{
	"id": "5e28034c-9260-4e52-a707-bc87c590dde4",
	"created_at": "2026-05-05T02:45:18.427307Z",
	"updated_at": "2026-05-05T02:46:36.971085Z",
	"deleted_at": null,
	"sha1_hash": "54e937e419b63d59a83dacb415bcb32ca7ec4597",
	"title": "Automatic Gobfuscator Deobfuscation with EKANS Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1414617,
	"plain_text": "Automatic Gobfuscator Deobfuscation with EKANS Ransomware\r\nBy Jacob Pimental\r\nPublished: 2021-03-17 · Archived: 2026-05-05 02:04:34 UTC\r\nA few months ago I saw an article by Netlab 360 describing the malware BlackRota, specifically the obfuscation method used, known as gobfuscate. I noticed that a deobfuscator was made for this using Binary Ninja’s API, so I decided to take a crack at developing a plugin for Cutter. To demonstrate the tool I created, I will also give a brief analysis of another malware sample that uses gobfuscate, Ekans.\r\nHow Gobfuscate Works\r\nPackage Renaming\r\nOne of the things gobfuscate will do is rename package names to make it harder for analysts to identify them. It does this by taking the package name, hashing it using sha256, and replacing any numbers in the hash with letters using the algorithm:\r\n'g' + (x - '0')  # x is the current character\r\nhttps://www.goggleheadedhacker.com/blog/post/22\r\nPage 1 of 9\r\nThis means that the package name contains only the characters a-p and is irreversible. The example that the gobfuscate GitHub page gives is that the package github.com/unixpickle/deleteme becomes jiikegpkifenppiphdhi/igijfdokiaecdkihheha/jhiofoppieegdaif.\r\nString Encryption\r\nEach string in the binary is replaced by a function call. Each function contains two byte-arrays that are XOR’d together to return the original string. There are a few different ways that the byte-arrays are stored after the binary is compiled. The first way is through a hardcoded array.\r\n[Figure: Normal byte-array XOR loop]\r\nThe byte-arrays can also be stored in pointers, which are run through the function stringslicetobyte and XOR’d together.\r\n[Figure: Byte-arrays being stored in pointers]\r\nThese differences were noted when designing the deobfuscator, as not all functions will be the same. 
The names for the string decryption functions always contain funcN at the end, where N is an integer value. This makes them easy to spot and write a decryptor for.\r\nHow the Deobfuscator Works\r\nUsing Cutter’s API I was able to create a plugin that will either deobfuscate the string encryption function that the cursor is on or bulk deobfuscate all strings in the current method. To install the deobfuscator you will need to know the location in which Cutter stores plugins. You can find this by going to Edit -\u003e Preferences -\u003e Plugins in Cutter.\r\n[Figure: Plugin location for Cutter]\r\nThen download the Python script from the GitHub repository and move it into the Python folder under plugins. Cutter will need to be reloaded after this. To use the plugin, right-click on a gobfuscate function, then select either Plugins -\u003e DeGobfuscate or Plugins -\u003e Bulk DeGobfuscate. The decrypted string is added as a comment above the function. If the comment doesn’t appear right away, go to View -\u003e Refresh Contents to refresh the screen, which should show the comment.\r\n[Figure: Example of encrypted string function]\r\nThe deobfuscator utilizes Cutter’s API to loop through the assembly code in the function and grab the two byte-arrays that are present. It will then XOR these together and create a comment at the location. It also checks to see whether the arrays are stored in a pointer or are hardcoded into the function.\r\nEkans Analysis\r\nThe Ekans ransomware has been associated with attacks on Industrial Control Systems (ICS). Ekans does not rely on outside resources to perform its functions. Everything is stored within the binary itself, mostly using the gobfuscate string encryption functions. This makes it an ideal candidate for testing the degobfuscate plugin. You can find this specific sample on Hybrid Analysis. 
