Today we’re reverse-engineering a sample of the WastedLocker malware, apparently used in the recent Garmin attack (July 2020). This malware is custom-built, so other variants may differ from the one analyzed here; the point is more about reverse engineering and learning the tricks than producing generic detection rules. This sample is the one referenced by BleepingComputer:
A first look at the section table already suggests a packed executable: a small .text (code) section next to a big .rdata section, which is where the payload to be unpacked most likely lives:
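The "small code, big data" observation can be turned into a quick triage check. The following is an added example, not code from the original post; it builds a constructed two-section PE in memory (not the WastedLocker sample) so it runs offline, walks the section table with nothing but `struct`, and flags the layout when the largest non-code section dwarfs .text and has near-random entropy. The entropy criterion and the thresholds (`size_ratio`, `min_entropy`) are generic packer heuristics assumed here; the post itself only reports the size imbalance.

```python
import math
import random
import struct
from typing import Dict, List

# Constructed sample data (NOT the WastedLocker binary): a tiny, repetitive
# ".text" and a large, high-entropy ".rdata", mimicking the layout seen in the post.
_rng = random.Random(2020)
SAMPLE_TEXT = b"\x55\x8b\xec" + b"\x90" * 200 + b"\xc3"          # push ebp; mov ebp,esp; nops; ret
SAMPLE_RDATA = bytes(_rng.getrandbits(8) for _ in range(4096))  # looks encrypted/compressed


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe(text: bytes, rdata: bytes) -> bytes:
    """Assemble a minimal PE32 file with two sections so the parser has real headers to read.
    Only the fields the section parser consumes are meaningful; the optional header is zeroed."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE signature at offset 64
    opt = bytes(224)                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)  # i386, 2 sections, EXE
    headers_len = 64 + 4 + 20 + len(opt) + 40 * 2
    text_ptr, rdata_ptr = headers_len, headers_len + len(text)

    def section_header(name, vaddr, raw, raw_ptr, chars):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), raw_ptr, 0, 0, 0, 0, chars)

    sections = (section_header(b".text", 0x1000, text, text_ptr, 0x60000020)       # CODE|EXECUTE|READ
                + section_header(b".rdata", 0x2000, rdata, rdata_ptr, 0x40000040))  # INITIALIZED_DATA|READ
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + text + rdata


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk the section table of a PE image held in memory and summarise each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]        # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    first = coff + 20 + opt_size                                 # section table follows the optional header
    out = []
    for i in range(num_sections):
        base = first + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, base)
        chars = struct.unpack_from("<I", pe, base + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        out.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "rva": vaddr, "raw_size": raw_size,
            "executable": bool(chars & 0x20000000),              # IMAGE_SCN_MEM_EXECUTE
            "entropy": round(shannon_entropy(raw), 3),
        })
    return out


def triage(sections: List[Dict], size_ratio: float = 4.0, min_entropy: float = 7.0) -> Dict:
    """Flag the 'small code, big data' layout. Thresholds are assumptions, not taken from the post."""
    code = [s for s in sections if s["name"] == ".text"]
    data = [s for s in sections if s["name"] != ".text"]
    reasons = []
    if code and data:
        text_size = max(1, code[0]["raw_size"])
        biggest = max(data, key=lambda s: s["raw_size"])
        if biggest["raw_size"] >= size_ratio * text_size:
            reasons.append(f"{biggest['name']} is {biggest['raw_size'] // text_size}x larger than .text")
        if biggest["entropy"] >= min_entropy:
            reasons.append(f"{biggest['name']} entropy {biggest['entropy']} looks encrypted/compressed")
    return {"packed": len(reasons) == 2, "reasons": reasons}


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe(SAMPLE_TEXT, SAMPLE_RDATA))
    for s in secs:
        print(f"{s['name']:<8} raw={s['raw_size']:>6} entropy={s['entropy']:.2f} exec={s['executable']}")
    print(triage(secs))
```

To run it against a real file, replace the constructed blob with `open(path, "rb").read()`; the parser only needs the headers and section bodies, so it works on a dropped sample without loading it. Treat the result as a hint, not a verdict: a large, high-entropy data section is also what a legitimately compressed resource looks like.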
In the entry-point function, the sample plays some cat-and-mouse tricks: it presents unreachable code and functions that call the Windows API but don’t really do anything meaningful, decoys that cost an analyst time without affecting the real control flow. At the end of the start function, however, the unpacking occurs:
It allocates a buffer to receive the unpacked code; the two functions at the end then unpack a piece of the executable into that buffer. Once unpacked, some more setup is done and control is transferred to the new entry point by pushing its address onto the stack and executing a retn. Since retn simply pops the top of the stack into EIP, this is a jump in disguise, and because the buffer is allocated at runtime the target is a computed address rather than a static immediate, so it will not show up in a static cross-reference list. A breakpoint on that retn is the natural place to dump the buffer before the unpacked code gets to run.