{
	"id": "77244410-f58a-4f4d-9005-9ae7c7a960ab",
	"created_at": "2026-04-06T01:30:57.935313Z",
	"updated_at": "2026-04-10T03:22:50.272769Z",
	"deleted_at": null,
	"sha1_hash": "78b326ff12f818d0a09073e0f151419c63aba72c",
	"title": "Advanced Cyberchef Techniques - Defeating Nanocore Obfuscation With Math and Flow Control",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2247579,
	"plain_text": "Advanced Cyberchef Techniques - Defeating Nanocore\r\nObfuscation With Math and Flow Control\r\nBy Matthew\r\nPublished: 2024-09-03 · Archived: 2026-04-06 01:06:28 UTC\r\nIntroduction\r\nCyberchef is an incredible tool with powerful features that are rarely documented and can significantly aid an\r\nanalyst in their efforts to deobfuscate malware.\r\nToday we will be investigating such features and how they apply to defeating the obfuscation of a recent .vbs\r\nloader for Nanocore malware.\r\nOur Analysis and Deobfuscation Will Cover...\r\nASCII Charcodes and Character Conversions\r\nAlternating Decimal and Hex Values\r\nAlternating Mathematical Operations (Addition/Division)\r\nFlow Control and Isolation of Values Using Subsections.\r\nLots of regex!\r\nSHA256: c6092b1788722f82280d3dca79784556df6b8203f4d8f271c327582dd9dcf6e1\r\nInitial Analysis and Overview of Obfuscation\r\nThe sample in its initial state contains ~160 lines of code. The majority of this consists of comments that don't\r\ncontribute to the functionality of the code.\r\nThe primary piece of code exists on line 2 and can be seen below. Our analysis will focus only on this line of\r\ncode.\r\nSince our focus is going to be on line 2, we can ignore the remainder of the initial script and remove it using a\r\nregular expression.\r\nThe goal of the regular expression is to identify lines that begin with REM or ' , and to capture everything on that\r\nline that follows with .*\r\nhttps://www.embeeresearch.io/advanced-cyberchef-techniques-defeating-nanocore-obfuscation-with-math-and-flow-control/\r\nPage 1 of 12\n\nExecuting the regular expression as a Find/Replace results in the following content. The comments are now\r\nremoved and we can focus only on line 2 and its obfuscation tactics.\r\nInitial Review of Obfuscation\r\nThe obfuscation consists of the same pattern repeated over and over again to produce single characters. These\r\ncharacters are concatenated together to form the deobfuscated code.\r\nThere are 3 primary pieces of the obfuscation.\r\n479808 - Large Decimal Value, this will be converted into a smaller number using math operations.\r\n(\u0026H1b90) - This is a vbs representation of the hex value 0x1B90 .\r\nCLng - This is the function \"Change Long\", which converts the hex representation into a numerical value.\r\n/ - This divides the numbers 479808 and 0x1b90, resulting in a value in the ASCII range.\r\nchr - The result of the division is converted into a character which will form part of the resulting script.\r\nThe logic is clearer when shown in Python. Here we can see that chr(479808/Clng(\u0026H1B90)) is equal to the\r\ncharacter D .\r\nWe've now identified the core concept of the obfuscation, so we can go ahead and recreate this in Cyberchef for\r\nthe entire obfuscated content.\r\nDeobfuscation With Cyberchef\r\nThe obfuscation has now been identified, so we can begin to recreate the logic in Cyberchef.\r\nWe can begin by isolating the encoded portions with a regular expression chr\\([^\\)]+ .\r\nFor the sake of prototyping, we have selected only a small portion of the obfuscated code. This will\r\nallow us to get the recipe working before adding the complete script at the end of our analysis.\r\nIsolating Values With Regular Expressions and Capture Groups\r\nOnce the regex is matching as intended using \"Highlight Matches\", we can change to \"List Capture Groups\".\r\nThis will list out the encoded portions on their own individual lines.\r\nNormalising Hexadecimal Content\r\nWe now want to clean up the second half of each line by removing the references to CLng(\u0026H .\r\nThe original code is in a format that Visual Basic understands. We want it to be in a format that can be understood\r\nby Cyberchef. Our primary goal is to make sure that Cyberchef knows the difference between the hex and decimal\r\nnumbers.\r\nWe can do this with a Find/Replace operation, which will replace the CLng(\u0026H with a 0x .\r\nHere is where things start getting more complicated...\r\nAs we saw before, the decimal and hex values are separated by mathematical operators. The operators are mostly\r\ndivision / but occasionally are addition + as well.\r\nIf we apply a division operator, it will break the lines that require addition, and vice versa. This means we need to\r\nseparate the lines of code that require different mathematical operators.