A forum for reverse engineering, OS internals and malware analysis 

 #28802  by xors
 Sat Jul 02, 2016 11:24 am
Unpacked in the attachment (for those who don't have an account on malwr.com)

The unpacking process is easy. Just put a breakpoint on RtlDecompressBuffer
Attachment (21.89 KiB), password: infected
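The breakpoint above lands on RtlDecompressBuffer(CompressionFormat, UncompressedBuffer, UncompressedBufferSize, CompressedBuffer, CompressedBufferSize, FinalUncompressedSize); if the debugger does not survive until the call returns, the CompressedBuffer/CompressedBufferSize pair can be dumped at the call and decoded offline. Added example, not code from the thread or from the sample: a minimal decoder for LZNT1 (COMPRESSION_FORMAT_LZNT1, value 2, the format this API has historically supported), run over a small constructed buffer that exercises a back-reference, an overlapping copy, a stored chunk and the end marker.

```python
import struct

# Constructed LZNT1 buffer (not from the sample): a compressed chunk decoding to
# "ABCABCABCABCDEEEEF", a stored chunk "RAW!", then the 0x0000 end marker.
SAMPLE_LZNT1 = bytes.fromhex(
    "0ab0"          # header: compressed | signature 3 | (size - 1) = 10
    "48414243"      # flags 0b01001000 (tokens 3 and 6 are copies); literals "ABC"
    "0620"          # token 0x2006: displacement 3, length 9 -> "ABCABCABC"
    "44450000"      # literals "DE"; token 0x0000: displacement 1, length 3 -> "EEE"
    "46"            # literal "F"
    "033052415721"  # header: stored chunk of 4 bytes; "RAW!"
    "0000")         # end-of-buffer marker

def lznt1_decompress(data: bytes) -> bytes:
    """Decode LZNT1 as RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1, ...) would."""
    out, i = bytearray(), 0
    while i + 2 <= len(data):
        header, = struct.unpack_from("<H", data, i); i += 2
        if header == 0:                       # a zero header ends the buffer
            break
        if (header >> 12) & 7 != 3:
            raise ValueError(f"bad chunk signature at offset {i - 2:#x}")
        chunk_end = i + (header & 0xFFF) + 1
        if chunk_end > len(data):
            raise ValueError("chunk runs past end of buffer")
        if not header & 0x8000:               # stored chunk: copy verbatim
            out += data[i:chunk_end]; i = chunk_end; continue
        chunk_base = len(out)                 # displacements never cross a chunk boundary
        while i < chunk_end:
            flags, i = data[i], i + 1
            for bit in range(8):
                if i >= chunk_end:
                    break
                if not flags & (1 << bit):    # flag bit clear: literal byte
                    out.append(data[i]); i += 1
                    continue
                if i + 2 > chunk_end:
                    raise ValueError("truncated copy token")
                token, = struct.unpack_from("<H", data, i); i += 2
                # Token = displacement (high bits) | length (low bits); the split moves as the
                # chunk fills: 4 displacement bits for the first 16 bytes, 5 for the next 16, ...
                pos, len_mask, disp_shift = len(out) - chunk_base, 0xFFF, 12
                while pos >= 0x10:
                    pos, len_mask, disp_shift = pos >> 1, len_mask >> 1, disp_shift - 1
                length, disp = (token & len_mask) + 3, (token >> disp_shift) + 1
                if disp > len(out) - chunk_base:
                    raise ValueError("back-reference points before chunk start")
                for _ in range(length):           # byte-wise so overlapping copies repeat
                    out.append(out[-disp])
    return bytes(out)
```

Feed it the raw bytes dumped from CompressedBuffer (CompressedBufferSize bytes) and the result is what the sample would have received in UncompressedBuffer.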
 #28818  by heart888
 Wed Jul 06, 2016 4:38 am
xors wrote: Unpacked in the attachment (for those who don't have an account on malwr.com)

The unpacking process is easy. Just put a breakpoint on RtlDecompressBuffer
Did an hbp on it, but mine crashed with this error msg:

Debugged application message: on_tls_callback3
Debugged application message: EntryPoint-4
40281A: The instruction at 0x40281A referenced memory at 0x0. The memory could not be read -> 0 (exc.code c0000005, tid 3168)

Any thoughts? TIA
 #28827  by ea56f45e66e2c
 Thu Jul 07, 2016 11:58 am
heart888 wrote:
xors wrote: Unpacked in the attachment (for those who don't have an account on malwr.com)

The unpacking process is easy. Just put a breakpoint on RtlDecompressBuffer
Did an hbp on it, but mine crashed with this error msg:

Debugged application message: on_tls_callback3
Debugged application message: EntryPoint-4
40281A: The instruction at 0x40281A referenced memory at 0x0. The memory could not be read -> 0 (exc.code c0000005, tid 3168)

Any thoughts? TIA
There are some common anti-debug tricks; try using ScyllaHide or an equivalent. Also, you can refer to this: http://adelmas.com/blog/satana.php
Hope this helps.