gandcrab

Sharing

Copy URL

Twitter E-mail

General

Target

b49cd0398cbc0e6cdfbab13cf0e53773_JaffaCakes118
Size

2.2MB
Sample

240616-xal1eascqe
MD5

b49cd0398cbc0e6cdfbab13cf0e53773
SHA1

565694a2ceb2ebbe0a49981c11adeb5cde244e76
SHA256

6e04fdd174b6d18769751acb97564e41b131ec95e00e9d92152f52969113b547
SHA512

32015420e4cb24c1d59de76e05fb8885069a8ef69dc7ab5bf60def9de503e7b6a7c78771b83b620eeb32b07e9173d10c267a237db62c55d19536761589528349
SSDEEP

49152:Es9J0weFq3/+GSoZxNqPaNQN64vjLFn1XA2mk/U:EkRHdZOPaNQnvjLF1P8

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\QPBFKOTVD-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .QPBFKOTVD The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/c0c6836d2fa03ac1 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAKH8QsFZkAVOdx0PLxbuhx2glaHJs4HcI72/0PznhyJhzjkGw9bPjMkeIWMe0d9g5bKODkjVtN6SLiR6suKq00N4+91MbXA2/rEQ9GofJi6vBIWAWyLjG2h2jRGbzQfY17VnvDD6LOQZei1fT394W9vmYm5nNTXtT9vH+co3jyyJo+QSIHwkUrqP5QAhekOJFopRDJf55Uz8B5JTfpKx0+36iCcks3P+oHNo5gERcWH/HvkGkppSeZlygYfPJiyAGwsXcMxMeg+7WTixiYFqMN9oZ2vsFsHUBG1i1gkBVYHk4XZS1Xfla+p1/MO3kB5Hjz+kClBkM4vNiOSLcWGqA1U0ENWiUvP5w3v9MipqKHUVKO6RRe1aJIgL5OddXj8CfiI0Arpkir6onTCfJ9WBD3/GnuRINy4oa+Rt4M3CCId6akKpO/Q9Off8imCYatub6aZ1Yn/B3/KGyH4Fn1nFgV7rvfm770cs4tNlgmntDnScOzzvGV5YrOMxjus3dtUUXAvSfTzFFEx6arz7pJzKioR4V8C5FhR4j+HV54G00xXvbFWqEg2bo0+PvUD0TWGjJE80ZZ8PplTskmxjJ7gre+q8xpOwTBqjNwmV0xuIl9YSXpE+VNpgHhqRFU6cz/jb/Iplxi9S/xen1+PfsU/bs1udx4n2cr2uXerLMnSBUZeXbHJqAAOCleSxfzBvhVUXFbSOpkOoGE7k3c7+La5MKnP6uljeqpUlYrs44Dz1gbj/x3ZFkelW7GfeDyBq7ktKUpi4LWGT+cxparec2kbhHM1UaDnv6tvp2JMoIvKFGyBnnO7hvxhM1L0kT5+oE5O/76XB/OtRW5a8aa323UMdVHZlaJ/U9NQOr4VB+WcGH9iYZUe5k01uoa2hJ3/FxDLDbBfcv/ZtSxI/oNssQkWIyUsMGGSyI2huPwubT4alpo7/MX/m+VhDCBhhR9BzwQwnHIYusyCWB315