Most of the strings the malware uses are encrypted with several layers of XOR encoding, so traditional brute-force decryptors won't work. The decryption itself is performed in the function at 0x00401A50, which in turn calls two more functions to do the decoding. The returned strings are 16-bit Unicode (WSTR). Different keys are used to decode different parts.
The program is careful to clear the strings it decodes right after they are used, probably to prevent them being revealed in a memory dump during execution in a sandbox.
Processes whose executable matches any of…
Continuing with the WastedLocker sample apparently involved in the recent Garmin attack (July 2020), we now look at some tricks the malware uses to look like a more normal app.
It does several things to divert attention. It calls empty functions that do nothing:
It also simulates legitimate activity by calling standard Windows APIs, but it really does nothing with them:
Today we’re reverse-engineering a sample of the WastedLocker malware, apparently used in the recent Garmin attack (July 2020). This malware is custom built, so there are many possible variants of the one analyzed here, but this is more about reverse engineering and learning the tricks than getting generic detection rules. This sample is the one referenced by BleepingComputer:
A first look at the section table suggests this is a packed exe: a small code section and a large rdata section:
In the entrypoint function, the sample plays some cat-and-mouse tricks, presenting unreachable code and functions that…
Today we are analyzing an injector generated by the njRAT malware. This injector is often referred to as Bladabindi by AV engines. These are the hashes of the sample used.
This is a .Net…