-2.0
  • Language: Python
  • Default Branch: master
  • Size: 2.2 MB
Statistics
  • Stars: 5
  • Watchers: 1
  • Forks: 1
  • Open Issues: 0
  • Releases: 0
Created over 3 years ago · Last pushed over 3 years ago
Metadata Files
Readme License

README.md

How Do We Fight Against Evolving Go Language Malware? : Practical Techniques to Improve Analytical Skills (進化するGo言語製マルウェアとどう戦うか?: 解析能力向上に向けての実践的テクニック)

I gave a presentation at JSAC on the analysis of Go malware. Here are the scripts we presented there.

Content

Ghidra script to deobfuscate strings of Go malware with gobfuscate

degobfuscate.py

This Ghidra script deobfuscates strings in Go malware obfuscated with gobfuscate, such as ChaChi and Blackrota. The script is provided as part of the GolangAnalyzerExtension plugin, so it can be run from Ghidra's Script Manager once that plugin is installed. Please note that it will not work without this plugin.

Below is the result of deobfuscating the ChaChi malware with degobfuscate.py.
SHA256: 8a9205709c6a1e5923c66b63addc1f833461df2c7e26d9176993f14de2a39d5b

[Screenshot] main.init function after deobfuscation

Radare2 script to resolve function names in Go binary supporting Go 1.18

gohelper_go118.py

gohelper_go118.py is a script that makes gohelper.py, which does not support Go 1.16 or later, compatible with Go 1.18. Note that gohelper_go118.py does not support versions prior to Go 1.18. The commit is here.

Below are the results of resolving function names of the Chaos malware with gohelper_go118.py, shown using the radare2 afl and pdf commands.
SHA256: ebe0f9855eb8f6bd980ed60c26e3a877dc1ace5d664e248bb0558996fe0bd06f

[Screenshot] afl command output
[Screenshot] pdf command output

Owner

  • Name: FFRI Security, Inc.
  • Login: FFRI
  • Kind: organization
  • Location: Tokyo, Japan

Next Generation Security

Issues and Pull Requests

Last synced: about 1 year ago

All Time
  • Total issues: 0
  • Total pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Total issue authors: 0
  • Total pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0