Old Flame Never Dies (a.k.a. decompiling LUA)

September 26, 2016 in Batch Analysis, File Formats ZOO, Malware Analysis, Reversing

When the news about Flame exploded all over the media, I remember grabbing available samples and like many other researchers started poking around. Pretty quickly, I extracted a large number of very unique strings from various Flame samples and posted them online.

Recently, I accidentally came across that old post and started wondering if anyone ever posted the decompiled Lua scripts for the malware. I googled around for some of the strings I posted on my blog back then and to my surprise – my blog was the only one showing up!

I guess there must be some conspiracy theory that will explain that…

Back in 2012, I didn’t have all the samples, but I did run them through a quick analysis process which I will describe below. The procedure for obtaining the strings was extremely crude, but like many quick&dirty solutions – it worked pretty well (and it was fast!).

  • For each DLL, load it via rundll32
    • For each exported function, execute it
      • For ever every single execution, delay for some time
      • Grab memory dumps for rundll32
      • Kill rundll32

Interestingly, I still have the memory dumps I used to extract the strings from, so… since I suddenly thought of these Lua scripts I re-used the memdumps to extract over 60 Lua bytecoded scripts (from both static files and memory dumps to be precise).

And here comes the real purpose of the thread – document how to obtain decompiled Lua scripts from Flame:

  • I wrote a quick carving tool in perl to extract Lua bytecode from both static files, and memory dumps
    • This was pretty easy, since the compiled Lua always starts with a header “\x1BLua”
    • For each extracted file, I wrote another quick&dirty script to rename it to the name embedded inside the bytecoded Lua script
    • That’s how we get the ‘original’ name of the files f.ex. ‘MUNCH_ATTACKED_ACTION.lua’ is embedded inside the bytecoded Lua script


  • With all the files preprocessed, I ran them through a Lua decompiler
    • For many files, it worked like a charm; for some, it failed

If you remember Kaspersky’s Flame code from 2012:


you can find the code inside the flame_props.lua.dec file (you need to remove decompiler’s comments):


The collection of all decompiled scripts can be found here.

The password is: old_flame_never_dies

List of all scripts:

  • ___kaspersky.dec
  • attackop_base_prods.lua.dec
  • attackop_base_sendfile.lua.dec
  • ATTACKOP_FLAME.lua.dec
  • ATTACKOP_FLASK.lua.dec
  • ATTACKOP_JIMMY.lua.dec
  • basic_info_app.lua.dec
  • casafety.lua.dec
  • clan_entities.lua.dec
  • clan_seclog.lua.dec
  • CRUISE_CRED.lua.dec
  • euphoria_app.lua.dec
  • event_writer.lua.dec
  • fio.lua.dec
  • flame_props.lua.dec
  • get_cmd_app.lua.dec
  • json.lua.dec
  • leak_app.lua.dec
  • libclanattack.lua.dec
  • libclandb.lua.dec
  • libcommon.lua.dec
  • libdb.lua.dec
  • libflamebackdoor.lua.dec
  • liblog.lua.dec
  • libmmio.lua.dec
  • libmmstr.lua.dec
  • libnetutils.lua.dec
  • libplugins.lua.dec
  • libwmi.lua.dec
  • main_app.lua.dec
  • payload_logger.lua.dec
  • post_cmd_app.lua.dec
  • REG_SAFETY.lua.dec
  • RESCH_EXEC.lua.dec
  • rts_common.lua.dec
  • SECLOG_HANDLER.lua.dec
  • SECLOG_SPOTTER.lua.dec
  • STD.lua.dec
  • storage_manager.lua.dec
  • SUCCESS_FLAME.lua.dec
  • table_ext.lua.dec
  • transport_nu_base.lua.dec
  • USERPASS_CRED.lua.dec
  • WMI_EXEC.lua.dec
  • WMI_SAFETY.lua.dec

Comments are closed.