PvyAhFJwXgfuzUie5L1MyV6EE8yju65PwSSf3LPShLpf9QYxbh8GYvzRgQDTdiGsdRMJT1cGxPJKOrQUDsK+XMLraCPIF7rnArcyMYkud8EA8rc3gxMZPJRhDkDlDy+fClJZ2u778XaOWU6kJrwYQLe3aNITC3qiPUmGYUrR5UAJfaNSMcXJder7gGtXIbdjvauf400dDrobRdFVGdv7qqPxUd5WJFLrcUkuPu0RweQhI1TRBaC2X3k155wrYlXo2wZEgV4na4IPLjefrLZTDKG0rETsw4okbivHMS8vgRZokj9ly8ELLXeLxiKC8kMaiFmgr1Twb08dcvKFMArAkEAbEWhjBjmPaGGKDLKUXGNjX98+m2o1yXuuX4tFucu2QHJGtLCWsbqwmud1QWPcxyRteojFhhwHtj2sf/hGhiM+v9LkM5MoOxt2kkkx6UosgmMSU7FLPr7cnL/tQVOT9Pfp18ov29+oFGv5tbU2iGSzZh+jSi7tnnNS/29zN6upJ4Dy6hvgbsbg8ukcLKsI8rfTOz18PrPOuuAJNZMwVDzWYCUa+5xjeDGvjG/uEySQbh2/N1RXmtY52NyhDgyAL30pGjA2rn+uhrwZVD+pNMMlsJIr912/a0u6icQMBfFwpJCGv28jKVWoIl3ltXJBMpWdURvEjWcMfyru5mjvi8h5yrvVHJUItCKc+w0mSF2OBYgI069e1nQ/IMeZKdzbZX4MONMH1psBZ+O0Spg95NkjyLZaChNI/gO5FoJRxHQr6q5Cn4ahl8jKjmS07HqXnIQP2IlaYdNQzQwgzz8pAIe9FhTMVnUZ00jgcUUAnUNEqJMsYQ3sMjy0hDdgMjjcprdi5ohHiD7BASI9QKFm5QinLnLL7Cky8U04zDZccVQ/eP21jDdE4U8snUL+0KqJPnCxqo+JXldch6O+J+VENjLXaAcLtyfcnbd7A1AIr7Q77R9Dsgte3+wMwUjXMFD5SE1m+qPAPLkiqFQj4Q5LJDAFuywHE2jKVGNJR0X4/3Ur9OVoZO1P0on6LIzJc6kYV9tX6T/9fva/29i0PLndPEHeq9dfRPQuxIVqVCl3nqZmmYPSczAxEV4OqjE/saD2FF27NaRSHgm8WRlUKi8F1MIE9n/PALSgCqQ1FdfMxXyHIJQ+PqQhEA/OaknqcuDOFcevRnifFpaEBmcQyPGH/c5tLqVd3t7HIQggmTXx0JD3bP+J8e1Of7i7MBvl310Mh5NNnYbY6UMgO/sypkYW0stlSwv9m+88PL+oXo4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZeTo1RtXYc7nNWqrfBTHGHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BisLFykRvB5uKs/2U2F+tyGtlYOlrSBiftrhGHEYoboCcE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg73ZirpCBFM3vPLOOar1w4ZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJH8Hp4Oar+NRZwP9okRV/rusrPFzMH9OHYBh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhPlLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/c0c6836d2fa03ac1

