MyNaim, an anagram of the malware family name 'Nymaim', is a collection of IDAPython deobfuscation scripts useful for anyone doing analysis of a Nymaim sample. This is especially so since their obfuscation techniques have more or less been the same throughout the years, so sharing my scripts might save the time of other analysts :)
- Deobfuscates functions used to do a simple register push
to
2. Deobfuscates proxy function calls
to
3. Provides a function to emulate the hashing and xor-ing of strings in Nymaim
4. Provides a function to turn obfuscated offsets to their respective API addresses/namees
- Configure the path to PyEmu in
config.py - Position the cursor anywhere within the text segment of the sample
- Load
main.pyin IDAPro - In the IDAPython interpreter, execute
init(), thendeobfuscate()for as many times as you like :)
Pro tip: You can actually re-run deobfuscate() after renaming your functions in order to update their names in the comments
- Deobfuscate library calls