Most of the strings the malware will use are encrypted with several layers of XOR encoding, so using traditional brute force decryptors won’t work. The decryption itself is performed in the function at 0x00401A50, which in turn calls another 2 functions to perform the decoding. The returned strings…
Continuing with the sample of WastedLocker apparently involved in the recent Garmin attack (July 2020), now we are looking at some tricks the malware uses to look like a more normal app.
It does several things to divert attention. It will call empty funcions that do nothing:
It also simulates some legit action calling Windows standard APIs, but it’s really doing nothing with them:
Today we’re reverse-engineering a sample of the WastedLocker malware, apparently used in the recent Garmin attack (July 2020). This malware is custom built, so there are many possible variants of the one analyzed here, but this is more about reverse engineering and learning the tricks than getting generic detection rules…
Today we are analyzing an injector generated by the njRAT malware. This injector is often referred to as Bladabindi by AV engines. These are the hashes of the sample used.