Posts

Showing posts from January, 2020

Breaking Down A Variant of GlobeImposter Ransomware

Image
GlobeImposter Analysis Sample:  28f7aeea9a0a1f79f792213f44475e9d5d9304cd0e61e3ecb2b9d38e0271a310 This GlobeImposter sample is unpacked, non-obfuscated. All the APIs are linked in load-times, so the IAT is reliable. If you are new to reverse C++, this is a great beginner tutorial . Starting point For this sample, I started the analysis by running the  FindCrypt-Yara plugin. The corresponding result includes references to a Base64 table and a Prime_Constant used in RSA cipher. Tracing Base64 table references will lead you in the middle of id (public key) encryption routine at  0x40E880 which we will in-depth later. On the contrary, if your starting point is pivoting  CreateProcessW or ShellExecuteExW , you will get to the main function at 0x40FFF0 Drop Files The GlobeImposter malicious behavior starts with calling the function at 0x410830 is to drop  2 files:   ids.txt  in the current process directory and HOW_TO_BACK_YOUR_FILES...