
CTB-Locker Payload obfuscation layers analysis


After studying the CTB-Locker dropper, I wanted to look at the downloaded payload, but for lack of time I could not finish it. In any case, others have done it very well (see the CIRCL TR-33 Analysis - CTB-Locker / Critroni or Zairon's CTB-Locker files decryption demonstration feature), so it would be a waste of time to complete my own analysis.

However, I noticed that all of these studies focused on CTB-Locker's operations or on the decryption of the user's files, which are obviously the main concerns, but none studied in detail the different obfuscation techniques implemented by CTB-Locker. My early analysis revealed numerous obfuscation techniques, the most complex of which differ from those used by the dropper and add two more layers. The article below focuses on these subjects.