Skip to content
/ stadeo Public

Control-flow-flattening and string deobfuscator

License

Notifications You must be signed in to change notification settings

eset/stadeo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Stadeo

Stadeo is a set of tools primarily developed to facilitate analysis of Stantinko, which is a botnet performing click fraud, ad injection, social network fraud, password stealing attacks and cryptomining.

The scripts, written entirely in Python, deal with Stantinko's unique control-flow-flattening (CFF) and string obfuscation techniques described in our March 2020 blogpost. Additionally, they can be utilized for other purposes: for example, we’ve already extended our approach to support deobfuscating the CFF featured in Emotet – a trojan that steals banking credentials and that downloads additional payloads such as ransomware.

Our deobfuscation methods use IDA, which is a standard tool in the industry, and Miasm – an open source framework providing us with various data-flow analyses, a symbolic execution engine, a dynamic symbolic execution engine and the means to reassemble modified functions.