\r\nWe can do this with Regular Expressions and a Subsection operation. A subsection will apply future operations\r\nonly to lines that match the provided regex.\r\nBelow we can see the regular expression \\w+\\/\\w+ , which will isolate the lines of code that contain a division\r\noperator.\r\nBefore applying a division operation, we need to add a delimiter to our divided values. Most math operations in\r\nCyberchef require a \"list\" of values rather than an equation.\r\nThe TLDR here is that we need to turn the / into spaces. Luckily we can do this with a simple Find/Replace .\r\nNow that we have applied spacing on the division lines, we can apply a Divide operation and specify a space\r\ndelimiter.\r\nWe can see that this converts the division lines into their respective ASCII charcodes.\r\nWith the Charcodes ready, we can apply a simple \"From Decimal\" to produce the relevant ASCII character.\r\nNow we can see the beginning of the decoded script.\r\nNow we need to deal with the lines of code containing addition + operators.\r\nSince we previously applied a subsection, we need to leave the subsection and change it to focus on the addition\r\nlines.\r\nTo leave a subsection, we can apply a Merge operation. We should also uncheck \"Merge All\" as there is only a\r\nsingle subsection that we want to leave.\r\nSubsections and Isolating Specific Lines of Content\r\nAfter leaving the Subsection for division, we can create a new Subsection specifically for Addition.\r\nWe can do this with another regular expression -?\\w+\\+\\w+ . This regular expression accounts for the negative\r\nvalues which may be present.\r\nSimilar to the division operation, we need to remove the + operators and turn the lines into a list separated by a\r\nspace.\r\nWe can do this again with a simple Find/Replace .\r\nNow that we have a clean list for our addition lines, we can apply a SUM operation.\r\nThis will add the values together and produce an ASCII charcode.\r\nWe can now apply a From Decimal operation to obtain the resulting character.\r\nThe obfuscated script now looks much better and no longer contains obfuscated content.\r\nOur deobfuscation prototype is complete, so we can go ahead and remove all subsections and the newlines that\r\nseparated them.\r\nWe can do this with a Merge -\u003e Merge All and Remove Whitespace -\u003e \\r + \\n\r\nThe code output now looks clean and easily readable, so we can go back and add the original obfuscated content.\r\nNote that we could repeat the previous process if there were other mathematical operations. This script\r\nonly contains Addition and Division.\r\nReviewing the Final Results\r\nPasting in the full obfuscated content, we can see the complete deobfuscated result.\r\nWe have now deobfuscated line 2 of the initial script. We won't focus on the remainder of the code, but it\r\neffectively executes a PowerShell command that runs a Nanocore payload.\r\nOf interest is that the Nanocore payload is contained in the comments of the initial script.\r\nSince we initially removed these comments, we would need to restore them to obtain the final payload.\r\nLink To The Sample\r\nThe sample can be found on Malware Bazaar with the following SHA256 and Link.\r\nSHA256: c6092b1788722f82280d3dca79784556df6b8203f4d8f271c327582dd9dcf6e1\r\nCyberChef Recipe\r\nThe complete Cyberchef recipe can be found below.\r\nRegular_expression('User defined','chr\\\\(([^\\\\)]+)',true,true,false,false,false,false,'List capture groups')\r\nFind_/_Replace({'option':'Regex','string':'CLng\\\\(\u0026H'},'0x',true,false,true,false)\r\nFork('\\\\n','\\\\n',false)\r\nSubsection('\\\\w+\\\\/\\\\w+',true,true,false)\r\nFind_/_Replace({'option':'Regex','string':'\\\\/'},' ',true,false,true,false)\r\nDivide('Space')\r\nFrom_Decimal('Space',false)\r\nMerge(false)\r\nSubsection('-?\\\\w+\\\\+\\\\w+',true,true,false)\r\nFind_/_Replace({'option':'Regex','string':'\\\\+'},' ',true,false,true,false)\r\nSum('Space')\r\nFrom_Decimal('Space',false)\r\nMerge(true)\r\nRemove_whitespace(false,true,true,false,false,false)\r\nSource: https://www.embeeresearch.io/advanced-cyberchef-techniques-defeating-nanocore-obfuscation-with-math-and-flow-control/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.embeeresearch.io/advanced-cyberchef-techniques-defeating-nanocore-obfuscation-with-math-and-flow-control/"
	],
	"report_names": [
		"advanced-cyberchef-techniques-defeating-nanocore-obfuscation-with-math-and-flow-control"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439057,
	"ts_updated_at": 1775791370,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78b326ff12f818d0a09073e0f151419c63aba72c.pdf",
		"text": "https://archive.orkl.eu/78b326ff12f818d0a09073e0f151419c63aba72c.txt",
		"img": "https://archive.orkl.eu/78b326ff12f818d0a09073e0f151419c63aba72c.jpg"
	}
}