Hash: ceeaf45fbb91df67d5b9f1ca1905301ce63314152fb50ed7c6c31365d06ec86d

String encryption

Most of the strings the malware will use are encrypted with several layers of XOR encoding, so using traditional brute force decryptors won’t work. The decryption itself is performed in the function at 0x00401A50, which in turn calls another 2 functions to perform the decoding. The returned strings…

Continuing with the sample of WastedLocker apparently involved in the recent Garmin attack (July 2020), now we are looking at some tricks the malware uses to look like a more normal app.

Sample hashes:
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA-1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA-256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

It does several things to divert attention. It will call empty funcions that do nothing:

It also simulates some legit action calling Windows standard APIs, but it’s really doing nothing with them:

Today we’re reverse-engineering a sample of the WastedLocker malware, apparently used in the recent Garmin attack (July 2020). This malware is custom built, so there are many possible variants of the one analyzed here, but this is more about reverse engineering and learning the tricks than getting generic detection rules…

Today we are analyzing an injector generated by the njRAT malware. This injector is often referred to as Bladabindi by AV engines. These are the hashes of the sample used.

MD5: 6a8e751dda2523f26223f2ae2bd55487
SHA-1: f6c1afc9ebe1ccba5bbaa8da4d1186b8c41b8f60
SHA-256: 36ef054942195766acc955222f3f4396f47bdc76fc18f24c08f586717ed461d6
  • DotNet based RAT, probably written in Visual Basic. Targets .net framework 2.0
  • Out of…



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store