Malware Analysis Report: Clop Ransomware — 1
Executive Summary
SHA256 hash: 3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207
MD5 hash: 8752a7a052ba75239b86b0da1d483dd7
What is CLOP Ransomware?
⮚ CLOP is a CryptoMix-family ransomware: file-encrypting malware that encrypts files and appends the “.clop” extension to them.
⮚ CLOP ransomware can infect a system in various ways, such as spam email attachments, cracked software, or connections over unprotected protocols.
⮚ CLOP ransomware uses the AES and RC4 algorithms to encrypt files.
Technical Analysis:
⮚ I put the sample in PEStudio; it shows 61 threat-intel indicators that mark it as a malicious file, and it shows that the first bytes are the text “MZ”, which means it is an executable file.
⮚ In the VirusTotal section it shows CLOP ransomware.
⮚ Moving further, in the libraries section there are two libraries, crypt32.dll and MPR.dll, flagged red; they are used by this malware for its malicious activities.
(Note: crypt32.dll is an essential component of the Windows operating system. It is responsible for handling cryptographic operations such as certificate validation, encryption, and decryption.)
(Note: Mpr.dll is an essential component of the Windows operating system. It plays a crucial role in managing network connections and providing support for various network protocols.)
⮚ In the strings section I found that it has several capabilities, such as creating processes, terminating processes, making registry changes, etc.
⮚ In particular, it uses the CryptEncrypt function for encryption.
⮚ For further analysis I used the CAPA tool, which can automatically identify malware capabilities. The results are below.
⮚ There are several capabilities I found using this amazing tool, such as encoding data using XOR, deleting files, and terminating processes.
⮚ It’s time to run the malware and check its behaviour.
⮚ After running, it started creating a list of Python files and also encrypted files with the .clop extension.
⮚ It tried to communicate with other hosts connected to the network; in this case I had created an Ubuntu VM on the same network.
⮚ Ransom note of CLOP ransomware.
⮚ On VirusTotal, 62 vendors say this is the highly malicious Clop ransomware family.
⮚ There are some MITRE ATT&CK framework techniques used by this ransomware.
⮚ Files dropped by this ransomware.
Indicators of Compromise:
SHA-256: 3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207
Path: 3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207.exe
SHA-256: aac8acc8bec65b11c33ecca576b54896d5da3bdaa72615efac957195b00ec8d9
Path: C:\LMefEYBV\CAPE\2124_426195016431820272021
SHA-256: aef6327c2789656de5029059cdb04651a20afcf8e78d303f3226ed92afe7cec4
Path: C:\LMefEYBV\CAPE\2216_391242516431820272021
SHA-256: 84a80052894e226d7bd3c4431fa6eb71343fde549b5c520a0cf4cc30ed92ad49
Path: C:\LMefEYBV\CAPE\592_356290016431820272021
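As an added example (not part of the original report), the following Python script turns the report's findings into a defensive check: it walks a directory tree, hashes every file with SHA-256 and compares it against the IoC list above, flags any file carrying the “.clop” extension the report says is appended to encrypted files, and runs a quick static triage for the “MZ” magic and the crypt32.dll / MPR.dll / CryptEncrypt strings the PEStudio analysis flagged. The sample files it scans are constructed in a temporary directory and are not malware; the fake “MZ” file is just bytes arranged to exercise the checks, and its hash is passed in as an extra IoC only so the match path can be demonstrated offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values copied from the report's Indicators of Compromise list.
CLOP_IOC_SHA256 = {
    "3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207",
    "aac8acc8bec65b11c33ecca576b54896d5da3bdaa72615efac957195b00ec8d9",
    "aef6327c2789656de5029059cdb04651a20afcf8e78d303f3226ed92afe7cec4",
    "84a80052894e226d7bd3c4431fa6eb71343fde549b5c520a0cf4cc30ed92ad49",
}

# Extension the report says the ransomware appends to encrypted files.
CLOP_EXTENSION = ".clop"

# Import names and API strings the report's static analysis flagged.
SUSPICIOUS_STRINGS = (b"crypt32.dll", b"MPR.dll", b"CryptEncrypt")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def quick_static_triage(path):
    """Check for the 'MZ' magic and (case-insensitively) the strings the report associates with the sample."""
    data = Path(path).read_bytes()
    lowered = data.lower()
    found = [s.decode() for s in SUSPICIOUS_STRINGS if s.lower() in lowered]
    return {"is_mz": data[:2] == b"MZ", "strings": found}


def scan_directory(root, ioc_hashes=CLOP_IOC_SHA256, extra_hashes=()):
    """Walk `root`; report files whose SHA-256 matches an IoC and files carrying the .clop extension."""
    known = set(ioc_hashes) | set(extra_hashes)
    hash_hits, clop_files = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() == CLOP_EXTENSION:
                clop_files.append(str(p))
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if digest in known:
                hash_hits.append((str(p), digest))
    return {"hash_hits": sorted(hash_hits), "clop_files": sorted(clop_files)}


def build_demo_tree():
    """Constructed sample tree (not real malware): a benign file, an encrypted-looking
    file with the .clop extension, and a fake 'MZ' file carrying the flagged strings."""
    root = Path(tempfile.mkdtemp(prefix="clop_ioc_demo_"))
    (root / "notes.txt").write_bytes(b"ordinary document\n")
    (root / "budget.xlsx.clop").write_bytes(b"\x00\x13\x37opaque ciphertext")
    fake = root / "suspect.bin"
    fake.write_bytes(b"MZ" + b"\x00" * 62 + b"crypt32.dll\x00MPR.dll\x00CryptEncrypt\x00")
    return root


def demo():
    """Scan the constructed tree, treating the fake file's own hash as an extra IoC."""
    root = build_demo_tree()
    fake_hash = sha256_of_file(root / "suspect.bin")
    result = scan_directory(root, extra_hashes=[fake_hash])
    result["triage"] = quick_static_triage(root / "suspect.bin")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In real use, point scan_directory at a suspect volume with only the report's hashes; a hit on any of the four SHA-256 values or a growing number of “.clop” files is the signal to isolate the host, which matches the lateral-movement attempt the report observed toward the Ubuntu VM on the same network. The string check is a triage aid only: legitimate Windows programs also import crypt32.dll, so it should prompt a closer look, not a verdict on its own.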