gandcrab | dbd1d824f0b61657f865147cdb5f829377824c7df7352daebe401c203ed561d6

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
Size

331KB
MD5

b5bcffb3e77c283795a030bdb0d4cec1
SHA1

a90c2a5cccfc9f374b5fc5a1ef25775586888a89
SHA256

dbd1d824f0b61657f865147cdb5f829377824c7df7352daebe401c203ed561d6
SHA512

9441608358bb31b055814e335a9e5245271f8f18b6b8266e8cef83daa470b240b78c0ec096494839a2154dbe0ad6c85c8432a646c5a38fb035131fbb428b9a99
SSDEEP

6144:gvNvAw7l4BZrN7CmAORaAsJ64O1DVVeBzBXPxeNp9qXmb:g9Awxs3puti1DVVeBne3Amb

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Signatures

GandCrab payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1756-3-0x00000000030E0000-0x00000000030F7000-memory.dmp	family_gandcrab
behavioral2/memory/1756-2-0x0000000000400000-0x000000000146F000-memory.dmp	family_gandcrab
behavioral2/memory/1756-8-0x0000000000400000-0x000000000042C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5060 1756 WerFault.exe b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe

pid	pid_target	process	target process
5060	1756	WerFault.exe	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe

Suspicious use of SetWindowsHookAW 64 IoCs

Processes:

b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe

pid	process
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
1756	b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5bcffb3e77c283795a030bdb0d4cec1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookAW
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 476
2⤵
- Program crash
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1756 -ip 1756
1⤵
PID:3760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1756-0-0x00000000015D0000-0x00000000015EB000-memory.dmp

Filesize
108KB

Download
memory/1756-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1756-3-0x00000000030E0000-0x00000000030F7000-memory.dmp

Filesize
92KB

Download
memory/1756-2-0x0000000000400000-0x000000000146F000-memory.dmp

Filesize
16.4MB

Download
memory/1756-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1756-7-0x00000000015D0000-0x00000000015EB000-memory.dmp

Filesize
108KB

Download