Hash: ceeaf45fbb91df67d5b9f1ca1905301ce63314152fb50ed7c6c31365d06ec86d

String encryption

Most of the strings the malware uses are encrypted with several layers of XOR encoding, so the usual brute-force XOR decoders will not recover them. The decryption itself is performed in the function at 0x00401A50, which in turn calls two further functions to do the decoding. The returned strings are 16-bit Unicode (wide strings, WSTR). Different keys are used to decode different parts.

The program is careful to clear each decoded string right after it is used, probably to prevent it from being revealed in a memory dump taken while the sample runs in a sandbox.
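As an added illustration (example code, not the sample's own routine; its real keys, key layout and the strings themselves are not reproduced here), the Python below shows layered repeating-key XOR over UTF-16LE strings and why a single-byte brute-forcer fails against it: two XOR layers with key lengths a and b collapse into one XOR with a key of period lcm(a, b), so the practical approach is to recover that composed key rather than to try 256 single bytes. The keys and the test string are assumptions made for the example.

```python
# Added example: layered XOR over wide strings. Keys and strings are hypothetical;
# they are not the ones used by the analyzed WastedLocker sample.
from math import gcd
from typing import Optional, Sequence

# Hypothetical per-layer keys (the real sample uses different keys for different parts).
LAYER_KEYS = [b"\x1f\x2a\x33", b"\x47\x58\x69\x7a"]


def xor_layer(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_wstr(text: str, keys: Sequence[bytes]) -> bytes:
    """Encode a string as UTF-16LE (WSTR), then apply each XOR layer in order."""
    buf = text.encode("utf-16-le")
    for key in keys:
        buf = xor_layer(buf, key)
    return buf


def decode_wstr(blob: bytes, keys: Sequence[bytes]) -> str:
    """Undo the layers in reverse order and decode the WSTR."""
    buf = blob
    for key in reversed(keys):
        buf = xor_layer(buf, key)
    return buf.decode("utf-16-le")


def compose_keys(k1: bytes, k2: bytes) -> bytes:
    """Two repeating-key XOR layers equal one layer whose key has period lcm(len(k1), len(k2))."""
    period = len(k1) * len(k2) // gcd(len(k1), len(k2))
    return bytes(k1[i % len(k1)] ^ k2[i % len(k2)] for i in range(period))


def single_byte_bruteforce(blob: bytes) -> Optional[str]:
    """Naive decoder: try all 256 single-byte keys, accept printable-ASCII UTF-16LE output.

    Works on a single-byte layer; returns None when the effective key is longer,
    because the high byte of every UTF-16 code unit then varies and never zeroes out."""
    for k in range(256):
        try:
            cand = xor_layer(blob, bytes([k])).decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if cand and all(32 <= ord(c) < 127 for c in cand):
            return cand
    return None


if __name__ == "__main__":
    blob = encode_wstr("kernel32.dll", LAYER_KEYS)
    print("layered decode:", decode_wstr(blob, LAYER_KEYS))
    composed = compose_keys(LAYER_KEYS[0], LAYER_KEYS[1])
    print("composed key period:", len(composed))
    print("decode with composed key:", xor_layer(blob, composed).decode("utf-16-le"))
    print("single-byte brute force:", single_byte_bruteforce(blob))
```

When writing a decoder for a real sample, lift the keys and the call order from the decoding functions themselves (here, the two callees of 0x00401A50) and feed the composed key to one XOR pass; that is usually faster than re-implementing each layer.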

Stops target services and processes

Processes whose executable matches any of…


Continuing with the WastedLocker sample apparently involved in the recent Garmin attack (July 2020), this time we look at some of the tricks the malware uses to look more like a normal application.

Sample hashes:
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA-1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA-256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

It does several things to divert attention. It calls empty functions that do nothing:

It also simulates legitimate activity by calling standard Windows APIs, but does nothing with their results:


Today we’re reverse-engineering a sample of the WastedLocker malware, apparently used in the recent Garmin attack (July 2020). This malware is custom-built, so there are many possible variants of the one analyzed here, but this post is more about reverse engineering and learning the tricks than about producing generic detection rules. This sample is the one referenced by BleepingComputer:

MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA-1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA-256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

A first look at the section table suggests a packed executable: a small code section next to a large .rdata section:
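The section-table check described above, as an added example in Python (not the author's tooling): a minimal parser for the PE section table that reports each section's raw size and entropy and applies the "small code, big rdata" heuristic. The PE image it inspects is constructed inside the block, so the thresholds and the sample are assumptions for illustration, not measurements of the WastedLocker binary.

```python
# Added example: PE section-table triage. The sample image is constructed below;
# it is not the WastedLocker binary, and the thresholds are illustrative.
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List, Sequence, Tuple

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Dict]:
    """Follow DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, pe, table + i * SECTION_HEADER_SIZE)
        name, vsize, _vaddr, raw_size, raw_ptr = fields[:5]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def looks_packed(sections: List[Dict], ratio: float = 0.25, entropy_floor: float = 7.0) -> bool:
    """Heuristic from the text: a .text section much smaller than a large, high-entropy data section."""
    text = next((s for s in sections if s["name"] == ".text"), None)
    if text is None:
        return False
    return any(
        s is not text and s["raw_size"] > 0
        and text["raw_size"] < ratio * s["raw_size"]
        and s["entropy"] >= entropy_floor
        for s in sections
    )


def build_sample_pe(sections: Sequence[Tuple[bytes, bytes]], file_align: int = 0x200) -> bytes:
    """Assemble a minimal PE32 image (headers, section table, raw data) for testing the parser."""
    opt_size = 224  # PE32 optional header size
    e_lfanew = 0x40
    headers_end = e_lfanew + 4 + 20 + opt_size + len(sections) * SECTION_HEADER_SIZE
    raw_ptr = -(-headers_end // file_align) * file_align  # round up to file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, blobs, vaddr, first_raw = b"", b"", 0x1000, raw_ptr
    for name, payload in sections:
        size = len(payload)
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), size, vaddr, size, raw_ptr,
                             0, 0, 0, 0, 0x60000020)  # characteristics are not used by the parser
        blobs += payload
        raw_ptr += size
        vaddr += -(-size // 0x1000) * 0x1000
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (first_raw - len(image)) + blobs


def sample_image() -> bytes:
    """Constructed sample: a 512-byte stub .text beside an 8 KiB high-entropy .rdata."""
    text = b"\xC3" * 0x200  # 'ret' filler: zero entropy
    rdata = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # deterministic, ~8 bits/byte
    return build_sample_pe([(b".text", text), (b".rdata", rdata)])


if __name__ == "__main__":
    secs = parse_sections(sample_image())
    for s in secs:
        print(f"{s['name']:<8} raw={s['raw_size']:>6} entropy={s['entropy']:.2f}")
    print("packed?", looks_packed(secs))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_sections`; a high-entropy .rdata dwarfing .text is a prompt to look for an unpacking stub at the entry point, not proof of packing on its own.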

In the entry-point function, the sample plays some cat-and-mouse tricks, presenting unreachable code and functions that…


Today we are analyzing an injector generated by the njRAT malware. This injector is often labelled Bladabindi by AV engines. These are the hashes of the sample used.

MD5: 6a8e751dda2523f26223f2ae2bd55487
SHA-1: f6c1afc9ebe1ccba5bbaa8da4d1186b8c41b8f60
SHA-256: 36ef054942195766acc955222f3f4396f47bdc76fc18f24c08f586717ed461d6
  • .NET-based RAT, probably written in Visual Basic; it targets .NET Framework 2.0.
  • Runs a keylogger out of the box.
  • Receives additional code from the C&C server to perform further actions.
  • Copies itself to a TEMP directory and persists through the registry \CurrentVersion\Run key and the Startup folder.
  • This particular sample connects to its C2 at 80.236.91.167:5552.
  • No anti-debug or anti-sandbox checks, but the code is obfuscated.
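An added triage check for the persistence behaviour listed above (example code, not the author's tooling or anything from the sample): given an inventory of Run-key values and Startup-folder targets, it flags every entry whose executable resolves under a temp directory, handling quoted paths, unquoted paths with spaces, `%TEMP%` references and `..` components. The inventory, the environment mapping and the paths are constructed for the example.

```python
# Added example: flag autorun entries that launch from a temp directory. The
# inventory, environment and paths are constructed; they are not from the sample.
import ntpath
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed inventory: (source, value name, command line or shortcut target)
AUTORUNS: List[Tuple[str, str, str]] = [
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "Defender", r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
    (RUN_KEY, "Windows Update", r'"C:\Users\alice\AppData\Local\Temp\server.exe"'),
    (RUN_KEY, "Updater", r"%TEMP%\update.exe -silent"),
    ("Startup folder", "notes.lnk", r"C:\Windows\Temp\..\Temp\svc host.exe"),
]

# Constructed environment for expanding %VAR% references; keys are upper-cased.
ENV: Dict[str, str] = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "TMP": r"C:\Users\alice\AppData\Local\Temp",
    "SYSTEMROOT": r"C:\Windows",
}
TEMP_DIRS = [ENV["TEMP"], r"C:\Windows\Temp"]


def expand_env(text: str, env: Dict[str, str]) -> str:
    """Expand %VAR% the way the shell would; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def extract_image_path(cmdline: str, env: Dict[str, str]) -> str:
    """Pull the executable path out of a Run value: quoted path, or unquoted path with spaces and args."""
    cmd = expand_env(cmdline.strip(), env)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    # Unquoted paths may contain spaces: grow the candidate until it ends in .exe.
    for i in range(len(parts)):
        candidate = " ".join(parts[: i + 1])
        if candidate.lower().endswith(".exe"):
            return candidate
    return parts[0] if parts else ""


def is_under(path: str, directory: str) -> bool:
    """Case-insensitive containment test on normalised Windows paths (handles '..' and '/')."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d + "\\")


def flag_temp_autoruns(entries, env, temp_dirs) -> List[Tuple[str, str, str]]:
    """Return (source, name, resolved image path) for entries that launch from a temp directory."""
    hits = []
    for source, name, cmd in entries:
        image = extract_image_path(cmd, env)
        if any(is_under(image, d) for d in temp_dirs):
            hits.append((source, name, image))
    return hits


if __name__ == "__main__":
    for source, name, image in flag_temp_autoruns(AUTORUNS, ENV, TEMP_DIRS):
        print(f"[!] {source} :: {name} -> {image}")
```

On a live host the same function can be fed from `reg query` output and a listing of the per-user and all-users Startup folders (resolving .lnk targets first); a value named after a Windows component that points into `%TEMP%` is exactly the pattern this sample's persistence would leave behind.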

Static code analysis

This is a .Net…

Shimasakisan

@shimasakisan_
