H1N1 String De-obfuscation Script

Visibility: Open to anyone

Cisco's Research & Efficacy Team has developed an IDAPython script for de-obfuscating strings at given addresses within IDA Pro for the H1N1 loader malware.


Technical Analysis and Evolution of the H1N1 Loader


H1N1 is a loader malware variant dating back to June 2015 that has been known to deliver Pony DLLs and Vawtrak executables to infected machines. Upon infection, H1N1 previously only provided loading, encrypted system information reporting capabilities, and AV program neutralization. It would perform these actions from an elevated context by making use of a UAC bypass and attempting to exploit CVE-2014-4113.


The H1N1 authors have added a number of new capabilities in comparison to earlier reports. Throughout this blog series we will be discussing the obfuscation, a UAC bypass, information stealing, data exfiltration, loader/dropper and self-propagation/lateral movement techniques used by this variant.


About the Advanced Threat Research and Efficacy Team


This elite group of security malware specialists and reverse engineers are tasked with the challenge of ensuring that the Cisco security solutions can detect, and defeat advanced malware and APTs.  To achieve this goal, this team studies the techniques and tools used by malware developers.  The output of this work is shown in a variety of ways, ranging from enhancing the detection capabilities of the Cisco security portfolio, to advanced malware research reports, to tools that help the incident response and security operations personnel understand the inner workings of today’s, and tomorrow’s, advanced malware threats.