This ransomware runs two decryption loops before the real code is executed.
Both versions, v1.27 and v1.29, have the same entry point:
By tracing with F7, we get the first decryption loop:
After the decryption, code looks like this:
Marked in red, we can see the second decryption loop.
If we trace the code using F8/F7, we'll find a DIV ECX instruction just after the Sleep call. This DIV instruction generates an "Integer Division by Zero" exception, and execution is paused by the debugger:
However, a custom SEH handler is installed just before the GetTickCount call (starting at 0x401283) that will continue the execution of the program right after the DIV instruction. As the exception is triggered on purpose, I assume this is mostly an anti-sandbox trick:
Once we pass the exception and trace the second decryption loop, we’ll observe the real ransomware code:
At this point, we can use OllyDump to dump the entire image and obtain an unpacked version of the ransomware to analyze. There is no need to fix imports and the new EP can be set to 0x40131C:
We can check that the binary was successfully unpacked by looking at the string references:
We can see, for example, the ransomware note and other interesting strings to continue with the analysis.
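The string check described above can also be scripted against the dumped file instead of being read off the debugger. This is an added example, not code from the original post: the sample buffers, the keyword list and the rolling XOR that stands in for the packer's decryption loops are constructed assumptions.

```python
import math
import re
from collections import Counter

MIN_LEN = 6  # shortest run of printable characters treated as a string
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII strings, then UTF-16LE strings, found in data."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data trends towards 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def looks_unpacked(data: bytes, keywords: list[str]) -> bool:
    """True when every expected keyword appears in some recovered string."""
    strings = [s.lower() for s in extract_strings(data)]
    return all(any(k.lower() in s for s in strings) for k in keywords)

# Constructed stand-in for an unpacked image: filler bytes around note-like text.
PLAIN = (b"\x90" * 64
         + b"Your files have been encrypted\x00" + b"\xcc" * 8
         + "decrypt instructions".encode("utf-16-le") + b"\x00\x00"
         + b"\xcc" * 64)
# Constructed stand-in for the packed image. The rolling XOR is an assumption;
# the real decryption loops are not reproduced here.
PACKED = bytes(b ^ ((i * 37 + 0x5A) & 0xFF) for i, b in enumerate(PLAIN))
KEYWORDS = ["encrypted", "decrypt"]  # hypothetical ransom-note keywords

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("unpacked", PLAIN)):
        print(f"{name:9s} entropy={entropy(blob):.2f} "
              f"strings={len(extract_strings(blob))} "
              f"ok={looks_unpacked(blob, KEYWORDS)}")
```

To use it on a real dump, read the file with `open(path, "rb").read()` and pass keywords taken from the strings you expect in the unpacked sample.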
Hashes of the analyzed samples (SHA-1):
- 589B78FCDE00583615E85C16B0A63D0806CF621C (v1.29)
- FEA42532538136B61AE490BD82E20163DCC2EF9A (v1.27)

Article Link: https://crackinglandia.wordpress.com/2017/06/17/unpacking-mawalre-series-nanolocker-ransomware/