# [QuickNote] Techniques for decrypting BazarLoader strings **[kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/](https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/)** **1. Overview** February 24, 2022 Usually, to make it more difficult for analysts, malware authors will hide important strings and [only decrypt these strings during runtime. The famous malwares like Emotet,](https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html) [QakBot or](https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html) [TrickBot often use the one or some functions to perform decrypting strings when needed.](https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html) However, on researching and analyzing some other malwares such as Conti, BlackMatter and BazarLoader, instead of using a separate function to decrypt strings, these malwares make it more difficult by saving the encrypted strings on the stack as stack strings. Then, strings are decrypted by XOR-ing with a key value (this value may not be fixed) or through quite complex computation. This technique consumes time of the analyst. The images below are the pseudocode of the Conti and BlackMatter malware. This article uses the BazarLoader samples as an example to demonstrate how to decrypt strings with: Automate resolving with IDAPython script. Emulate code with IDA uEmu plugin. Debugging with IDA Bochs plugin. ----- **2. BazarLoader samples** BazarLoader was first discovered in April 2020. The malware loader has been continuously evolving, allowing attackers to install additional malware, often used for ransomware attacks, dropping Cobalt Strike, and stealing sensitive data. The common assumption is that the distribution and post-exploitation activities of the loader are akin to the Trickbot malware. These samples are all 64-bit Windows executable. [Unpacked sample 1: cc522400b3fed1d2c4dcca16666ddcff](https://www.virustotal.com/gui/file/74f19779e5a8ef2e459a9bf178cf35dc334a8ab97116d22c9e06d88ab3c5ef32/details) [Unpacked sample 2: 63c4bb3f1044f36632ce1759b62296dc](https://www.virustotal.com/gui/file/2465edb954ed8d6760c38481c0a9c1b34989dc9f009db059ddea9a0705f21492/details) **3. Decrypt strings** **3.1. Using IDApython script** Analyzing the first sample of BazarLoader, we will see that it uses the same stack strings decryption technique as in BlackMatter ransomware: [To decrypt these strings, you can use x64dbg to debug or extract the above values and use](https://x64dbg.com/) **[CyberChef to perform the following:](https://gchq.github.io/CyberChef/)** ----- However, debugging with x64dbg or using CyberChef as above will take more time, to make static analysis easier, I will use IDAPython script to decrypt the strings. The code I use is as follows: Load this script into IDA, providing the relevant addresses to perform the decryption: Finally, by using the above script, the analysis process will be much more convenient: ----- 3.2. Using uEmu plugin In the second sample of BazarLoader, the code that decrypt the stack strings is similar to the Conti ransomware and quite complicated: With the code as shown in the figure, the implementation of using IDApython script will be difficult and not feasible. The most suitable solution for this case is to use an emulator to [emulate the code. Here, I will use uEmu, a tiny cute emulator plugin for IDA based on](https://github.com/alexhude/uEmu) unicorn engine. Very easy to emulate the decoding code with uEmu: ----- First, set a breakpoint at the address after the string has been decrypted. Go to the beginning of the function and select the starting address of the function, then start uEmu. The CPU Context Edit window will appear, click OK to continue. uEmu will now initialize the emulator. Check the CPU context to see if the address of the ``` EIP/RIP register is pointed at the beginning of the function: ``` ----- Then, through uEmu Control, you can trace the code by Step or Run to emulates instructions until breakpoint is reached. During execution, uEmu will ask about unmapped memory, select No to continue. ----- Press Step, to trace over the `lea` command. Then using uEmu’s Show Memory **Range feature, enter the address of the** `rdx` register and select Add. The result will be similar to the following: 3.3. Debugging with IDA Bochs Plugin **IDA Bochs debugger plugin allows malware researchers to debug malicious code in a** [safe/emulated environment. For more information please visit [1], [2].](https://hex-rays.com/products/ida/support/idadoc/1329.shtml) In order to debug the code that decrypt the string, we configure the Bochs plugin to work in **IDB mode. This mode is used to debug code snippets by simply selecting the code from the** database. ----- Next, select the position or code snippets to debug, then press F9 to start debugging: From here you can trace the code as usual or simply set a breakpoint at the address after finished decryting the string and press F9. The resulting at `rdx` register will point to the decrypted string as follows: ----- 4. References End. **m4n0w4r** -----