Live Stream VOD: Reverse Engineering Polyglot Dropper Malware STL C++ Stage 3 (Patreon)
In this Twitch stream we reverse engineer the third stage of a polyglot JPG dropper that was distributed via WeChat.
Sample: 7d47e5871efc4c079531513f29926d394922d7954701f34dc6244ea311d20969
The malware is possibly related to Ghost RAT, based on the use of the export PluginMe.
Full notes can be found in our Lab-Notes.
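A triage check that a defender would want for a polyglot JPG dropper of this kind is to confirm whether an image file carries extra bytes after the JPEG end-of-image marker. The following is an added example, not code from the stream, the Lab-Notes or Rolf's IDB; it walks the JPEG segment structure, locates EOI, and reports any trailing payload. The assumption that the dropper's payload is simply appended after EOI (and, in the constructed sample, that it starts with an MZ header) is mine; the page does not describe how the real sample embeds its stages.

```python
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
# Markers that carry no length field: SOI, EOI, TEM and the restart markers RST0..RST7.
STANDALONE = {0xFFD8, 0xFFD9, 0xFF01} | {0xFFD0 + i for i in range(8)}


def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking the JPEG segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if (marker >> 8) != 0xFF:
            raise ValueError(f"expected marker at offset {pos}, got {marker:#06x}")
        if marker == 0xFFFF:            # fill byte, skip one 0xFF
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows SOS; skip until a marker that is neither
            # a stuffed 0xFF00 nor a restart marker RSTn.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes):
    """Return (offset_of_trailing_data, trailing_bytes) for a JPEG blob."""
    end = find_jpeg_end(data)
    return end, data[end:]


def classify_tail(tail: bytes) -> str:
    """Rough label for whatever follows EOI (assumed layouts, not from the page)."""
    if not tail:
        return "clean"
    if tail[:2] == b"MZ":
        return "pe-appended"
    return "unknown-appended"


def build_sample():
    """Constructed minimal JPEG and a polyglot variant with a fake MZ stub appended."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"          # 14-byte APP0 body
    jpeg = b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0
    sos_body = b"\x01\x01\x00\x00\x3f\x00"                           # 6-byte SOS body
    jpeg += b"\xff\xda" + struct.pack(">H", 2 + len(sos_body)) + sos_body
    jpeg += b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # entropy data with FF00 stuffing and RST0
    jpeg += b"\xff\xd9"                            # EOI
    fake_pe = b"MZ\x90\x00" + b"\x00" * 12         # constructed stand-in for an appended PE
    return jpeg, jpeg + fake_pe


if __name__ == "__main__":
    clean, polyglot = build_sample()
    for name, blob in (("clean", clean), ("polyglot", polyglot)):
        end, tail = trailing_payload(blob)
        print(f"{name}: image ends at {end}, {len(tail)} trailing bytes -> {classify_tail(tail)}")
```

A real image viewer stops at EOI, so the appended bytes never affect rendering; that is exactly why a size-versus-EOI check is a cheap first filter before handing a suspicious image to a full unpacker.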
MÖBIUS STRIP REVERSE ENGINEERING
During the stream we received a lot of help from Rolf of Möbius Strip Reverse Engineering. He helped us understand some of the STL type information and after the stream he created a marked-up IDB that can be used as a reference for this binary.
We are very grateful to Rolf, and would encourage anyone who is interested in advanced reverse engineering courses to check out his courses!
Rolf IDB: polyglot.idb
Rolf STL Types script: STL_Types.py
For those who have older versions of IDA, I have attached an IDC script that can be used to create most of the mark-up from Rolf's IDB.