{
	"id": "7dae2987-2892-4b5d-a862-35e0994ff2ae",
	"created_at": "2026-04-06T00:20:20.150664Z",
	"updated_at": "2026-04-10T03:21:01.407242Z",
	"deleted_at": null,
	"sha1_hash": "b8641fe5d12fe4a2a645d28ca94c79f7bad0e6a1",
	"title": "Reversing Py2Exe binaries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2200404,
	"plain_text": "Reversing Py2Exe binaries\r\nBy biebsmalwareguy\r\nPublished: 2018-02-14 · Archived: 2026-04-05 21:29:33 UTC\r\nWell, today, I came across an oddity that required digging a little deeper. I saw a C:\\boots\\syswin.exe, and I know that shouldn’t be there. A VirusTotal check showed a high detection rate, but nothing that really explained what the file is, or does.\r\nhttps://biebermalware.wordpress.com/2018/02/14/reversing-py2exe-binaries/\r\nPage 1 of 13\r\nI used 7zip to open the file and saw a lot of .pyc files inside, so this is Python related. Probably a Py2exe binary. Py2exe is a program which takes a Python script, compiles it along with any necessary modules, and packages them with a small Python interpreter into an executable. To verify, I ran:\r\nPYTHONSCRIPT is the resource which contains the original Python script.\r\nNow…how to go about getting the original script out of the exe? A quick Google search showed me that there are a lot of tools out there for this…and hours of reading and trial-and-error showed me that almost none of them work. Finally, I found rePy2exe. Thankfully, this one worked quite well.\r\nThe reverse ‘exe \u003e py’ functionality errored out, but I was able to use unpy2exe to recover the .pyc file for PYTHONSCRIPT.\r\nNow, I could use option 3 (Reverse Pyc -\u003e Py) in rePy2exe to get the source code back.\r\nThen I saw “Segmentation fault,” which, if you don’t know, is a bad thing.
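As an added example (my code, not the post’s and not rePy2exe or unpy2exe), this is what those tools do with the PYTHONSCRIPT resource: check the py2exe header, split off the archive name, unmarshal the list of code objects and wrap each one in a .pyc header. The header layout, the pefile resource walk and the library.zip archive name are assumptions drawn from how unpy2exe reads py2exe 0.6 output; the sample resource is constructed inside the script so it runs offline without a binary.

```python
'''Added example: pull the script code objects out of a py2exe PYTHONSCRIPT
resource and wrap them as .pyc files. Not code from the post, py2exe,
rePy2exe or unpy2exe.

Assumed layout (py2exe 0.6.x, the format unpy2exe parses):
  int32 magic 0x78563412 | int32 optimize | int32 unbuffered |
  int32 len(code bytes) | NUL-terminated archive name (library.zip) |
  marshal.dumps([code_object, ...])
'''
import importlib.util
import marshal
import struct

PY2EXE_MAGIC = 0x78563412
HEADER = struct.Struct('<iiii')
NUL = bytes(1)
PYC_MAGIC = importlib.util.MAGIC_NUMBER   # magic of the running interpreter


def is_py2exe_resource(blob):
    '''Cheap check before parsing: long enough and carries the py2exe magic.'''
    return len(blob) >= HEADER.size and HEADER.unpack_from(blob, 0)[0] == PY2EXE_MAGIC


def parse_pythonscript(blob):
    '''Split a raw resource into (meta dict, marshalled code bytes).'''
    if len(blob) < HEADER.size:
        raise ValueError('resource is shorter than the py2exe header')
    magic, optimize, unbuffered, data_bytes = HEADER.unpack_from(blob, 0)
    if magic != PY2EXE_MAGIC:
        raise ValueError('bad py2exe magic %#x, not a PYTHONSCRIPT resource' % magic)
    end = blob.find(NUL, HEADER.size)
    if end < 0:
        raise ValueError('archive name is not NUL-terminated')
    code_bytes = blob[end + 1:]
    meta = {
        'optimize': optimize,
        'unbuffered': unbuffered,
        'arcname': blob[HEADER.size:end].decode('ascii', 'replace'),
        # py2exe writes len(code_bytes) into the header (assumption); a
        # mismatch means a truncated or padded dump, so surface it.
        'length_ok': data_bytes == len(code_bytes),
    }
    return meta, code_bytes


def recover_code_objects(blob):
    '''Unmarshal the code object list. marshal only reads code objects written
    by the same Python major version, so a Python 2.7 py2exe target has to be
    processed under Python 2.7 (which is what unpy2exe does).'''
    meta, code_bytes = parse_pythonscript(blob)
    objs = marshal.loads(code_bytes)
    if not isinstance(objs, (list, tuple)):
        objs = [objs]
    return meta, list(objs)


def build_pyc(code, magic=PYC_MAGIC, mtime=0):
    '''PEP 552 header (magic, flags, mtime, source size) + marshalled code.
    A Python 2 pyc would be magic + 4-byte mtime with no flags/size words.'''
    return magic + struct.pack('<III', 0, mtime, 0) + marshal.dumps(code)


def extract_pycs(blob):
    '''Return [(filename, pyc bytes)] for every code object in the resource.
    The name comes from co_filename, whichever path separator it used.'''
    meta, objs = recover_code_objects(blob)
    out = []
    for i, code in enumerate(objs):
        base = code.co_filename.replace(chr(92), '/').rsplit('/', 1)[-1]
        stem = base.rsplit('.', 1)[0] if '.' in base else base
        out.append(((stem or 'script%d' % i) + '.pyc', build_pyc(code)))
    return out


def read_pythonscript_resource(path):
    '''Fetch the resource from a PE with pefile (third-party, not exercised
    offline). Assumes the usual name/language/data nesting of the resource tree.'''
    import pefile
    pe = pefile.PE(path)
    for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if entry.name is not None and str(entry.name) == 'PYTHONSCRIPT':
            data = entry.directory.entries[0].directory.entries[0].data.struct
            return pe.get_data(data.OffsetToData, data.Size)
    raise LookupError('no PYTHONSCRIPT resource, probably not a py2exe binary')


def build_pythonscript(objs, arcname='library.zip', optimize=0, unbuffered=0):
    '''Constructed stand-in for a real resource, in the layout described above.'''
    code_bytes = marshal.dumps(list(objs))
    return (HEADER.pack(PY2EXE_MAGIC, optimize, unbuffered, len(code_bytes))
            + arcname.encode('ascii') + NUL + code_bytes)


# Constructed sample script standing in for the recovered PYTHONSCRIPT.
SAMPLE_SOURCE = '''def double(x):
    return x * 2
RESULT = double(21)
'''
SAMPLE_BLOB = build_pythonscript([compile(SAMPLE_SOURCE, 'syswin.py', 'exec')])

if __name__ == '__main__':
    for name, data in extract_pycs(SAMPLE_BLOB):
        with open(name, 'wb') as fh:
            fh.write(data)
        print('wrote', name, len(data), 'bytes')
```

Run it under the interpreter the target was built with: marshal cannot read code objects from another major version, which is why a 2018-era py2exe sample needs Python 2.7 (whose .pyc files also carry an 8-byte header, magic plus mtime, rather than the 16-byte one built here). The unmarshalled code objects are exactly what the Reverse Pyc to Py step then decompiles.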
After a moment, though:\r\nSo…it looks like it worked…but I don’t expect to see a 250M Python script.\r\nStill…when I opened it, it looked like a Python script.\r\nOn scrolling down, it was clear that the only issue (and what caused the segfault) was that it printed the Python script over and over and over until it segfaulted at 250M…so, all I had to do was find where the first one ended, copy/pasta, and then I could tear it apart.\r\nThis is a bit more manageable.\r\nNow, to read the thing.\r\nSo, imports and var declarations, then we see that it’s got functionality to copy itself to USB. Awesome.\r\nThen we see functionality to, essentially, destroy every executable on disk by unlinking them…but only if it’s a fixed disk. It won’t kill USB. After that, there’s some tasklist stuff…frankly, I’m not a Python god, so I’m not certain what’s going on there.\r\nIt queries the Run key…and adds itself.\r\nSome more stuff for copying itself to USB…\r\nAnd closes with some conditionals…\r\nSo, basically, it checks to see if C:\\txt.txt exists, and whether the date is 2016/4/3 or earlier. If not, it launches newthread1, which is the code to destroy all the executables.
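Two of the steps above, as an added example (mine, not the post’s or rePy2exe’s): first trimming a dump that repeats the script back to back until the tool crashed, which is what finding where the first one ended and copy/pasting amounts to, and then a static triage of the recovered source that flags the behaviours the post walks through (Run key write, drive type check, copy to removable media, unlinking executables, a hard-coded date). The API names in the indicator table and the sample script are assumptions; the sample is a constructed, inert stand-in, not the recovered malware.

```python
'''Added example: trim the decompiler output described in the post (the script
printed back to back until the tool died) and run a first static triage over
the recovered source. Not code from the post or from rePy2exe/unpy2exe. The
API names in INDICATORS are assumptions about what such a script calls; the
post shows the behaviour, not the exact calls.'''
import ast
import re


def first_copy(text, anchor_len=64):
    '''Return the first of N back-to-back copies of text. The final copy may
    be cut short (the tool crashed mid-print), so the tail only has to be a
    prefix of the repeating unit. Text that does not repeat comes back as is.'''
    if len(text) <= anchor_len:
        return text
    anchor = text[:anchor_len]
    pos = text.find(anchor, 1)          # next place the opening bytes recur
    while pos != -1:
        head, rest = text[:pos], text[pos:]
        if rest == (head * (len(rest) // pos + 1))[:len(rest)]:
            return head
        pos = text.find(anchor, pos + 1)
    return text


# Assumed call names and what they mean for triage (labels are mine).
INDICATORS = {
    'os.unlink': 'deletes files',
    'os.remove': 'deletes files',
    'shutil.copy': 'copies a file (self-replication if the target is a drive)',
    'win32file.GetDriveType': 'checks drive type (fixed vs removable)',
    '_winreg.SetValueEx': 'writes a registry value (Run key persistence)',
    'winreg.SetValueEx': 'writes a registry value (Run key persistence)',
    'os.popen': 'runs a shell command (e.g. tasklist)',
    'subprocess.Popen': 'runs a shell command (e.g. tasklist)',
}
RUNKEY_RE = re.compile('currentversion.run', re.I)   # the dot covers either path separator
DRIVE_PATH_RE = re.compile('^[A-Za-z]:')


def dotted_name(node):
    '''Attribute chain such as os.path.join to its dotted string, else None.'''
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return '.'.join(reversed(parts))


def triage(source):
    '''Walk the AST and return [(lineno, label, detail)] for indicator calls,
    Run key strings, drive-rooted paths and hard-coded dates. ast.parse needs
    Python 3 syntax, so Python 2 output (print statements) must be converted
    or parsed under Python 2 first.'''
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in INDICATORS:
                findings.append((node.lineno, INDICATORS[name], name))
            elif name in ('datetime.date', 'datetime.datetime') and node.args and all(
                    isinstance(a, ast.Constant) for a in node.args):
                findings.append((node.lineno, 'hard-coded date (possible time trigger)', ast.unparse(node)))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if RUNKEY_RE.search(node.value):
                findings.append((node.lineno, 'Run key path', node.value))
            elif DRIVE_PATH_RE.match(node.value):
                findings.append((node.lineno, 'absolute Windows path', node.value))
    return sorted(findings)


# Constructed stand-in for the recovered script: the building blocks the post
# describes, with nothing wired together at top level, so it is inert and is
# only parsed, never executed. Forward slashes stand in for backslashes.
SAMPLE_SCRIPT = '''import os
import shutil
import _winreg
import win32file
import datetime

TRIGGER = datetime.date(2016, 4, 3)
MARKER = 'C:/txt.txt'
RUNKEY = 'Software/Microsoft/Windows/CurrentVersion/Run'

def persist(path):
    key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, RUNKEY, 0, _winreg.KEY_SET_VALUE)
    _winreg.SetValueEx(key, 'syswin', 0, _winreg.REG_SZ, path)

def spread(drive, path):
    if win32file.GetDriveType(drive) == win32file.DRIVE_REMOVABLE:
        shutil.copy(path, drive)

def wipe(root):
    for name in os.listdir(root):
        if name.endswith('.exe'):
            os.unlink(os.path.join(root, name))
'''
SAMPLE_DUMP = SAMPLE_SCRIPT * 3 + SAMPLE_SCRIPT[:50]   # three copies plus a cut-off fourth
```

On the 250M dump from the post, first_copy only needs the opening 64 characters to recur and then checks that the whole tail is copies of the head, so a trailing partial copy (the print that was running when the segfault hit) does not break the match. The triage output is a starting point for reading, not a verdict: a match on shutil.copy says only that the script copies files, and the Run key regex deliberately accepts either path separator.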
Pretty fun stuff, right?\r\nNotice, there’s no backdoor/RAT functionality, or any network capability at all. There’s nothing to be gained here. This was written by an asshole, just to showcase his or her assholery. Presumably, it was initially written as a logic bomb, prior to 4/3/2016, and left to propagate via USB until that time, when it would explode and kill everyone’s files. Clearly, this was written by a very nice guy, right? Anyway…after all the time spent figuring out how…it turns out it’s pretty easy to tear these apart. So that much, at least, is a plus.\r\nSource: https://biebermalware.wordpress.com/2018/02/14/reversing-py2exe-binaries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://biebermalware.wordpress.com/2018/02/14/reversing-py2exe-binaries/"
	],
	"report_names": [
		"reversing-py2exe-binaries"
	],
	"threat_actors": [],
	"ts_created_at": 1775434820,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8641fe5d12fe4a2a645d28ca94c79f7bad0e6a1.pdf",
		"text": "https://archive.orkl.eu/b8641fe5d12fe4a2a645d28ca94c79f7bad0e6a1.txt",
		"img": "https://archive.orkl.eu/b8641fe5d12fe4a2a645d28ca94c79f7bad0e6a1.jpg"
	}
}