Unpacking Malware Series: Dharma Ransomware

I found two samples of Dharma ransomware that were packed with the same custom packer, so I decided to take a look and unpack the core malware.

In this case, it was very easy to obtain the real malware. Like many other malware families, it creates a process and then overwrites its contents with the real code, so the first thing to do is to put a breakpoint on CreateProcessA. I usually keep breakpoints on several functions of the CreateProcess* family, such as CreateProcessA/W or CreateProcessInternalA/W, so as not to miss anything.

Once we return from the CreateProcessA call, we land here:

After this, the packer makes the usual calls to get the PEB of the newly launched process and erase its PE header by calling ZwUnmapViewOfSection:

Here’s a screenshot of the parameters pushed onto the stack:

At the top of the stack is the process handle (0x44), followed by the base address to unmap (0x400000).

Then, it calls VirtualAllocEx to map some memory in the launched process:

If we look at the parameters, we see that it is going to allocate memory at the region it just unmapped:

Decomposing the stack, we have:

0012FD9C   00000044 --> Process handle
0012FDA0   00400000 --> Desired address to allocate
0012FDA4   00025000 --> Size for the region to allocate
0012FDA8   00003000 --> MEM_COMMIT | MEM_RESERVE
0012FDAC   00000040 --> PAGE_EXECUTE_READWRITE

Then, we get the important part:

As you can see, the process is about to call WriteProcessMemory with the following parameters:

0012FD9C   00000044 --> Process handle
0012FDA0   00400000 --> Address to write to
0012FDA4   00197598 --> Buffer with the data to write
0012FDA8   00000400 --> Number of bytes to write
0012FDAC   00000000 --> lpNumberOfBytesWritten
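The two stack views above are all an analyst needs to reconstruct the calls. The following script, added here as an example and not part of the original post, parses stack dumps in the same "ADDR VALUE --> comment" layout, maps the values onto the documented VirtualAllocEx and WriteProcessMemory prototypes, names the Win32 flag constants (MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE), and checks that the pair of calls is consistent with the write-over-unmapped-image behaviour described in the post. The embedded dumps are the values shown above; the function and variable names are my own.

```python
import re

# Win32 constants (documented values, not taken from the samples).
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PROTECTIONS = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}

# Stack views as shown in the write-up (debugger layout: stack address, value, comment).
VIRTUALALLOCEX_STACK = """
0012FD9C   00000044 --> Process handle
0012FDA0   00400000 --> Desired address to allocate
0012FDA4   00025000 --> Size for the region to allocate
0012FDA8   00003000 --> MEM_COMMIT | MEM_RESERVE
0012FDAC   00000040 --> PAGE_EXECUTE_READWRITE
"""
WRITEPROCESSMEMORY_STACK = """
0012FD9C   00000044 --> Process handle
0012FDA0   00400000 --> Address to write to
0012FDA4   00197598 --> Buffer with the data to write
0012FDA8   00000400 --> Number of bytes to write
0012FDAC   00000000 --> lpNumberOfBytesWritten
"""

STACK_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})")


def parse_stack_dump(text):
    """Return the argument values, in push order (lowest stack address first), as ints."""
    values = []
    for line in text.splitlines():
        m = STACK_LINE.match(line)
        if m:
            values.append(int(m.group(2), 16))
    return values


def decode_alloc_type(flags):
    names = [name for bit, name in ALLOC_TYPES.items() if flags & bit]
    leftover = flags & ~sum(ALLOC_TYPES)
    if leftover:
        names.append(hex(leftover))   # bits this small table does not know
    return names


def decode_virtualallocex(args):
    """VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect)"""
    h, addr, size, alloc_type, protect = args[:5]
    return {
        "hProcess": h, "lpAddress": addr, "dwSize": size,
        "flAllocationType": decode_alloc_type(alloc_type),
        "flProtect": PROTECTIONS.get(protect & 0xFF, hex(protect)),
        "_protect_raw": protect,
    }


def decode_writeprocessmemory(args):
    """WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten)"""
    h, addr, buf, n, written = args[:5]
    return {"hProcess": h, "lpBaseAddress": addr, "lpBuffer": buf,
            "nSize": n, "lpNumberOfBytesWritten": written}


def hollowing_indicators(alloc, write):
    """Consistency checks an analyst applies to the allocate/write pair:
    same target process, the write lands inside the fresh region, and the region is RWX."""
    start, end = alloc["lpAddress"], alloc["lpAddress"] + alloc["dwSize"]
    return {
        "same_process": alloc["hProcess"] == write["hProcess"],
        "write_inside_allocation": start <= write["lpBaseAddress"]
                                   and write["lpBaseAddress"] + write["nSize"] <= end,
        "rwx_region": alloc["flProtect"] == "PAGE_EXECUTE_READWRITE",
    }


if __name__ == "__main__":
    alloc = decode_virtualallocex(parse_stack_dump(VIRTUALALLOCEX_STACK))
    write = decode_writeprocessmemory(parse_stack_dump(WRITEPROCESSMEMORY_STACK))
    print(alloc)
    print(write)
    print(hollowing_indicators(alloc, write))
```

The first write is only 0x400 bytes, which is the usual SizeOfHeaders of a PE file: the packer writes the headers first and the sections afterwards, so the buffer at 0x197598 is the start of a PE in file layout.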

If we look at the buffer that contains the data to be written to the process, we can see this:

We find a full PE file there. Its size? I just scrolled down until I found some unmapped heap memory (0x0DF0ADBA) and took that as the size (0x25BB0) of the new PE image:

I know, I may be dumping more than necessary, but it works anyway. If you are fussy, just calculate the right size by parsing the section headers of the new PE.
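Calculating the size from the section headers, as suggested above, is straightforward. The script below is an added example and not the author's tooling: it parses the DOS, COFF, optional and section headers of a PE32 image, derives the number of bytes to dump from the packer's buffer (file layout: the end of the last section's raw data) and the size the image occupies once mapped (SizeOfImage, recomputed from the sections), and checks whether a hollowed region such as the 0x25000-byte RWX allocation at 0x400000 could hold the image. Because the samples are not reproduced here, the input is a constructed 0x400-byte PE32 header block with two sections; all function names are my own.

```python
import struct


def build_sample_pe_headers():
    """Constructed PE32 header block (0x400 bytes, two sections) so the parser runs offline.
    Not bytes from the Dharma samples."""
    sections = [
        # name,    VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x1000, 0x1000, 0x1000, 0x400),
        (b".data", 0x100,  0x2000, 0x200,  0x1400),
    ]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF: Machine=i386, NumberOfSections, TimeDateStamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)             # SizeOfImage, SizeOfHeaders
    shdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
        for n, vs, va, rs, rp in sections
    )
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + shdrs).ljust(0x400, b"\0")


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_pe32(buf):
    """Read the PE32 header fields needed to size an image; buf is raw (file-layout) bytes."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", buf, coff + 2)[0]
    size_opt = struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    image_base, sect_align, file_align = struct.unpack_from("<III", buf, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    sections = []
    first_sh = opt + size_opt
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, first_sh + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"image_base": image_base, "sect_align": sect_align, "file_align": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def dump_sizes(info):
    """(raw_size, image_size): bytes to dump from the file-layout buffer, and bytes the image spans once mapped."""
    secs = info["sections"]
    raw_size = max((s["rawptr"] + s["rawsize"] for s in secs), default=0)
    raw_size = max(raw_size, info["size_of_headers"])
    image_end = max((s["va"] + s["vsize"] for s in secs), default=info["size_of_headers"])
    return raw_size, align_up(image_end, info["sect_align"])


def fits_allocation(info, alloc_base, alloc_size):
    """True if a region (base, size) allocated in the hollowed process can hold the image at its preferred base."""
    _, image_size = dump_sizes(info)
    return alloc_base == info["image_base"] and alloc_size >= image_size


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe_headers())
    raw, mapped = dump_sizes(info)
    print(f"dump {raw:#x} bytes from the buffer; mapped image spans {mapped:#x} bytes "
          f"(header SizeOfImage={info['size_of_image']:#x})")
    print("fits 0x3000 @ 0x400000:", fits_allocation(info, 0x400000, 0x3000))
```

Against a real dump, feed `parse_pe32` the bytes starting at the buffer passed to WriteProcessMemory; the raw size it returns is the exact amount to dump instead of scanning for the end of the heap, and a mismatch between the recomputed mapped size and the header's SizeOfImage is worth a second look before trusting the headers.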

Then, I used PE Tools to dump it and voilà, a PE ready for reverse engineering.

File hashes:

  • 0ad2e27747186633f5187f85916fdda45aa0a1f4
  • 3e806f960e8b048342fce7d10d0f6db47f4e40c1

Article Link: https://crackinglandia.wordpress.com/2017/06/26/unpacking-malware-series-dharma-ransomware/