Static code analysis of WastedLocker. Part 2: anti-analysis tricks

Shimasakisan
Jul 31, 2021

Continuing with the WastedLocker sample that was apparently involved in the Garmin attack (July 2020), this part looks at some of the tricks the malware uses to make itself look like a more ordinary application and to waste an analyst's time.

Sample hashes:
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA-1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA-256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

It does several things to divert attention. It calls empty functions that do nothing, which pads the call graph with meaningless edges:

It also simulates legitimate activity by calling standard Windows APIs, but it never uses their results, so the calls only serve to make the import table and the code look benign:

Code sections that are never called:

The malware has a local file kill switch: it tries to open a file named "erpiyoujoi56yu456hyu456h8uy4j5689uy9h" in the same directory as its own executable, and if the file exists it exits without doing anything else. Creating that file next to the sample is a convenient way to keep it inert in a lab, but it only helps for the directory the malware is actually launched from.
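The following is an added example, not code from the original post or from the sample itself: a small script that mirrors the kill-switch check described above (open a fixed file name in the executable's own directory, exit if the open succeeds) and the matching "vaccine" step of dropping that file. The executable path is passed in explicitly and a temporary directory stands in for the malware's location; those are assumptions for the demo, the real sample resolves its own path on Windows.

```python
import os
import tempfile

# File name the sample probes for next to its own executable (from the analysis above).
KILLSWITCH_NAME = "erpiyoujoi56yu456hyu456h8uy4j5689uy9h"


def killswitch_path(exe_path):
    """Path the sample would probe: the kill-switch name in the executable's own directory.

    The real sample resolves its own path on Windows; here it is passed in so the
    check can be exercised on any platform (assumption for this demo).
    """
    exe_dir = os.path.dirname(os.path.abspath(exe_path))
    return os.path.join(exe_dir, KILLSWITCH_NAME)


def killswitch_present(exe_path):
    """Mirror the sample's check: try to open the file; success means it would exit."""
    try:
        with open(killswitch_path(exe_path), "rb"):
            return True
    except OSError:
        return False


def vaccinate(directory):
    """Drop an empty kill-switch file into `directory` and return its path.

    Caveat: this only matters for the directory the sample is launched from,
    which is not known in advance, so it is a lab convenience rather than a
    general protection.
    """
    path = os.path.join(directory, KILLSWITCH_NAME)
    with open(path, "ab"):
        pass
    return path


def run_demo():
    """Stand-alone check in a temporary directory; returns (before, after) results."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_sample = os.path.join(tmp, "sample.exe")  # constructed stand-in for the binary
        with open(fake_sample, "wb"):
            pass
        before = killswitch_present(fake_sample)  # no file yet: the sample would keep running
        vaccinate(tmp)
        after = killswitch_present(fake_sample)   # file present: the sample would exit
        return before, after


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns `(False, True)`: the check fails before the file is created and succeeds afterwards. The open-and-discard pattern is exactly what shows up in the disassembly, so the file name is also a usable string IOC for this sample.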

Jumps into functions instead of calls: control is transferred with a jmp rather than a call, so the disassembler draws no call-graph edge for the transfer and the target looks unreferenced:
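As an added example (not part of the original post and not the author's tooling), the script below recovers the edges that a call-graph view misses when a function is entered with a jmp instead of a call. It parses an objdump-style listing; the listing is constructed for the demo and does not come from the sample, and the function names and addresses in it are assumptions. Any branch whose target is another function's entry point is reported alongside the ordinary call edges.

```python
import re

# Constructed objdump-style listing (not from the sample). sub_401000 calls
# sub_401020 normally, but sub_401000 and sub_40100e transfer control with jmp,
# which a call-graph built only from CALL instructions will not show.
LISTING = """\
00401000 <sub_401000>:
  401000: 55                      push   ebp
  401001: 89 e5                   mov    ebp,esp
  401003: e8 18 00 00 00          call   401020 <sub_401020>
  401008: 5d                      pop    ebp
  401009: e9 32 00 00 00          jmp    401040 <sub_401040>
0040100e <sub_40100e>:
  40100e: eb 10                   jmp    401020 <sub_401020>
00401020 <sub_401020>:
  401020: c3                      ret
00401040 <sub_401040>:
  401040: 33 c0                   xor    eax,eax
  401042: 75 fc                   jne    401040 <sub_401040>
  401044: c3                      ret
"""

FUNC_HEADER = re.compile(r"^([0-9a-fA-F]+)\s+<([^>]+)>:\s*$")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
HEX_ADDR = re.compile(r"^[0-9a-fA-F]+$")


def parse_listing(text):
    """Return (functions, instructions).

    functions: dict address -> name for every function header in the listing.
    instructions: list of (address, owning_function, mnemonic, operand_tokens).
    """
    functions = {}
    instructions = []
    current = None
    for line in text.splitlines():
        m = FUNC_HEADER.match(line)
        if m:
            functions[int(m.group(1), 16)] = m.group(2)
            current = m.group(2)
            continue
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":") or current is None:
            continue
        addr = int(tokens[0].rstrip(":"), 16)
        i = 1
        while i < len(tokens) and HEX_BYTE.match(tokens[i]):  # skip the raw bytes column
            i += 1
        if i >= len(tokens):
            continue  # continuation line with bytes only, no mnemonic
        instructions.append((addr, current, tokens[i].lower(), tokens[i + 1:]))
    return functions, instructions


def branch_target(operands):
    """First operand token that parses as a bare hex address, or None."""
    for tok in operands:
        if HEX_ADDR.match(tok):
            return int(tok, 16)
    return None


def recover_edges(text):
    """Collect call edges and jump-to-function-entry edges.

    Returns {"call": [...], "jmp": [...]}; each entry is
    (source_function, target_function, source_address).
    """
    functions, instructions = parse_listing(text)
    edges = {"call": [], "jmp": []}
    for addr, func, mnemonic, operands in instructions:
        target = branch_target(operands)
        if target is None or target not in functions:
            continue  # not a branch, or the target is not a function entry point
        dst = functions[target]
        if mnemonic == "call":
            edges["call"].append((func, dst, addr))
        elif mnemonic.startswith("j") and dst != func:
            # jmp/jcc landing on another function's entry: behaves like a call,
            # but no call-graph edge is drawn for it. Branches back to the
            # current function's own entry (loops) are ignored.
            edges["jmp"].append((func, dst, addr))
    return edges


if __name__ == "__main__":
    for kind, lst in recover_edges(LISTING).items():
        for src, dst, addr in lst:
            print(f"{kind:4} {src} -> {dst} (at {addr:#x})")
```

On the constructed listing this reports one call edge (sub_401000 to sub_401020) and two jmp edges (sub_401000 to sub_401040 and sub_40100e to sub_401020), which is exactly the information needed to decide that sub_401040 is reachable even though nothing calls it.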

It also reads a registry value under the COM interface key (HKCR\Interface) for IEnumConnections, but the result does not appear to be used anywhere; it looks like another decoy API call.
