
Content

This is our first look at SmokeLoader. We begin with analysis of Stage 2 (unpacked automatically). The binary is obfuscated using a mixture of simple opaque predicates and encrypted functions that are decrypted on the fly.


Honestly, this is a very slow-paced stream. We do make progress and end up with a binary that is fully deobfuscated, but there are many tricks still before we can extract Stage 3! You can skip ahead about 2h to get to the real deobfuscation work.

Samples

Notes

SmokeLoader Triage 

Files

Live Stream VOD: SmokeLoader Analysis Part 1 - Deobfuscation

This is "Live Stream VOD: SmokeLoader Analysis Part 1 - Deobfuscation" by OALABS on Vimeo.