The first step in this analysis will be to use rizin-gohelper to recover the function names from the gopclntab.\r\nThe first thing the ransomware will do is attempt to create a Mutex Global\\EKANS. If that Mutex already exists then execution will end. It will then create the public key object that it will use to encrypt files using RSA. The public key is stored in a string in the main.main function, which was encrypted by gobfuscate. After running the deobfuscator over this, the public key is shown in a comment above the decryption function. It is best to view multi-line comments in the disassembly view in Cutter since the graph view only shows the first line. This string will then be passed to Golang’s pem.Decode function and later the ParsePKCS1PublicKey function.\r\n[Figure: Creation of Public Key]\r\nAfter this, the ransomware will create an array of objects to whitelist. This includes file extensions, file names, directories, and a regex statement. 
The lists are:\r\nFile extensions:\r\n.docx\r\n.dll\r\n.exe\r\n.sys\r\n.mui\r\n.tmp\r\n.lnk\r\n.config\r\n.manifest\r\n.tlb\r\n.olb\r\n.blf\r\n.ico\r\n.regtrans-ms\r\n.devicemetadata-ms\r\n.settingcontent-ms\r\n.bat\r\n.cmd\r\n.ps1\r\nFile names:\r\ndesktop.ini\r\niconcache.db\r\nntuser.dat\r\nntuser.ini\r\nntuser.dat.log1\r\nntuser.dat.log2\r\nusrclass.dat\r\nusrclass.dat.log1\r\nusrclass.dat.log2\r\nbootmgr\r\nbootnxt\r\nwindir\r\nSystemDrive\r\nntldr\r\nNTDETECT.COM\r\nboot.ini\r\nbootfont.bin\r\nbootsect.bak\r\ndesktop.ini\r\nctfmon.exe\r\niconcache.db\r\nntuser.dat\r\nDirectories:\r\n:\\\\$Recycle.Bin\r\n:\\\\ProgramData\r\n:\\\\Users\\\\All Users\r\n:\\\\Program Files\r\n:\\\\Local Settings\r\n:\\\\Boot\r\n:\\\\System Volume Information\r\n:\\\\Recovery\r\n\\\\AppData\\\\\r\nRegex:\r\n.+\\\\Microsoft\\\\(User Account Pictures|Windows\\\\(Explorer|Caches)|Device Stage\\\\Device|Windows)\\\\\r\nAll of these strings were encrypted via gobfuscate, which is why the “bulk” option exists. Ekans will then enumerate drives and grab a list of all files that do not match the whitelists. This new file list will later be passed to worker threads for encryption.\r\n[Figure: Whitelist creation function]\r\nThe ransomware will then kill a list of 288 hard-coded services. Instead of listing all of the services in this article, you can find them in the linked repository. The Ekans process will then kill a list of 1118 processes, which are also included in the linked repository. Ekans will then delete shadow copies using a WbemScripting.SWbemLocator object with the following WMI query:\r\nSELECT * FROM Win32_ShadowCopy\r\nAfter this, the ransomware will create several threads and pass in the filenames to these via Golang’s channel functions. 
The threads will take the filenames, encrypt the files, and write them back to disk.\r\n[Figure: Loop used to create encryption threads]\r\nFinally, the ransom note is dropped to the file Fix-Your-Files.txt. The note itself is hard-coded and uses the sprintf function with the ransomware author’s email to format the note, which in this case is bapcocrypt@ctemplar.com.\r\n[Figure: Unformatted Ransom Note]\r\nConclusion\r\nI did not want to delve too deep into the Ekans ransomware analysis as this was to demonstrate the usefulness of the degobfuscator plugin. This was my first attempt at making a plugin for Cutter and I enjoyed the challenge very much. I am excited to see what Cutter has in store for the future and will continue to make plugins for it to aid other analysts. As always, if you have any questions feel free to reach out to me on my Twitter or LinkedIn.\r\nThanks for reading and happy reversing!\r\nMalware Analysis, GoLang, Cutter, Ekans, Ransomware\r\nSource: https://www.goggleheadedhacker.com/blog/post/22",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.goggleheadedhacker.com/blog/post/22"
	],
	"report_names": [
		"22"
	],
	"threat_actors": [],
	"ts_created_at": 1777949118,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54e937e419b63d59a83dacb415bcb32ca7ec4597.pdf",
		"text": "https://archive.orkl.eu/54e937e419b63d59a83dacb415bcb32ca7ec4597.txt",
		"img": "https://archive.orkl.eu/54e937e419b63d59a83dacb415bcb32ca7ec4597.jpg"
	}
}