Unpacking of Egregor Ransomware – Malware Analysis

Executive Summary

In this case study, we describe malware analysis and unpacking of a newly emerged ransomware Egregor. It is an extremely targeted ransomware that tries to extort big companies. The sample that we analyzed was obtained by our colleagues during an incident response at our client’s organization.

Unpacking of Egregor Ransomware - Malware Analysis

During the analysis, we reverse engineered and debugged the sample. Thus, we managed to overcome two loaders and fully unpack the payload. The initial sample consisted of one DLL (named clang.dll) which executed itself in three stages. The DLL loaded a second DLL, which loaded a third DLL containing the actual payload.

One of our key findings is that the execution of the initial malicious DLL had to be invoked with a specific parameter, otherwise the payload was not unpacked. To clarify, this secret parameter started with –p and it served as a password to correctly decrypt the payload and the attacker had to type it in the command line to detonate the ransomware.

Introduction

We used Hiew, capa, and IDA for static analysis and reverse engineering, x32dbg for debugging and we ran the malware in a sandbox and examined it with Process Hacker.

We structured this case study in the following way:

1. The First Reflective DLL Loader

  • Hiew and capa Analysis
  • IDA Analysis
  • x32dbg Analysis

2. The Second Reflective DLL Loader

  • Hiew and capa Analysis
  • IDA Analysis (and the –p parameter)
  • x32dbg Analysis

3. Payload

  • Hiew and capa Analysis
  • Highlights from IDA Analysis
  • Dynamic Analysis
  • OSINT

Initially, in sections 1. and 2. we describe reverse engineering of the two nested Reflective DLL Loaders and our subsequent debugging which resulted in obtaining an unpacked payload from the memory. After that, in section 3. we write about basic traits of ransomware payload.

Stage 1: clang.dll (1st Reflective DLL Loader)

Hiew and capa analysis

Firstly, we ran a tool called capa against clang.dll. capa has a collection of rules created by the cybersecurity community through which it can detect potentially malicious capabilities of an executable file and assign MITRE ATT&CK techniques to them.

Download the Unpacking of Egregor Ransomware Case Study to learn more.