gandcrab | 3d6b4312947a3a0f76abd8981c5452dfd26aadaa109d3e200d987f8e903d5ab0

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
Size

208KB
MD5

b28e0a994aec0fed8a429852f5f96b69
SHA1

ae83fb72418e9ab22722b9ece02f93860b4ffc6c
SHA256

3d6b4312947a3a0f76abd8981c5452dfd26aadaa109d3e200d987f8e903d5ab0
SHA512

a9031899f7cea9153e9fa3442bfbfd001cd157347828ebcc0dace421f4571464bffac582522b3aecc0297925ec01d6ee4f208cf679ae5987a584ac583db9ac2f
SSDEEP

3072:DtUPpLY+c7SbgeD6gvxz+EWVAJ0mFoO6SS13P8M4yk1pE1c2i0iB:EW+c2kUPvFoOW30FpEjPiB

Score

10^/10

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3169499791-3545231813-3156325206-1000\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/5d81df479fa4965 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAA1ZqXjNIfcoZ1sAq5Ju6NspkOh2+agbBE5LPdljLgJ+rcp9lnVVpWWUycl/625M03oXWoSJw5jcQxF5Nf6iUK7eAokIcwKyFGSud5OEEMee34DV6E9d0/Tg/4DOEl8EucpMVWKoy+WF3nlfqEHnxmwZm/NKGpm0F3FBLQQ28xOeXfdPcl8BdZ3XaYvK/jOUHT8I+hfb8IiSWES1ope6g5jY63J0rO+Ey9C+Epz60xkMCEn/88qcxAZt5H8MIBwwhFMmSpj/hnc3kD59bn6ZT3pM4tFqZTCvC/xrls0UfMMq0FQt+XzfNGA0ok72FvnsxEogGTcLAqpYQrTFpIq0ZkWFMNAebN3C9oxb6v7OpVpXzznKTdjUvbyLQJTkeLzEiA/wUaDe6GiT0DiI3FO692qa0TkP+7mNhKjoR2DA9fBJ+oIBhPTIZ3eyIkK7wAyuP1jb+kcygk8rQS9ycE+YvAA/GikMVOR/sQfBerSfrVs6auFDprYNKIN8SrbaPZsBB/B8ksRq6cFHep6AW2Pc5dbCSbJvvJqz+GBoxVZQMJdgni1/hrLcpOmeRqrsAGjF7ELPr/RT79sDf+IsdMv/nRVLS/NFBrC35UD8WtYGJR9BDyu9D+QL7KHeUNWtL/+s59hTTLWFSm+BfIP7JfYhOphCocBKdAXTzQYAEa6VGngNUa6WN2c9NQk/O+AFSOxDPsJJlQjHT9aABxXQ/gTfTACkN9fx+AWrIDJ4jDlLGGtImNfwjGQc1SIWXzR2rDqkApXb7ug0EP7lnky7qhWE6RNbEcrgLqJSviwcKVOUw/3nCC/MFxGWhR+AOxaRTsgkSTbq8JYbb9TyCo9r70a1cmxyEmAL/pR2ro3+L1vPyVjcSCUNmqRxnYlaSGrdB81cVf1iaiTxlB+OV+KPxNP+W9RLAf+u5++P/pnv1y0ix6Wr0sJZ1YeYDg5SYmY2aDhfOcp1SYIOsA0/W45CWt9hRj+Co+1RQHp6iYF8B1k0CiH24Qob90w5Lyi5GEygkckVA2AXBHBkAo93xG+VoYYNahlWuYelPuDYKlx35wK2WbBk4B5ipPLsCJPue1TvLemQJNqLeBpMY9JEu0IP4pLG3t3VcbX45NmoaqBj3+uMA3GkElBBkfZzmizBNkKYlO0vL4XMgweo+Mg0F2GpOUTGyH/4zRRDOhDUFnq8z8qboboAMBQLMeRrCNNEpuGrNCCtYxqbJ5qghwdL4ytktFkNDyjFLEf7G1xCJEDrys+letWAF3rB3564bGEPAkyC7IUXrKtVm0kOX6y3JdiJxw8T4sVtpg3FcMwBdZkGCRRELhgUe6bPpaKiq7Xiax8DIAglq/YF9n+1QDlATFCAjA299UGfPip5HO9Dw5hByNNq2zKHvXrCITeTKTMUFEzCnVwANk7nkA7GbP0rG+2er6PRqCn0/ZaIGz+70FDzjMUqypDaOZxyf1GoQjDKUgfaClCf7X5PJF+uerRxIAAbT3k2Kv6Ezjs9VapaAe9elHlNktHYUYaEX/GsK3oKCSSLT8WC7R8cAJIaUS+p968opQi1RQzZGzNw0O1KLm5ahsT2KAQVdRIz5Rnm4qAE3KK24vOSQjy8Q5S+2oM41ciNUJQ+tTL4c+P7cCb7tNvC0IMVZgVFck8rfArD9cCtCVzJNf+PH64WZBEKGruj2no1MWBw+VnkC2B3s4Usq3cMCmqC15tCEQeRKh8yGDLnjiAgszcg1JCxjBeQm2krRITQ2VIDLv8jExAQacdGdBSeeZ2