
A relatively new sample of GandCrab ransomware; I got it from ANY.RUN.

SHA256: 643F8043C0B0F89CEDBFC3177AB7CFE99A8E2C7FE16691F3D54FB18BC14B8F45

This is a light post about unpacking the aforementioned malware.

GandCrab uses GlobalAlloc to allocate memory and uses the functions at 40120B and 4011E0 to decrypt and/or decode code into it. After changing the region's protection to PAGE_EXECUTE_READWRITE via VirtualProtect, it jumps into the previously allocated memory: `call dword ptr ss:[ebp-68]`

After jumping, it uses the first function to locate GetProcAddress and LoadLibrary, and the second function to build the IAT and jump to the unpacked sample:
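The allocate, make-executable, then call-into-it sequence described above is a useful detection signal in an API trace. The following is an added example, not part of the original post, that correlates those three events over a constructed trace excerpt (the format and the allocation base 0x264D000 are assumptions, not output from any real tool):

```python
import re
from dataclasses import dataclass

# Constructed API-trace excerpt (not real tool output) modelling the stub:
# allocate, flip protection to RWX, transfer control into the allocation.
# The last line models the later re-protection of ImageBase and must not fire.
TRACE = """\
GlobalAlloc(uFlags=0x0, dwBytes=0x2000) = 0x264D000
VirtualProtect(lpAddress=0x264D000, dwSize=0x2000, flNewProtect=0x40) = 1
call 0x264D62E
VirtualProtect(lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4) = 1
"""

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory-protection constant

HEX = r"(0x[0-9A-Fa-f]+)"
ALLOC_RE = re.compile(r"GlobalAlloc\(uFlags=" + HEX + r", dwBytes=" + HEX + r"\) = " + HEX)
PROTECT_RE = re.compile(r"VirtualProtect\(lpAddress=" + HEX + r", dwSize=" + HEX + r", flNewProtect=" + HEX + r"\)")
CALL_RE = re.compile(r"call " + HEX)


@dataclass
class Region:
    base: int
    size: int
    rwx: bool = False

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def find_self_unpacking(trace: str) -> list:
    """Report control transfers into heap regions that were made RWX after allocation."""
    regions, findings = [], []
    for line in trace.splitlines():
        if m := ALLOC_RE.search(line):
            regions.append(Region(base=int(m[3], 16), size=int(m[2], 16)))
        elif m := PROTECT_RE.search(line):
            addr, prot = int(m[1], 16), int(m[3], 16)
            for r in regions:
                if r.contains(addr) and prot == PAGE_EXECUTE_READWRITE:
                    r.rwx = True  # allocation is now writable and executable
        elif m := CALL_RE.search(line):
            target = int(m[1], 16)
            for r in regions:
                if r.rwx and r.contains(target):
                    findings.append(f"control transfer into RWX heap region 0x{r.base:X} at 0x{target:X}")
    return findings


if __name__ == "__main__":
    print("\n".join(find_self_unpacking(TRACE)))
```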

Locate kernel32:

Locate GetProcAddress and LoadLibrary:

Locate necessary functions:

Changes protection of 0x400000 (ImageBase) and removes everything from it:

Uses a different function (0x264D62E in this run) to map the new sections:

Locates the IAT for the recently mapped PE:

…and so on; at the end, it jumps to the code:

Which is at 0x4044A5. This address was used by different code before the old image was unmapped and the new one mapped; x32dbg handles this well:

but in IDA we get broken disassembly:

We can use Scylla to dump the unpacked version of the ransomware.

…Now it’s better:

Any feedback appreciated: @_qaz_qaz