Gauss Malware - Deobfuscation of dumped source code 4FB4D2EB303160C5F419CEC2E9F57850

1. Original Bytearray in the dumped C Source Code.c

_BYTE byte_10048400[96] =
{
  0,
  0,
  22,
  -80,
  21,
  -93,
  -125,
  -104,
  -122,
  -28,
  78,
  10,
  -106,
  -88,
  -101,
  72,
  96,
  31,
  70,
  -43,
  124,
  71,
  124,
  91,
  28,
  -75,
  56,
  28,
  7,
  115,
  6,
  -27,
  107,
  25,
  -107,
  119,
  63,
  -86,
  124,
  124,
  32,
  32,
  102,
  102,
  15,
  15,
  99,
  99,
  6,
  6,
  40,
  40,
  75,
  75,
  59,
  59,
  75,
  75,
  75,
  75,
  -76,
  91,
  92,
  -71,
  -7,
  -58,
  -55,
  69,
  87,
  8,
  -28,
  -116,
  82,
  -92,
  19,
  104,
  62,
  40,
  -15,
  -12,
  -100,
  -111,
  72,
  -103,
  13,
  -92,
  123,
  25,
  -24,
  67,
  -14,
  117,
  33,
  122,
  0,
  0
};

2. References to this bytearray in the dumped C Source.c

v9 = sub_10013E60(byte_10048400)

3. Subroutine Source referencing to the Bytearray in dumped C Source.c

_BYTE *__usercall sub_10013E60@<eax>(_BYTE *a1@<esi>)
{
  int v1; // eax
  int v2; // edi
  bool v3; // zf
  unsigned int v4; // edi
  char v5; // dl
  unsigned int v6; // eax
  char v7; // cl

  if ( *a1 )
    return a1 + 38;
  v1 = (unsigned __int8)a1[2];
  v2 = (char)a1[1] << 8;
  v3 = v1 + v2 == 0;
  v4 = v1 + v2;
  *a1 = 1;
  v5 = 82;
  v6 = 0;
  if ( v3 )
    return a1 + 38;
  do
  {
    v7 = a1[v6 + 38];
    a1[v6 + 38] = v5 ^ v7;
    ++v6;
    v5 = v7;
  }
  while ( v6 < v4 );
  return a1 + 38;
}

4. Decryption of the XOR'ed Bytearray using previous encryption algorithm.py

def decrypt_byte_array(byte_array):
    if byte_array[0] != 0:
        return byte_array[38:]

    v1 = byte_array[2]
    v2 = byte_array[1] << 8
    v4 = v1 + v2
    
    byte_array[0] = 1
    v5 = 82
    v6 = 0

    if v4 == 0:
        return byte_array[38:]

    while v6 < v4:
        v7 = byte_array[v6 + 38]
        byte_array[v6 + 38] = v5 ^ v7
        v5 = v7
        v6 += 1

    return byte_array[38:]
#################################################################################
# Original byte array found from the dumped C Source code
byte_10048400 = [
    0, 0, 22, -80, 21, -93, -125, -104, -122, -28, 78, 10, -106, -88, -101, 72,
    96, 31, 70, -43, 124, 71, 124, 91, 28, -75, 56, 28, 7, 115, 6, -27, 107, 25,
    -107, 119, 63, -86, 124, 124, 32, 32, 102, 102, 15, 15, 99, 99, 6, 6, 40, 40,
    75, 75, 59, 59, 75, 75, 75, 75, -76, 91, 92, -71, -7, -58, -55, 69, 87, 8,
    -28, -116, 82, -92, 19, 104, 62, 40, -15, -12, -100, -111, 72, -103, 13, -92,
    123, 25, -24, 67, -14, 117, 33, 122, 0, 0
]
#############################################################################
# Convert signed bytes to unsigned
byte_10048400 = [b & 0xFF for b in byte_10048400]

# Decrypt the byte array
decrypted_array = decrypt_byte_array(byte_10048400)

# Print the decrypted byte array
print(decrypted_array)

5. Output of decrypted bytearray

[46, 0, 92, 0, 70, 0, 105, 0, 108, 0, 101, 0, 46, 0, 99, 0, 112, 0, 112, 0, 0, 0, 180, 91, 92, 185, 249, 198, 201, 69, 87, 8, 228, 140, 82, 164, 19, 104, 62, 40, 241, 244, 156, 145, 72, 153, 13, 164, 123, 25, 232, 67, 242, 117, 33, 122, 0, 0]

6. translating decrypted bytearray into UTF16 strings.py

import struct

def decode_byte_array(byte_array):
    # Convert bytes to list of integers
    byte_list = list(byte_array)
    
    # Decode UTF-16 string from the first part of the byte array
    utf16_chars = []
    for i in range(0, len(byte_list), 2):
        if byte_list[i] == 0 and byte_list[i + 1] == 0:
            break
        utf16_chars.append(chr(byte_list[i] + (byte_list[i + 1] << 8)))
    utf16_string = ''.join(utf16_chars)
    
    # Decode remaining bytes as structured data (assuming integers)
    remaining_bytes = byte_list[len(utf16_chars) * 2:]
    
    # Ensure remaining_bytes has an even length
    if len(remaining_bytes) % 2 != 0:
        remaining_bytes = remaining_bytes[:-1]  # Remove the last byte if odd length
    
    struct_format = '<' + 'B' * (len(remaining_bytes))
    
    try:
        structured_data = struct.unpack(struct_format, bytes(remaining_bytes))
        return utf16_string, structured_data
    except struct.error as e:
        print(f"Error decoding structured data: {e}")
        return utf16_string, None

####################################################################################
# Output from XOR decrypted bytearray from previous step, copy paste
byte_array = [
    46, 0, 92, 0, 70, 0, 105, 0, 108, 0, 101, 0, 46, 0, 99, 0, 112, 0, 112, 0,
    0, 0, 180, 91, 92, 185, 249, 198, 201, 69, 87, 8, 228, 140, 82, 164, 19,
    104, 62, 40, 241, 244, 156, 145, 72, 153, 13, 164, 123, 25, 232, 67, 242,
    117, 33, 122, 0, 0
]
####################################################################################

# Decode the byte array
utf16_string, structured_data = decode_byte_array(byte_array)

# Print the decoded results
print("Decoded UTF-16 String:", utf16_string)
print("Structured Data:", structured_data)

7. Output from UTF16 translated bytearraay

Decoded UTF-16 String: .\File.cpp
Structured Data: (0, 0, 180, 91, 92, 185, 249, 198, 201, 69, 87, 8, 228, 140, 82, 164, 19, 104, 62, 40, 241, 244, 156, 145, 72, 153, 13, 164, 123, 25, 232, 67, 242, 117, 33, 122, 0, 0)

filehashes.txt

Cracking the XOR encryption scheme of winshell.ocx of Gauss: 4FB4D2EB303160C5F419CEC2E9F57850.7z
Samples: https://vx-underground.org/Samples/Families/Gauss