LIFARS Case Study
Executive Summary
In this case study, we describe malware analysis and unpacking of a newly emerged ransomware Egregor. It is an extremely targeted ransomware that tries to extort big companies. The sample that we analyzed was obtained by our colleagues during an incident response at our client’s organization.
During the analysis, we reverse engineered and debugged the sample. Thus, we managed to overcome two loaders and fully unpack the payload. The initial sample consisted of one DLL (named clang.dll) which executed itself in three stages. The DLL loaded a second DLL, which loaded a third DLL containing the actual payload.
One of our key findings is that the execution of the initial malicious DLL had to be invoked with a specific parameter, otherwise the payload was not unpacked. To clarify, this secret parameter started with –p and it served as a password to correctly decrypt the payload and the attacker had to type it in the command line to detonate the ransomware.