Static code analysis of WastedLocker. Part 2: anti-analysis tricks
Continuing with the WastedLocker sample apparently involved in the recent Garmin attack (July 2020), in this part we look at some of the tricks the malware uses to blend in with a normal application.
Sample hashes:
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA-1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA-256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
It does several things to divert attention. It calls empty functions that do nothing:
It also simulates legitimate activity by calling standard Windows APIs, but it does nothing with their results:
Code sections that are never called:
The malware has a local file killswitch: it tries to open a file named “erpiyoujoi56yu456hyu456h8uy4j5689uy9h” in the same directory as the malware, and if the file exists, it exits.
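A small triage check derived from the killswitch described above, added here as an example (not code from the original post or from the sample): it searches a binary for the killswitch filename in both ASCII and UTF-16LE, since the narrow and wide variants of the Win32 file APIs store the name differently. The input buffer is constructed for the demonstration; `scan_file` would be run on a real sample.

```python
import re
from typing import List, Tuple

# Killswitch filename reported in the analysis above.
KILLSWITCH_NAME = "erpiyoujoi56yu456hyu456h8uy4j5689uy9h"


def killswitch_patterns() -> dict:
    """Byte patterns to search for. Both encodings are checked because a
    CreateFileA-style call embeds the name as ASCII while a CreateFileW-style
    call embeds it as UTF-16LE."""
    return {
        "ascii": KILLSWITCH_NAME.encode("ascii"),
        "utf-16le": KILLSWITCH_NAME.encode("utf-16-le"),
    }


def find_killswitch(data: bytes) -> List[Tuple[str, int]]:
    """Return (encoding, offset) pairs for every occurrence of the
    killswitch name in the buffer; an empty list means no hit."""
    hits = []
    for enc, pat in killswitch_patterns().items():
        for match in re.finditer(re.escape(pat), data):
            hits.append((enc, match.start()))
    return hits


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Convenience wrapper to run the check over a file on disk."""
    with open(path, "rb") as fh:
        return find_killswitch(fh.read())


# Constructed sample buffer (not the real binary): 16 bytes of padding,
# a fake 'MZ' header and filler, then the name as a NUL-terminated wide
# string, followed by more filler. The wide string starts at offset 48.
SAMPLE = (
    b"\x00" * 16
    + b"MZ" + b"\x90" * 30
    + KILLSWITCH_NAME.encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
)

if __name__ == "__main__":
    for enc, offset in find_killswitch(SAMPLE):
        print(f"killswitch name ({enc}) at offset 0x{offset:x}")
```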
Jumps to functions, no call:
It reads the registry key for the IEnumConnections COM interface, but the value apparently is never used.