Junkfuscation: Pikabot edition
A coffee-long look into the core module of a post-february 2024 Pikabot sample.
Sample: ffa6a6b56c154ed6ae3de4b31ee05bd5c1e8161954fe79ffc9f6dc8408d24659
Pikabot’s core module uses a lot of junk globals and opaque loops. The decompiler output shows complex-looking operations on random DWORDs intertwined with real logic. It is a deliberate strategy designed to make every function look unique and expensive to analyze.
Three patterns repeat across the whole binary.
Junk globals. DWORDs get reassigned via constant math chains. These writes sit between real operations but never used for anything important.
Opaque predicates. Loops walk static strings and check if characters are digits using (*ptr - 48) <= 9. Since the strings are fixed at build time, the branch outcome is constant. The compiler still emits the full control flow which hides the real execution path.
Junk helper calls. Small routines encapsulate these same patterns. They take random string pointers and IDs. Return values are usually ignored or folded into more junk math.
Standalone Junk Function Examples
The standalone junk functions are the easiest to spot. Their entire bodies are noise with no impact on the malware’s functionality.
The decompiler shows a checksum walk over a2 followed by digit scans. Callers don’t even use the return value.
unsigned __int16 *__cdecl pika_junk_digit_checks(int a1, char *a2, unsigned __int16 *i)
{
unsigned int n5271 = 5271;
unsigned __int16 *i_1 = i;
do {
int v6 = *a2++;
if (!v6) break;
n5271 += v6;
} while (n5271 <= 0x1D60);
for (unsigned __int16 *j = i; (*j - 48) <= 9u; ++j)
;
// pattern repeats
return i_1;
}
This routine walks the string "Component Categories", then returns a value that looks like variable arithmetic.
unsigned int pika_junk()
{
char *Component_Categories = "Component Categories";
for (unsigned int i = 1656; i <= 9809; i += v2) {
v2 = *Component_Categories++;
if (!v2) break;
}
for (char *j = aHostUnreachabl_1; (*j - 48) <= 9u; ++j)
;
result = 146616292 * (((-1887986594 * n143012896 - 606464809) | 0xE83BCB3D) - 1845301155);
n143012896 = 143012896;
return result;
}
Junk Inside Main Logic
The real difficulty lies in long routines where three or four lines matter and the rest is filler.
Config Parsing
The algorithm copies the embedded blob, reads the rotation count, rotate, and parses fields. The meaningful spine is simple.
| Address | Action |
|---|---|
| 0x405955 | Zero out buffer |
| 0x4059F5 | Copy config blob to stream |
| 0x405A8B | Read rotation count |
| 0x405AD0 | Rotate |
| 0x405B03 | Copy payload to final buffer |
Junk calls bracket every single step. Fake error handlers also appear as opaque predicates. Inside a loop at 0x405C0F, if a fake bound trips, the code calls checksum and xor helpers on unrelated strings. This path is never taken during normal execution.
The Rotator Loop
The rotator implements a circular shift and checks for a debugger. Inside the inner loop, every iteration calls pika_junk_1.
for (i = 0; i < *(buf + 348); ++i) {
if (pika_check_debugger() == 9472) { pika_exit(); }
dword_4109B8 = (dword_4109B8 | 0x1190386B) + 1270050443;
for (j = payload_size - 1; j; ...) {
*(payload + j + 1) = *(payload + j);
pika_junk_1(L"yo-NG", dword_4109B8, "wilActivity", "bad address");
}
}
If a loop walks a static string and branches on digit class, the exit condition is fixed. You can prove this statically without running the malware.
Once you have looked at a couple of these functions, they all start looking the same. You can quickly identify the patterns and ignore them entirely during your analysis.
Stay tuned for more malware-related tips and tricks!