A colleague and I reverse-engineered the Clop ransomware binary (with SHA256 hash value 2f29950640d024779134334cad79e2013871afa08c7be94356694db12ee437e2), and observed that it contained two obfuscated resources:
- SIXSIX
- SIXSIX1
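Before touching the decompiler output, the first thing a practitioner wants is the raw bytes of those two resources so that a deobfuscator can be checked against them. The following is an added example written for this write-up, not the author's deobfuscator and not Clop's code: a dependency-free walk of the PE resource tree that returns every leaf keyed by `type/name/language`. The post does not give the resource type the sample uses or the payload bytes, so the fixture here is a constructed minimal PE32 that files `SIXSIX` and `SIXSIX1` under RT_RCDATA (type 10, language 0x409) with placeholder contents; the parser itself is generic and will walk a real `.rsrc` section whatever the type.

```python
import struct

RSRC_DIR_INDEX = 2  # IMAGE_DIRECTORY_ENTRY_RESOURCE slot in the optional header's DataDirectory


def parse_pe_resources(pe: bytes) -> dict:
    """Walk the PE resource tree and return {"type/name/lang": data} for every leaf.

    Named entries are decoded from IMAGE_RESOURCE_DIR_STRING_U; numeric IDs are
    rendered in decimal. Handles both PE32 and PE32+ optional headers.
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dir = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+ layout
    rsrc_rva = struct.unpack_from("<I", pe, data_dir + 8 * RSRC_DIR_INDEX)[0]

    # Section table entries: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def rva_to_off(rva):
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} maps to no section")

    base = rva_to_off(rsrc_rva)
    leaves = {}

    def entry_name(field):
        # High bit set: low 31 bits are the offset (from the start of .rsrc) of a UTF-16LE name
        if field & 0x80000000:
            soff = base + (field & 0x7FFFFFFF)
            nchars = struct.unpack_from("<H", pe, soff)[0]
            return pe[soff + 2:soff + 2 + 2 * nchars].decode("utf-16-le")
        return str(field)

    def walk(dir_off, path):
        n_named, n_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
        for i in range(n_named + n_id):
            field, ptr = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
            p = path + (entry_name(field),)
            if ptr & 0x80000000:  # subdirectory, offset relative to .rsrc
                walk(ptr & 0x7FFFFFFF, p)
            else:  # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData is an RVA, not a .rsrc-relative offset
                data_rva, size = struct.unpack_from("<II", pe, base + ptr)
                doff = rva_to_off(data_rva)
                leaves["/".join(p)] = pe[doff:doff + size]

    walk(0, ())
    return leaves


def build_sample_pe(resources: dict) -> bytes:
    """Constructed fixture (not a real sample): a minimal PE32 with one .rsrc section whose
    tree is RT_RCDATA (10) -> named entry -> language 0x409 -> data."""
    names = list(resources)
    n = len(names)
    rva = 0x2000
    l2 = 24                 # type directory (16) + its single entry (8)
    l3 = l2 + 16 + 8 * n    # name directory + n entries
    de = l3 + 24 * n        # n language directories of 16 + 8 bytes
    strs = de + 16 * n      # n data entries of 16 bytes each
    str_blob, str_off = b"", []
    for nm in names:
        str_off.append(strs + len(str_blob))
        str_blob += struct.pack("<H", len(nm)) + nm.encode("utf-16-le")
    data_start = strs + len(str_blob)

    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 10, 0x80000000 | l2)
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, n, 0)
    for i in range(n):
        rsrc += struct.pack("<II", 0x80000000 | str_off[i], 0x80000000 | (l3 + 24 * i))
    for i in range(n):
        rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, de + 16 * i)
    data_blob = b""
    for nm in names:
        rsrc += struct.pack("<IIII", rva + data_start + len(data_blob), len(resources[nm]), 0, 0)
        data_blob += resources[nm]
    rsrc += str_blob + data_blob

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * RSRC_DIR_INDEX, rva, len(rsrc))
    sec = b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(rsrc), rva, len(rsrc), 0x200) + b"\0" * 16
    return (dos + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0") + rsrc


if __name__ == "__main__":
    # Placeholder payloads: the real resources are obfuscated and are not reproduced here.
    sample = build_sample_pe({"SIXSIX": b"placeholder README", "SIXSIX1": b"placeholder batch script"})
    for path, blob in parse_pe_resources(sample).items():
        print(f"{path}: {len(blob)} bytes")
```

On a real sample, `parse_pe_resources(open(path, "rb").read())` gives the still-obfuscated blobs; the two keys ending in `SIXSIX` and `SIXSIX1` are the inputs a deobfuscator has to turn into the README and the shadow-copy-deleting batch script. The one gotcha worth remembering from the walk is that directory and name offsets are relative to the start of `.rsrc`, while the data entry's `OffsetToData` is an RVA, so it must go through the section table.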
One of them is just the README file that the malware drops all over the disk, so nothing too exciting, but the other is a batch script that deletes the volume shadow copies. Granted, you could just debug it and get it to drop these files, but as a personal challenge I decided to write a deobfuscator based on my analysis of the decompiled code (I looked at it in both Ghidra and IDA Pro, the latter of which was much more helpful in this case). After I spent a bit of time labeling each variable and function, this is the relevant decompiled section of code: