This post will explain how to identify the function responsible for string deobfuscation in a native PE malware sample. We will use a KpotStealer sample as a concrete example. KpotStealer (aka Khalesi or just Kpot) is a commodity malware family that has probably been circulating in the shadowy parts of the internet since 2018. It got its name from a string publicly visible on its admin panel.
Once we have found the function, we will work out the data structure it uses and replicate the decryption of a string with CyberChef and Binary Refinery. An interesting detail here is that Ghidra currently does not infer the function signature correctly.
Finally, we will develop a Java script (hehe) for Ghidra that automatically deobfuscates all strings once the corresponding obfuscation function is known.
Show me what you got!