v57WIzU/5xbsqUUdUq8e9nM2xbzTlgT5Dy0RKxNOesiP5OI6SsqPCAn9ILQZDVKtFmaobsfKBNiHbCfpQLVMoWY2GDBG+O4JVrM1c3u4s0zEv424CaBdgRdQAZwFLAAyvCLHs+6A9prOxwHsStk63lajnH5BsQrKD84Fod622QlPKiunpcPgoWXmWWQFMq26angfPPU2Dv0FjE24IqmnxNU3CR+WOsZo/kGMRx43xJn87QRzyrurO+OgA3F2JRmd8PZ/sSqae+jYQWfZPEmYk+6eoGIRPTTng+x/KjNWpgySiTT+qyYUM3bF6ndbDnwPJF+6jFQJBzUs+WQhpdPsP8FYFTL7RUNeFMyBNhiIFu/FKLvEAmomi3Ft7pm4IW6aa9jVhO6cxTnuge0ctqYNbjtdSzz0nyrLywExow9o/KFVCkvqXH7Prw2GU2OgRmvJ8Cssrief3SMY4qX6tRy1/CMaBvSjcapA= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZHTpxRqHYX7nVWvbfeTGiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB5eLw/242EOtyGo1YaFqEBi7t+xGHEd0bqCcU4ty4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFqwNcoBxPInKc+DO5cALafi2Eyg61rLg32xAxKww72ZinpCBFM3vDLNuav1wUZM3QWRkmKCjnb1ifgDX9lmT3f7CydQUtnnLIqlsiw73IGVY3pfjf3fBwceMB8P3BNg39XQ3DC2aZBEuHtLEi+BdBMOZH4HpsOeb/YRZoP4YksV8zuv7OczMv9OXYAh9gzrewdRb9tHf+DbmDW4OIcXpReLdQo9FRha1KO2vpgy2mFLQkzlAtXfjb5QmECiQ== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/5d81df479fa4965

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (262) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9fa4e889fa4965718.lock	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\X:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\Y:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\M:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\O:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\T:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\L:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\S:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\Z:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\B:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\J:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\K:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\R:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\U:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\W:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\H:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\P:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\Q:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\I:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\N:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\V:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\A:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\E:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened (read-only)	\??\G:	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

