Unpacking Malware Series: ATLAS Ransomware

This time, we are going to see how to unpack ATLAS ransomware.

The first thing it does, as many other malware, is to allocate memory regions to hold the decryption routines for the real ransomware core.

Then, there is a loop where it changes the permissions of every memory page, included the PE header section, of the current process:

This is the mentioned loop where it changes the memory protections of every PE section:

Then, it erases part of the PE data (included PE Header):

We can see that it starts at the PE header section address and it’s going to erase 0x32000 bytes from the PE:

Here’s the .text section being erased:

And here’s the end of the erased data:

After erasing the PE data, it searches for a hashed function name value but in this case it seems it doesn’t find it, however, it continues:

Then, it starts a loop to copy data to the previously erased sections from a fully decrypted PE:

We can see that the second parameter (source address) points to the decrypted PE:

At this point, we can use PE Tools or VSD to dump the entire PE from memory and continue with the analysis of the ransomware.

The following are the strings from the decrypted PE:

Analyzed hashes:

  • A152796DCB795EC7DF155F147A29A6B53CD9355F



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s