Comments on malware clipboard: NanoLocker - Ransomware analysis
Blog author: Adam (@cyberclues), http://www.blogger.com/profile/17340845780161175453
Comment feed last updated 2023-01-11 (5 comments, newest first)

Adam (@cyberclues), 2016-01-26 15:29 (-08:00), https://www.blogger.com/profile/17340845780161175453:

Look in the TLS code @ 0x004011CB the address 0x0040409F is used; this is a location of importance to the second level decode routine. Your code is fine above; the prog is using a stored value (obtained in the TLS code) to basically make GS point to where FS points, in order to install a custom SEH (the 0x0040409f proc).

At 0x00401298 you will see MOV DWORD PTR DS:[EDX], EAX which is the actual spot where the exception handler is assigned. Do a CTRL-G, and go to 0x0040409F and set a BP. Then return to 0x004012CA and set a BP there as well. Run the code, and if you handled the TLS correctly, you will see a DIV ECX when ECX==0, which will trigger the sub at 0x0040409F. I won't ruin the surprise from there :)

Anonymous, 2016-01-26 12:55 (-08:00):

Thank you for putting this together, will be reading more of your posts for sure.

peter, 2016-01-26 07:52 (-08:00), https://www.blogger.com/profile/08942529259605567160:

Excellent work! Thank you so much for your work.

Anonymous, 2016-01-26 07:15 (-08:00):

I am getting stuck in the following code after executing the TLS code and self-decoding.

00401286 66:8EE8 MOV GS,AX
00401289 65:A1 00000000 MOV EAX,DWORD PTR GS:[0]

Looks like I have missed some decryption. How did you unpack this? MD5: c1cf7ce9cfa337b22ccc4061383a70f6

Anonymous, 2016-01-26 05:58 (-08:00):

Nice write-up. This is one of the more modest ransomwares I've seen. At 0.25 Bitcoin, they're pitching themselves at the budget end of the market.