The goal of this paper is to provide a deep analysis of the DearCry ransomware and to demonstrate some techniques of malware analysis, especially the reverse engineering of a malicious sample, for educational purposes.
The DearCry ransomware has been used in current attacks related to the exploitation of Microsoft Exchange Servers. Compared with other ransomware, DearCry stands out in terms of its complexity: it is very simple malware and can be reverse-engineered in a couple of minutes, as we demonstrate in this paper. The main objective of this document is to provide not only an analysis of the DearCry ransomware but also educational tips and tricks that could be useful to the cybersecurity community and to students of computer science.
Static analysis is usually the initial stage of malware analysis. Commonly, the samples are scanned with antivirus software and IoC scanners. This phase also includes the analysis of sample metadata, embedded strings, resources, imports and exports (in the case of Portable Executable files, .EXE), and the presence of macros and auto-open or auto-close actions (in the case of Office documents).
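As an added illustration of this stage (example code written for this paper's readers, not part of the original analysis and not derived from the DearCry sample), the following Python script performs a first static pass over a PE file: it hashes the file for IoC matching, walks the PE headers to report the machine type, compile timestamp and section table, resolves the import directory to DLL and function names, and extracts printable strings. The parser is hand-written on top of `struct`, so no third-party library is needed. The input is a tiny PE32 image constructed inline (headers plus one `.rdata` section carrying an import of `CreateFileW` from `KERNEL32.dll` and a planted marker string); that image is an assumption of the example, not data from any real sample.

```python
import hashlib
import re
import struct

# Constructed sample: a minimal PE32 image built inline (not executable code, just
# headers plus one .rdata section holding an import directory for KERNEL32.dll and
# a planted ASCII string). It exists only so the triage below can run offline.
def build_sample_pe() -> bytes:
    rdata_rva, rdata_raw, rdata_size = 0x1000, 0x200, 0x200
    desc_off, name_off, thunk_off, hint_off, str_off = 0x00, 0x28, 0x40, 0x50, 0x60
    sect = bytearray(rdata_size)
    # IMAGE_IMPORT_DESCRIPTOR (OriginalFirstThunk, TimeDateStamp, ForwarderChain,
    # Name, FirstThunk); the all-zero descriptor after it terminates the list.
    struct.pack_into("<5I", sect, desc_off, rdata_rva + thunk_off, 0, 0,
                     rdata_rva + name_off, rdata_rva + thunk_off)
    sect[name_off:name_off + 13] = b"KERNEL32.dll\0"
    struct.pack_into("<2I", sect, thunk_off, rdata_rva + hint_off, 0)  # one thunk + terminator
    sect[hint_off:hint_off + 14] = b"\0\0CreateFileW\0"                # 2-byte hint, then name
    sect[str_off:str_off + 24] = b"planted-marker-string-01"           # constructed string
    opt = bytearray(0xE0)                                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                               # Magic = PE32
    struct.pack_into("<I", opt, 16, rdata_rva)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                           # ImageBase
    struct.pack_into("<2I", opt, 96 + 8, rdata_rva + desc_off, 40)      # DataDirectory[1] = imports
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x60000000, 0, 0, len(opt), 0x0102)
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", rdata_size, rdata_rva,
                           rdata_size, rdata_raw, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew -> "PE\0\0"
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect_hdr
    return headers.ljust(rdata_raw, b"\0") + bytes(sect)

def read_cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def rva_to_offset(rva: int, sections: list) -> int:
    # Map a relative virtual address to a file offset via the section table.
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["raw"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    pe32plus = struct.unpack_from("<H", data, opt_off)[0] == 0x20B
    dd_off = opt_off + (112 if pe32plus else 96)                 # DataDirectory start
    import_rva = struct.unpack_from("<I", data, dd_off + 8)[0]   # entry 1 = import table
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, raw = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw": raw, "rawsize": rawsize})
    imports = {}
    if import_rva:
        off = rva_to_offset(import_rva, sections)
        fmt, step, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
        while True:
            oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
            if name_rva == 0 and ft == 0:
                break
            names, t_off = [], rva_to_offset(oft or ft, sections)
            while (entry := struct.unpack_from(fmt, data, t_off)[0]) != 0:
                names.append(f"ordinal#{entry & 0xFFFF}" if entry & ord_flag
                             else read_cstring(data, rva_to_offset(entry, sections) + 2))
                t_off += step
            imports[read_cstring(data, rva_to_offset(name_rva, sections))] = names
            off += 20
    return {"machine": machine, "timestamp": ts, "characteristics": chars,
            "pe32plus": pe32plus, "sections": sections, "imports": imports}

def extract_strings(data: bytes, min_len: int = 6) -> list:
    # Runs of printable ASCII, the classic "strings" pass of a static triage.
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    info = parse_pe(data)
    info["size"] = len(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()   # value to match against IoC lists
    info["strings"] = extract_strings(data)
    return info

if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it against a file on disk, pass `open(path, "rb").read()` to `triage()` instead of the constructed image. The RVA lookup deliberately raises on an address that no section backs, so a truncated or tampered header is reported instead of being read as garbage; a sample whose import table resolves to almost nothing is itself a finding worth noting before moving on to dynamic analysis.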
In this paper, we analyze a DearCry ransomware sample (often also classified as DoejoCrypt) obtained from Malware Bazaar. It is a Portable Executable file approximately 1.2 MB in size, which makes it a relatively large malware sample.