Drops file in Program Files directory 16 IoCs

Processes:

b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\9fa4e889fa4965718.lock	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\ClearOptimize.ttc	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\InstallShow.wmf	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\PublishRestart.wm	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\StepConvertTo.i64	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File created	C:\Program Files\KRAB-DECRYPT.txt	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File created	C:\Program Files\9fa4e889fa4965718.lock	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File created	C:\Program Files (x86)\KRAB-DECRYPT.txt	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\DenyConfirm.vdx	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\GetInitialize.xla	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\ResumeConnect.TS	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\RevokeConvert.nfo	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\CompressCopy.vst	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\ReadBackup.ods	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\RestartEnter.mp3	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
File opened for modification	C:\Program Files\ResumeSwitch.docx	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

pid	process
4620	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
4620	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
4620	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
4620	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	608	wmic.exe
Token: SeSecurityPrivilege	608	wmic.exe
Token: SeTakeOwnershipPrivilege	608	wmic.exe
Token: SeLoadDriverPrivilege	608	wmic.exe
Token: SeSystemProfilePrivilege	608	wmic.exe
Token: SeSystemtimePrivilege	608	wmic.exe
Token: SeProfSingleProcessPrivilege	608	wmic.exe
Token: SeIncBasePriorityPrivilege	608	wmic.exe
Token: SeCreatePagefilePrivilege	608	wmic.exe
Token: SeBackupPrivilege	608	wmic.exe
Token: SeRestorePrivilege	608	wmic.exe
Token: SeShutdownPrivilege	608	wmic.exe
Token: SeDebugPrivilege	608	wmic.exe
Token: SeSystemEnvironmentPrivilege	608	wmic.exe
Token: SeRemoteShutdownPrivilege	608	wmic.exe
Token: SeUndockPrivilege	608	wmic.exe
Token: SeManageVolumePrivilege	608	wmic.exe
Token: 33	608	wmic.exe
Token: 34	608	wmic.exe
Token: 35	608	wmic.exe
Token: 36	608	wmic.exe
Token: SeIncreaseQuotaPrivilege	608	wmic.exe
Token: SeSecurityPrivilege	608	wmic.exe
Token: SeTakeOwnershipPrivilege	608	wmic.exe
Token: SeLoadDriverPrivilege	608	wmic.exe
Token: SeSystemProfilePrivilege	608	wmic.exe
Token: SeSystemtimePrivilege	608	wmic.exe
Token: SeProfSingleProcessPrivilege	608	wmic.exe
Token: SeIncBasePriorityPrivilege	608	wmic.exe
Token: SeCreatePagefilePrivilege	608	wmic.exe
Token: SeBackupPrivilege	608	wmic.exe
Token: SeRestorePrivilege	608	wmic.exe
Token: SeShutdownPrivilege	608	wmic.exe
Token: SeDebugPrivilege	608	wmic.exe
Token: SeSystemEnvironmentPrivilege	608	wmic.exe
Token: SeRemoteShutdownPrivilege	608	wmic.exe
Token: SeUndockPrivilege	608	wmic.exe
Token: SeManageVolumePrivilege	608	wmic.exe
Token: 33	608	wmic.exe
Token: 34	608	wmic.exe
Token: 35	608	wmic.exe
Token: 36	608	wmic.exe
Token: SeBackupPrivilege	4848	vssvc.exe
Token: SeRestorePrivilege	4848	vssvc.exe
Token: SeAuditPrivilege	4848	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe

description	pid	process	target process
PID 4620 wrote to memory of 608	4620	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe	wmic.exe
PID 4620 wrote to memory of 608	4620	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe	wmic.exe
PID 4620 wrote to memory of 608	4620	b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe	wmic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\S-1-5-21-3169499791-3545231813-3156325206-1000\KRAB-DECRYPT.txt
Filesize
8KB

MD5
7994d7fa9fb7e3612d9f2d8e3e85cb37

SHA1
84d95777e4a921ff582bbb9bb7db850546212e50

SHA256
38529596980b0ce3d1237984cfe1bafff9b104d138bb2d169232c62e6250c8fe

SHA512
c8a051eca4f6c967c1471466332b02a8afaf99422b97a632118220f8107df92acf6d8162efea5ee22e0345c2aedbad3ab0a6a0516ef1a28d69a46bb6c12d66f4

Download Submit
memory/4620-1-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/4620-2-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4620-690-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4620-691-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4620-692-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/4620-693-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download