I found two samples of Dharma ransomware packed with the same custom packer, so I decided to take a look and unpack the core malware.
In this case, it was very easy to obtain the real malware. Like many other malware families, it creates a new process and then overwrites that process's memory with the real code (process hollowing), so the first thing to do is put a breakpoint on CreateProcessA. I usually set breakpoints on several functions of the CreateProcess* family, such as CreateProcessA/W or CreateProcessInternalA/W, so as not to miss anything.
Once we return from the CreateProcessA call, we land here:
After this, the packer makes the usual sequence of calls to get the PEB of the newly launched process (and from it the image base), then unmaps the original executable image at that base (the whole image, not just the PE header) by calling ZwUnmapViewOfSection:
Here’s a screenshot of the parameters pushed onto the stack:
At the top of the stack is the process handle (0x44), followed by the base address to unmap (0x400000).
Then it calls VirtualAllocEx to allocate memory inside the launched process:
If we look at the parameters, we see that it is going to allocate memory at the region it has just unmapped:
Decomposing the stack, we have:

```
0012FD9C 00000044 --> Process handle
0012FDA0 00400000 --> Desired address to allocate (the base that was just unmapped)
0012FDA4 00025000 --> Size of the region to allocate
0012FDA8 00003000 --> MEM_COMMIT | MEM_RESERVE
0012FDAC 00000040 --> PAGE_EXECUTE_READWRITE
```
Then, we get the important part:
As you can see, the process is about to call WriteProcessMemory with the following parameters:

```
0012FD9C 00000044 --> Process handle
0012FDA0 00400000 --> Address to write to (the image base)
0012FDA4 00197598 --> Buffer with the data to write
0012FDA8 00000400 --> Number of bytes to write (0x400: the PE headers)
0012FDAC 00000000 --> lpNumberOfBytesWritten (NULL)
```
If we look at the buffer that contains the data to be written to the process, we can see this:
We find a full PE file there. Its size? I just scrolled down until I reached heap memory filled with the debug-heap pattern (0x0DF0ADBA, the BAADF00D marker that the debug heap writes into allocated but not yet written memory) and took that offset, 0x25BB0, as the size of the new PE image:
I know, I may be dumping more than necessary, but it works anyway (the dump is 0x25BB0 bytes, while VirtualAllocEx only asked for 0x25000 for the whole image). If you are fussy, calculate the exact size by parsing the section headers: the file image ends at the largest PointerToRawData + SizeOfRawData in the section table.
Then I used PE Tools to dump it, and voilà, a PE ready for reverse engineering.
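Here is an added Python example (my own code, not part of the original post or the author's tooling) of the "fussy" way to size the dump: it parses the DOS, COFF and optional headers of a PE sitting at the start of a captured buffer, walks the section table, and returns the raw file size (the bytes that actually need to be dumped) together with SizeOfImage, which should match the size passed to VirtualAllocEx (0x25000 in the post). It also applies the post's own heuristic, scanning for the first debug-heap fill dword, so the two answers can be compared. The PE header it parses is constructed inline for the example, so the section names, sizes and offsets are assumptions, not the layout of the real Dharma sample; only the 0x25000 image size and the 0x0DF0ADBA fill value come from the post.

```python
import struct

# Debug-heap fill pattern as the dword 0x0DF0ADBA appeared in the post's dump (assumed byte order).
HEAP_FILL = struct.pack("<I", 0x0DF0ADBA)


def pe_sizes(buf):
    """Parse a PE image in file layout at the start of buf.

    Returns (size_of_image, raw_file_size, sections) where raw_file_size is
    max(PointerToRawData + SizeOfRawData) over the section table, i.e. how many
    bytes of the heap buffer really belong to the embedded executable.
    """
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", buf, e_lfanew + 6)   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", buf, e_lfanew + 20)      # SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", buf, opt)
    if magic not in (0x10B, 0x20B):                               # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SizeOfImage and SizeOfHeaders sit at the same offsets in PE32 and PE32+.
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 0x38)
    sect_tbl = opt + opt_size
    sections, raw_end = [], size_of_headers
    for i in range(num_sections):
        off = sect_tbl + i * 40                                   # IMAGE_SECTION_HEADER
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", buf, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
        raw_end = max(raw_end, raw_ptr + raw_size)
    return size_of_image, raw_end, sections


def heap_fill_offset(buf):
    """The post's heuristic: dump everything up to the first debug-heap fill dword."""
    idx = buf.find(HEAP_FILL)
    return len(buf) if idx < 0 else idx


def carve_pe(buf):
    """Return only the bytes of the embedded PE, sized from its section table."""
    _, raw_end, _ = pe_sizes(buf)
    return bytes(buf[:raw_end])


def build_sample_buffer():
    """Constructed test data, not the real sample: a PE32 header with two
    sections, the section contents, then debug-heap fill, mimicking the heap
    buffer handed to WriteProcessMemory.  SizeOfImage is set to 0x25000, the
    VirtualAllocEx size seen in the post; everything else is made up."""
    sections = [  # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b".text", 0x1F000, 0x1000, 0x1F000, 0x400),
        (b".data", 0x5000, 0x20000, 0x4000, 0x1F400),
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x25000, 0x400)        # SizeOfImage, SizeOfHeaders
    tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
        for n, vs, va, rs, rp in sections)
    hdr = (dos + b"PE\0\0" + coff + bytes(opt) + tbl).ljust(0x400, b"\0")
    body = b"\x90" * 0x1F000 + b"\xCC" * 0x4000               # section contents
    return hdr + body + HEAP_FILL * 0x400                     # trailing heap fill


if __name__ == "__main__":
    buf = build_sample_buffer()
    size_of_image, raw_end, sections = pe_sizes(buf)
    for name, va, vsize, raw_ptr, raw_size in sections:
        print("%-8s VA=%06x VSize=%06x Raw=%06x+%06x" % (name, va, vsize, raw_ptr, raw_size))
    print("SizeOfImage (expect the VirtualAllocEx size): 0x%x" % size_of_image)
    print("bytes to dump per section table:              0x%x" % raw_end)
    print("bytes to dump per heap-fill heuristic:        0x%x" % heap_fill_offset(buf))
```

On a real dump you would read the buffer from the debugger's memory window starting at the WriteProcessMemory source address and feed it to carve_pe; the section-table size is authoritative, while the heap-fill scan only works when the process runs under the debug heap and the allocation is larger than the file image, which is why the post's dump came out bigger than SizeOfImage.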
File hashes:
- 0ad2e27747186633f5187f85916fdda45aa0a1f4
- 3e806f960e8b048342fce7d10d0f6db47f4e40c1

Article Link: https://crackinglandia.wordpress.com/2017/06/26/unpacking-malware-series-dharma-ransomware/