Breaking Down A Variant of GlobeImposter Ransomware
GlobeImposter Analysis Sample: 28f7aeea9a0a1f79f792213f44475e9d5d9304cd0e61e3ecb2b9d38e0271a310 This GlobeImposter sample is unpacked, non-obfuscated. All the APIs are linked in load-times, so the IAT is reliable. If you are new to reverse C++, this is a great beginner tutorial . Starting point For this sample, I started the analysis by running the FindCrypt-Yara plugin. The corresponding result includes references to a Base64 table and a Prime_Constant used in RSA cipher. Tracing Base64 table references will lead you in the middle of id (public key) encryption routine at 0x40E880 which we will in-depth later. On the contrary, if your starting point is pivoting CreateProcessW or ShellExecuteExW , you will get to the main function at 0x40FFF0 Drop Files The GlobeImposter malicious behavior starts with calling the function at 0x410830 is to drop 2 files: ids.txt in the current process directory and HOW_TO_BACK_YOUR_FILES.exe in every directory that the ransomware