
Unpacking GandCrab Ransomware


A relatively new sample of GandCrab ransomware; I got it from ANY.RUN.


SHA256: 643F8043C0B0F89CEDBFC3177AB7CFE99A8E2C7FE16691F3D54FB18BC14B8F45

This is a light post about unpacking the aforementioned malware.

GandCrab uses GlobalAlloc to allocate memory and the functions at 0x40120B and 0x4011E0 to decrypt and/or decode code; after changing the protection to PAGE_EXECUTE_READWRITE via VirtualProtect, it jumps to the previously allocated memory: call dword ptr ss:[ebp-68]


After jumping, it uses the first function to locate GetProcAddress and LoadLibrary, and the second function to build the IAT and jump to the unpacked sample:


Locate kernel32:


Locate GetProcAddress and LoadLibrary:


Locate necessary functions:


It changes the protection of 0x400000 (ImageBase) and wipes everything from it:


It uses a different function (at 0x264D62E in this run) to map the new sections:


It locates the IAT for the newly mapped PE:


…and so on; at the end, it jumps to the code:

[screenshot: jmp eax]

which is at 0x4044A5. This address was occupied by different code before the old image was unmapped and the new one mapped in; x32dbg handles this well:


but in IDA we get broken disassembly:


We can use Scylla to dump the unpacked version of the ransomware:


…Now it’s better:

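As an added example (not part of the original post, and not the author's or any project's tooling), the following Python script parses a PE import table using only the standard library and applies a triage heuristic to it. It ties together two steps above: the packed sample's static imports are just the small set its stub needs (GlobalAlloc to allocate, VirtualProtect to make the buffer executable), with everything else resolved at runtime through GetProcAddress/LoadLibrary, whereas a correct Scylla dump should carry the full rebuilt IAT, which the same parser lets you verify. The sample PE files are constructed inline by build_sample_pe; the 12-import threshold and the STUB_APIS list are assumptions made for this example, not a published rule.

```python
"""Import-table triage for 32/64-bit PE files (stdlib only).

parse_imports() walks the import directory of a PE image on disk.
packer_stub_hint() flags the tiny import set a packer stub leaves behind.
build_sample_pe() constructs a minimal PE with a single .idata section so the
script runs offline (constructed test input, not a real sample).
"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
# APIs a minimal unpacking stub typically needs statically (assumed list for this example).
STUB_APIS = {"GlobalAlloc", "VirtualAlloc", "VirtualProtect",
             "GetProcAddress", "LoadLibraryA", "LoadLibraryW"}


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll_name: [function names]}; ordinal imports appear as '#n'."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dir_base = opt + (112 if is_pe32plus else 96)           # DataDirectory start
    imp_rva, _ = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    imports = {}
    if imp_rva == 0:
        return imports
    desc = _rva_to_offset(imp_rva, sections)
    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if is_pe32plus else ("<I", 4, 1 << 31)
    while True:                                              # IMAGE_IMPORT_DESCRIPTOR loop
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:
            break
        dll = _cstr(data, _rva_to_offset(name_rva, sections))
        thunk = _rva_to_offset(oft or ft, sections)
        funcs = []
        while True:                                          # thunk array, zero-terminated
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"#{entry & 0xFFFF}")
            else:                                            # IMAGE_IMPORT_BY_NAME: 2-byte hint + name
                funcs.append(_cstr(data, _rva_to_offset(entry, sections) + 2))
            thunk += thunk_len
        imports[dll] = funcs
        desc += 20
    return imports


def packer_stub_hint(imports, max_imports=12):
    """A tiny import set that still has an allocator plus VirtualProtect is typical of
    a stub that resolves the real imports at runtime (threshold is an assumption)."""
    names = {f for funcs in imports.values() for f in funcs}
    allocator = bool(names & {"GlobalAlloc", "VirtualAlloc"})
    return {"total_imports": len(names),
            "stub_apis": sorted(names & STUB_APIS),
            "likely_packed": len(names) <= max_imports and allocator and "VirtualProtect" in names}


def build_sample_pe(imports):
    """Construct a minimal PE32 with one .idata section holding the given imports."""
    sec_rva, sec_off = 0x1000, 0x200
    body = bytearray(20 * (len(imports) + 1))               # descriptor table + null terminator
    descs = []
    for dll, funcs in imports.items():
        name_rva = sec_rva + len(body)
        body += dll.encode() + b"\0"
        hint_rvas = []
        for f in funcs:
            hint_rvas.append(sec_rva + len(body))
            body += struct.pack("<H", 0) + f.encode() + b"\0"
        thunks = b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0\0\0\0"
        oft_rva = sec_rva + len(body); body += thunks
        ft_rva = sec_rva + len(body); body += thunks
        descs.append(struct.pack("<IIIII", oft_rva, 0, 0, name_rva, ft_rva))
    body[:20 * len(descs)] = b"".join(descs)
    data_dirs = struct.pack("<II", 0, 0) + struct.pack("<II", sec_rva, 20 * len(descs)) + b"\0" * (14 * 8)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + data_dirs   # 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".idata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0xC0000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + opt + sect
    return bytes(headers.ljust(sec_off, b"\0") + body)


if __name__ == "__main__":
    # Constructed stand-in for a packed sample: only what the stub needs is imported.
    packed = build_sample_pe({"KERNEL32.dll": ["GlobalAlloc", "VirtualProtect", "GetModuleHandleA"],
                              "USER32.dll": ["MessageBoxA"]})
    print(parse_imports(packed))
    print(packer_stub_hint(parse_imports(packed)))
```

Run it against a real file with `parse_imports(open(path, "rb").read())`: on the packed sample the import list should be close to the stub's handful of APIs, and on the Scylla dump it should show the full table; a dump whose import walk raises on an unbacked RVA is a sign the IAT was not rebuilt correctly.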

Any feedback appreciated: @_qaz_qaz