{
	"id": "0493c5fb-80dc-4b8f-b2fa-6bce3a649c73",
	"created_at": "2026-04-06T00:18:30.519325Z",
	"updated_at": "2026-04-10T03:29:24.225204Z",
	"deleted_at": null,
	"sha1_hash": "80148f09cea2ee52e6a885c2de4f3ac817f2d3bb",
	"title": "idapatchwork — Bitbucket",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31805,
	"plain_text": "idapatchwork — Bitbucket\r\nPublished: 2014-11-04 · Archived: 2026-04-05 13:17:16 UTC\r\nPatchwork: Stitching against malware families with IDA Pro (tool for the talk at Spring9,\r\nhttps://spring2014.gdata.de/spring2014/programm.html)\r\nThis repository contains the (unfinished) code for a tool I called patchwork.\r\nIn essence, I use a somewhat fixed / refurbished version of PyEmu along IDA to demonstrate deobfuscation of the\r\ndifferent patterns found in the malware family Nymaim.\r\nAll credits and a big thank you for the original PyEmu go to Cody Pierce\r\nhttps://code.google.com/p/pyemu/\r\nhttps://github.com/codypierce/pyemu\r\nChanges vs. the original PyEmu:\r\npartially fixed the memory management of PyEmu to work more robustly, especially in IDA.\r\nfixed some of the opcode handling that would break when encountering \"rare\" x86 instructions.\r\nrecompiled pydasm with Python 2.7 to have it out of the box compatible with the version found in the last\r\ncouple versions of IDA.\r\nSetup (deobfuscation proof of concept)\r\nCopy the repo into some folder reachable from IDA.\r\nSet the variable PYEMU_PATH in $idapatchwork/patchwork/config.py to the appropriate value.\r\nLoad $idapatchwork/patchwork/INFECTED/nymaim_2f3d6becf1e42614445816302a50d8e2.unp into\r\nIDA.\r\nExecute $idapatchwork/run.py.\r\nIf you just want to benefit from my changes to PyEmu, take the first steps and then you probably want to check\r\nout the modified $idapatchwork/idapyemu.py and find your way on from there. Enjoy.\r\nSource: https://bitbucket.org/daniel_plohmann/idapatchwork\r\nhttps://bitbucket.org/daniel_plohmann/idapatchwork\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://bitbucket.org/daniel_plohmann/idapatchwork"
	],
	"report_names": [
		"idapatchwork"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius",
				"Dropping Elephant",
				"EHDevel",
				"Manul",
				"Monsoon",
				"Operation Hangover",
				"Patchwork",
				"TG-4410",
				"Viceroy Tiger"
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775791764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80148f09cea2ee52e6a885c2de4f3ac817f2d3bb.pdf",
		"text": "https://archive.orkl.eu/80148f09cea2ee52e6a885c2de4f3ac817f2d3bb.txt",
		"img": "https://archive.orkl.eu/80148f09cea2ee52e6a885c2de4f3ac817f2d3bb.jpg"
	}
}