Ransom/Satana

Forum for analysis and discussion about malware.
heart888
Posts: 18
Joined: Tue Mar 01, 2016 11:04 pm

Ransom/Satana

Post by heart888 » Fri Jul 01, 2016 1:52 am


xors
Posts: 138
Joined: Mon May 23, 2016 2:01 am

Re: Ransom/Satana

Post by xors » Sat Jul 02, 2016 11:24 am

Unpacked in the attachment (for those who don't have an account on malwr.com).

The unpacking process is easy. Just put a breakpoint on RtlDecompressBuffer.
@xorsthings
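As an added example (not code from this thread or any of its posters): once the buffer handed to RtlDecompressBuffer has been captured at that breakpoint, the same blob can be expanded statically without running the sample. This assumes the packer uses LZNT1, the classic RtlDecompressBuffer format (the thread does not name the format), and runs on a constructed test vector.

```python
# Added example, not from this thread. Assumes the packed payload uses LZNT1,
# the classic RtlDecompressBuffer format (the thread does not name the format).
def lznt1_decompress(data: bytes) -> bytes:
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        hdr = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        if hdr == 0:                       # zero header ends the stream
            break
        if (hdr >> 12) & 0x7 != 3:         # bits 12-14 must hold signature 3
            raise ValueError("bad LZNT1 chunk header at %d" % (pos - 2))
        size = (hdr & 0xFFF) + 1           # bits 0-11: chunk size minus one
        chunk, pos = data[pos:pos + size], pos + size
        if not hdr & 0x8000:               # bit 15 clear: chunk stored raw
            out += chunk
            continue
        chunk_start, i = len(out), 0
        while i < len(chunk):
            flags, i = chunk[i], i + 1     # one flag bit per token, LSB first
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1: # literal byte
                    out.append(chunk[i])
                    i += 1
                    continue
                if i + 2 > len(chunk):
                    raise ValueError("truncated phrase token")
                tok, i = int.from_bytes(chunk[i:i + 2], "little"), i + 2
                # Token split between displacement and length widens the
                # displacement field as more history accumulates in the chunk.
                lg, k = 0, len(out) - chunk_start - 1
                while k >= 0x10:
                    lg, k = lg + 1, k >> 1
                length = (tok & (0xFFF >> lg)) + 3
                back = (tok >> (12 - lg)) + 1
                if back > len(out) - chunk_start:
                    raise ValueError("back-reference before chunk start")
                for _ in range(length):    # byte-wise so overlapping copies work
                    out.append(out[-back])
    return bytes(out)

# Constructed vector: literals "ABC", a 9-byte copy from 3 back (overlapping),
# then a raw chunk holding "XY" and the zero terminator.
SAMPLE = bytes.fromhex("05b0 08 414243 0620" "0130 5859" "0000")

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE))       # b'ABCABCABCABCXY'
```

Feed it the bytes dumped from the CompressedBuffer argument at the breakpoint; a signature error usually means the dump started at the wrong offset or the format is not LZNT1.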

xors
Posts: 138
Joined: Mon May 23, 2016 2:01 am

Re: Malware collection

Post by xors » Sat Jul 02, 2016 11:59 am

https://malwr.com/analysis/Njk0OWRkMTRh ... JlYzI5MWE/

The email that is in your zip file has been used by Satana ransomware.
@xorsthings

heart888
Posts: 18
Joined: Tue Mar 01, 2016 11:04 pm

Re: Ransom/Satana

Post by heart888 » Wed Jul 06, 2016 4:38 am

xors wrote:Unpacked in the attachment (for those who don't have an account on malwr.com).

The unpacking process is easy. Just put a breakpoint on RtlDecompressBuffer.
Did an HBP on it, but mine crashed with this error msg:

Debugged application message: on_tls_callback3
Debugged application message: EntryPoint-4
40281A: The instruction at 0x40281A referenced memory at 0x0. The memory could not be read -> 0 (exc.code c0000005, tid 3168)

Any thoughts? TIA

ea56f45e66e2c
Posts: 2
Joined: Fri Apr 15, 2016 11:56 am
Location: France

Re: Ransom/Satana

Post by ea56f45e66e2c » Thu Jul 07, 2016 11:58 am

heart888 wrote:
xors wrote:Unpacked in the attachment (for those who don't have an account on malwr.com).

The unpacking process is easy. Just put a breakpoint on RtlDecompressBuffer.
Did an HBP on it, but mine crashed with this error msg:

Debugged application message: on_tls_callback3
Debugged application message: EntryPoint-4
40281A: The instruction at 0x40281A referenced memory at 0x0. The memory could not be read -> 0 (exc.code c0000005, tid 3168)

Any thoughts? TIA
There are some common anti-debug tricks; try using ScyllaHide or equivalent. Also you can refer to this: http://adelmas.com/blog/satana.php
Hope this helps.
