{
	"id": "9ed379d0-b3fe-49df-af7b-d864f75e57a5",
	"created_at": "2026-04-06T00:12:20.740694Z",
	"updated_at": "2026-04-10T03:20:16.203753Z",
	"deleted_at": null,
	"sha1_hash": "c4741fad06dcd78cc12719edd41df8e65a82ee70",
	"title": "Robbinhood Malware Analysis with Radare2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 508713,
	"plain_text": "Robbinhood Malware Analysis with Radare2\r\nBy Jacob Pimental\r\nPublished: 2019-07-01 · Archived: 2026-04-05 15:25:07 UTC\r\n01 July 2019\r\nBy Jacob Pimental\r\nThis article will provide an overview of how we can extract function names from Windows GoLang binaries to\r\nmake reversing easier and to give a brief analysis on the Robbinhood Ransomware that attacked Baltimore\r\nrecently. GoLang is a programming language designed around multi-threaded applications. The difficulty in\r\nreversing GoLang binaries is that all libraries are statically linked which means there will be a large number of\r\nfunctions in the application, most of which are not even used during execution. For example, in a normal Hello\r\nWorld compiled GoLang binary, radare2 detects 1800 functions.\r\nThe gopclntab section in a GoLang program contains a table of function locations along with their names.\r\nRadare2 is able to parse out this table and label every function accordingly, however this only works on binaries\r\ncompiled for Linux. When it comes to Windows, Radare2 is not able to find the gopclntab and we are left with\r\nthousands of unlabeled functions with no clue as to what they do. I decided to learn how the gopclntab works and\r\ncreate a parser using r2pipe to label all functions.\r\nGopclntab\r\nhttps://goggleheadedhacker.com/blog/post/12\r\nPage 1 of 4\n\nThe gopclntab section always seems to start with the bytes 0xfbffffff, and after that contains the size of the table.\r\nThe next 8 bytes contains the location of the first function, then the offset of that function from the start of the\r\ntable. If you go to that offset from the start of the table you’ll get the offset for the name of the function.\r\nUsing this table we can get all of the function information for the binary. I created a small python script that uses\r\nr2pipe to parse this table and rename/create the necessary functions. You can get the script on my gitHub. There is\r\nalso a really in-depth article you can read about the gopclntab here.\r\nRobbinhood\r\nIn May, Baltimore was hit by a ransomware known as Robbinhood, that took out multiple services. The\r\nransomware itself was written in GoLang, so I thought this would be a good opportunity to become familiar with\r\nGoLang reversing and analyze the sample.\r\nWhen reversing a GoLang binary, the main function will be located at main.main. Seeking to that function in\r\nradare2, we can see the binary trying to open the file “C:\\Windows\\Temp\\pub.key”. Strings in a GoLang binary\r\nare not null-terminated like most C-type programming languages. Instead, they have a variable that contains the\r\nlength of the string.\r\nIf the file “pub.key” does not exist, the program throws an error and exits. If it does exist, the program will get a\r\nlist of drives that the computer has access to and run the function main.CoolMaker. The CoolMaker function\r\nspawns multiple processes of “cmd.exe” to run the service control manager in order to to shut down any endpoint\r\nagents or antivirus on the infected host.\r\nAfter the CoolMaker function has been called, Robbinhood will spawn 4 processes of the function\r\nmain.main.func1, which appears to be where the actual encryption occurs. The function calls another function,\r\nhttps://goggleheadedhacker.com/blog/post/12\r\nPage 2 of 4\n\nmain.doit, which creates an encryption key based on the “pub.key” file found at the start of execution. These\r\nprocesses will then recursively walk through the file system and encrypt any files it finds.\r\nThe program also logs the encrypted files names to four different log files, rf_l, rf_s, ro_l, ro_s. Both of the rf_*\r\nfiles log the names of the files the program deems “interesting”. The ro_* logs contain all other filenames. Both\r\nsets of logs are separated into large file sizes (rf_l, ro_l), and small file sizes (rf_s, ro_s). These logs are deleted as\r\nsoon as execution is completed.\r\nThe dropped ransom note is contained in the binary as a base64 encoded string. The different aspects of the note,\r\nsuch as payment amount and user id are defined by different variables in the note to make them easily\r\ninterchangeable depending on who the victim is. For example, the wallet id is defined in the ransom note as\r\n“#WALLAD#” and is replaced by the string “14yos7dpe4bx3imnoGVUcMsNBwU1hLutfj”. I did check to see if\r\nany payments had been made to the bitcoin wallet address and it looks like Jack Young was true to his word and\r\nthe city didn’t pay the ransom at all.\r\nhttps://goggleheadedhacker.com/blog/post/12\r\nPage 3 of 4\n\nOverall, this was not a very advanced Ransomware. It is very loud due to the fact that it is shutting down multiple\r\nEndpoint agents and AV. It also did not have the ability to spread at all. Every infected computer had to be targeted\r\nindividually for it to cause real damage.\r\nHowever, this was a fun sample to analyze and taught me a lot about GoLang reversing. As always, if you have\r\nany questions or comments on this, or any of my other articles, feel free to reach out to me on my Twitter and\r\nLinkedin.\r\nThanks for reading and happy reversing!\r\nTutorial, Radare2, Malware Analysis, Malware, Linux, Windows, Scripting, Automation, r2pipe, GoLang\r\nMore Content Like This:\r\nSource: https://goggleheadedhacker.com/blog/post/12\r\nhttps://goggleheadedhacker.com/blog/post/12\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://goggleheadedhacker.com/blog/post/12"
	],
	"report_names": [
		"12"
	],
	"threat_actors": [],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4741fad06dcd78cc12719edd41df8e65a82ee70.pdf",
		"text": "https://archive.orkl.eu/c4741fad06dcd78cc12719edd41df8e65a82ee70.txt",
		"img": "https://archive.orkl.eu/c4741fad06dcd78cc12719edd41df8e65a82ee70.jpg"
	}
}