Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2

Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2

Prologue

Previously, in the first part of this article, we used Cutter, a GUI for radare2, to statically analyze APT33’s Dropshot malware. We also used radare2’s Python scripting capabilities in order to decrypt encrypted strings in Dropshot. If you didn’t read the first part yet, I suggest you do it now.

Today’s article will be shorter, now that we are familiar with cutter and r2pipe, we can quickly analyze another interesting component of Dropshot — an encrypted resource that includes Dropshot’s actual payload. So without further ado, let’s start.

Read on megabeets.net

Tags:
Itay Cohen
Itay Cohen

Itay Cohen (aka Megabeets) is a security researcher and a reverse engineer. He is a maintainer of Cutter and a core member of Rizin.

Cutter 2.0 Release
Cutter 2.0 Release
Read More
Improving Decompiler Widget - GSoC Project
Improving Decompiler Widget - GSoC Project
Read More
Cutter Community Survey 2020
Cutter Community Survey 2020
Read More
5 Ways to patch binaries with Cutter
5 Ways to patch binaries with Cutter
Read More
Defeating a Ransomware using Cutter's Emulation
Defeating a Ransomware using Cutter's Emulation
Read More
Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2
Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2
Read More
Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1
Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1
Read More