Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2

Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2

Prologue

Previously, in the first part of this article, we used Cutter, a GUI for radare2, to statically analyze APT33’s Dropshot malware. We also used radare2’s Python scripting capabilities in order to decrypt encrypted strings in Dropshot. If you didn’t read the first part yet, I suggest you do it now.

Today’s article will be shorter, now that we are familiar with cutter and r2pipe, we can quickly analyze another interesting component of Dropshot — an encrypted resource that includes Dropshot’s actual payload. So without further ado, let’s start.

Read on megabeets.net

Tags:
Itay Cohen
Itay Cohen

Itay Cohen (aka Megabeets) is a security researcher and a reverse engineer. He is a maintainer of Cutter and a core member of Rizin.