• caglararli@hotmail.com
  • 05386281520

Ransomware debugging Imports Scylla

Çağlar Arlı      -    53 Views

Ransomware debugging Imports Scylla

I can imagine this is a difficult question for you to answer without seeing the actual sample, but perhaps some of you have experience with this. I'm analysing a sample from Darkside using IDA Free and x32dbg and I have resolved the dynamically loaded imports (so in IDA I have found where LoadLibrary and GetProcAddress are called and in the debugger I executed those functions and retrieved the function names and addresses). However, when I want to recreate the IAT with Scylla, the dynamically loaded API functions are displayed as such. Does anyone know why this is or what I'm doing wrong? I would expect the function names to be displayed in the newly created IAT.

enter image description here