A custom lightweight emulation environment in Lua to dynamically analyze Lua obfuscated Windows scripts on Linux. Uses the FFI library to intercept API calls and emulate PEB and PE Export Directories.
firejail --net=none --private=$(pwd) luajit winstub.lua 2>&1 | tee analysis.log Make sure you have firejail and luajit installed.
Malware tested on with successfull results:
- https://bazaar.abuse.ch/sample/f6d59ebd26898cd89bfae86d02f2fb71aeadf255f75d144b59f19dcefc8f82a5/
- https://bazaar.abuse.ch/sample/cb69e400baa013e05f71a998279bab86a8b21415d4763b0468fc77777e0df87b/
Lua-based malware. All of the same malware family https://github.com/spontopt/StyxLoaderX-EDR-Evasion https://github.com/Architect2040/metalQwen3 https://github.com/JorgeChocolate/Global-LVBA https://github.com/Rey442/ESP32-Evil-Twin-Captive-Portal https://github.com/udinpedia/Vector https://github.com/Choch00923/Syscaller https://github.com/binetsimonscaletourtiere90/AES67_macos_Driver https://github.com/Icy-Senpal/bypass-all https://github.com/myself-prog/BypassingAVs https://github.com/Mbeeee111/tokenizer.cpp https://github.com/AxeRBLX/mid360_driver https://github.com/sidd0227/hint-break https://github.com/actiniy/FiveM-Spoofer https://github.com/Fourty4Four/XStoreUnlocker https://github.com/hydery-debug/Telegram-Gift-Parser