Automated String Decryption for Mirai Malware Analysis

Ghidra script that automatically identifies and decrypts obfuscated strings in Mirai botnet samples. Supports Shift XOR, RC4, and Bruteforce XOR across multiple processor architectures.

A Ghidra script that automates the tedious process of identifying and decrypting obfuscated strings in Mirai malware samples. Built to work across multiple processor architectures.

Why Use This?

Mirai malware variants obfuscate their strings using various encryption methods to evade static analysis. Manually identifying and decrypting these strings is time-consuming and error-prone. This script automates the entire process, allowing you to focus on analyzing the malware’s behavior rather than fighting with encryption routines.

Supported Decryption Methods

The script automatically detects and handles three encryption types commonly found in Mirai samples:

  • Shift XOR - XOR-based string obfuscation used in some Mirai variants
  • RC4 - stream-cipher (keystream XOR) encryption of strings used in other Mirai variants
  • Bruteforce XOR - key-recovery method for XOR-encoded entries such as the embedded credential table

The script attempts to automatically load and decrypt strings where possible, though some edge cases may require manual intervention or script customization.
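As an added illustration (not code from the repository, and using no Ghidra API), the following plain-Python snippet implements two of the three schemes listed above: RC4 decryption and brute-force recovery of a single-byte XOR key from a NUL-terminated table entry. The Shift XOR variant is left out because the page does not define it; the sample blobs, the key `0x22` and the key `demo-key` are constructed here and come from no real sample.

```python
"""Reference implementations of RC4 and brute-force single-byte XOR recovery.
Plain Python, no Ghidra API; all sample data is constructed inline."""
import string

# Printable ASCII minus control whitespace: what a decrypted table entry should look like.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA).
    The keystream is XORed with data, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def bruteforce_xor(blob: bytes) -> list[tuple[int, bytes]]:
    """Try every single-byte key against a NUL-terminated table entry and keep
    the keys whose plaintext is printable ASCII followed by exactly one NUL.
    The terminator makes the hit unique: only key == blob[-1] decrypts it to 0."""
    hits = []
    for k in range(256):
        pt = bytes(b ^ k for b in blob)
        body, nul = pt[:-1], pt[-1]
        if nul == 0 and body and all(b in PRINTABLE for b in body):
            hits.append((k, body))
    return hits


# Constructed sample: "admin\0" XORed with the hypothetical single-byte key 0x22.
XOR_BLOB = b"\x43\x46\x4F\x4B\x4C\x22"
# Constructed sample: a placeholder domain RC4-encrypted under a made-up key.
RC4_KEY = b"demo-key"
RC4_BLOB = rc4(RC4_KEY, b"cnc.example.invalid")

if __name__ == "__main__":
    for key, text in bruteforce_xor(XOR_BLOB):
        print(f"XOR key 0x{key:02x}: {text!r}")
    print("RC4:", rc4(RC4_KEY, RC4_BLOB).decode())
```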

Features

  • Fully Automated: Identifies decryption routines and processes strings without manual configuration
  • Multi-Architecture Support: Works across ARM, MIPS, x86, and other architectures commonly targeted by Mirai
  • Three Decryption Algorithms: Handles Shift XOR, RC4, and Bruteforce XOR encryption schemes
  • Ghidra Integration: Seamlessly integrates into your existing Ghidra workflow via Script Manager
  • Headless Mode: Batch process multiple samples via command line for automated analysis pipelines

Quick Start

Clone the repository:

git clone https://github.com/xeroexecute/ghidra-mirai-decryption.git

Ghidra GUI: Script Manager → Manage Script Directories → Add repo folder → Refresh → Run from Analysis/Mirai

Headless Mode: Perfect for automating analysis of multiple samples in a Ghidra project

Detailed Usage

Ghidra UI

  1. Open Ghidra and navigate to the Script Manager
  2. Add the directory of the downloaded Git repository to the Script directories:
    • Click the Manage Script Directories button
    • Add the directory of the cloned repository
  3. Refresh the script list:
    • Click the Refresh Script List button
  4. The script should now be visible under Analysis/Mirai/ and can be executed for the currently open binary

Ghidra Headless

For batch processing multiple samples or integrating into automated analysis pipelines:

analyzeHeadless $(pwd)/<ghidra-project> <ghidra-mirai-project> \
  -scriptPath $(pwd) \
  -postScript miraiDecryptionRoutines.java "verbose" \
  -process \
  -scriptlog mirai.log

The verbose parameter enables detailed logging of all detected decryption routines and decrypted strings. Results are saved to mirai.log for further analysis.

Use Cases

  • Malware Analysis: Quickly extract C2 server addresses, credentials, and other IOCs from Mirai samples
  • Threat Hunting: Batch process suspected Mirai binaries collected from honeypots
  • Research: Analyze evolution of string obfuscation techniques across Mirai variants

Contributing

The script works well for common Mirai variants, but edge cases exist where string loading may fail. Contributions to improve string extraction logic or add support for additional decryption methods are welcome.

GitHub Repository: xeroexecute/ghidra-mirai-decryption

For questions or suggestions, contact @Sir_X