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\FTCPWBHEC-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FTCPWBHEC The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/1edef952f3001c0 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAH3qpAmAxORDQqimcAg1VTe8hn5PeqWs1WhYyt4n+ArrSVWjf5pBgf3eG5apIrlC7HtwzkZ+jOEP0l2+uSBaMuOkxCKFB9VB8MWPNtHNyiqziOvAu/Lycbn6WwZR2cht9fRWseAap+xqbGnczImTLKFmUSgdYQaD18njDlTnB+HLoGU1BlpIZwVm3cE2bLHykXHMYh8bdafH9vaHOaLHSZRQl2+r62IR/ZwRz5xMylB+SHujwj7q17pjrjFl6BjP6vtoQ/RcAxwpe3U1fj2Vh3GW8Dmu/3fP2eimkJF84avhYrJa0XmF8y7WDArMLrhXgJ3ckG43npTFiG8ZG4WEeE/BaXQoT7tc7aLq0HxEmHwXGdyX83l7wey+L3Rh9gAodp+KBwHdCQ0uql2VNA/mkCm7ugg10lcFOch4pznAY0JPH/waDcaV0PSAnbuLMJRQDrLnb+k8qgDhqEV7CSKOpRwtpUcs9TQhtFJkH7hA73kx25OSITkNag3e2F1Wp4AWton3p7MSikerLHbwdRLUHNpS8OE9kOMtFZxe7zg4qUcZxRK1VfzFBXbI2HOZLvDShAEqEMglWtVvySgRMUYwoa1zYISLL5rloOeiKgSu6eyIklXSQIIrqYuPeG8rPyTJTuuKZBCKL0lCKawFmmT7KtjraWK/urHBJbAM5RIdWwOQdS0hj0+HA1bsEaQkc5WEbZh67gObHWauIe/XSWe+k1WLjW/3zeLxqGH5JLy7NUYSQDRlc/LDQFGD8ZuXkulFt1VANYH+YEgjuliksiwf820t3Q9LBV/nMiywXBrAQIT22IApP7WI2SNZAEnlOl8Nw6TwClJA1gZEipr7e2vfgggR6qyFmjSSebaQGW0TxODp9jwJdAaQYjghl21MzRP/tTVy0oOkigGeaKFMdU4YJ4SCWaLKO9okQL0Re07Lc8epIHLsIIWA73bu9HXrNaJIa8McmBWAUXxfy0QswWUiza7/geG+u75t04KKtzm4pXYUCn49HFo7J654EPgvw667MPl6fnfmF/sWv9yPQtK0pv1Z9Q++hNZWEbaDYNw2QLg9lZWP94ekDFxEXid/7JUgmeu6zssaikSSdmcHhTbph846U07cNFHGXD04wYo/EeOUkdz/t5r7UPYv2D1U8omOwRhX3nexOztrIp+qB1YMHiU3m89df1pEP2s4XeNvwiIhYYnyN8RJYbBoCho5Z4ijEMt16k6uwcMZP3J8FL8kSP4H0zB2tzxGfRJyXpp5VMzTwyn/aUG7ZR6ZJXJANs7dmzvmH6+pv75iXe2hjJTn5WAHdhmBwvsOB7TLLgaXDJ5g9s5D5/slYyiehTZldENXHZ1y3oeGYVwGBZxdStDj4ceuzyrphE+8YSFw1aO/28kp1hQJPXvtanSJe4seMtt0Cxqlddu1tXERnwFoC/ztlssM+ms5dICoWKKIckgg8KqaTc9x5+WBcx6nJa9e3waJzWJbhioaWLCdmHXipSrjdK8jzVHhZWXWfXb2ZjpvWBXT8w2k2bphrOOdDXnX38o0qCI1hZUYqLZQuIZQqnCBqq9zX19weHmCmes7bN4FUX8guhmpm9Cd1tjeV8hks26ic7dKe2fGikSl4R17qEIbaF2tdQBmftYLqhkR8fNaZ53ozz7G16evPz7T5J4opKxtIc2oSJbxef906y8GWDIxc5J8GQmvZ1XgXSGJFFcAzbyArm3VhHArK1M1ysTd3my4AE8q6xEC1wbStnEzqfCrTn6c/IRHsLoGEEJR8tV7ktnriWk3lpIwQvtr4dhacroCXRtvMrqD33dnQB3wmIk4h1JeEMWxtunOvnCAJk5S7HhfrmQt6SAUC/MpND15jwpYyL8iIpZw9ioAligpcUUqmld5AtWQ37AAjiYcqDAfdcgBdCL6VSis6vr0KpAVN1faD5CLqeHt8VBKw3yPSJg0mj/Qyeb2Ted2+gOfZPLNdwvDguEanXNL/r6+a/BV6KX/Bg+0l4porOegfUGsZf7Y8MjBJPUgJTVmdDYm4zHquUiJg39IKBXMxxDvVmDM2msiXTmlifZosXSnIfiAD0MF1UPe6uGt/djeZMYk49UhCzF9Fs3oGqPWOAlIYjnWvl0UcrO8sV7tGdwJVpJ7TqEZVZtBETyvqTPWbkyzdAPhc6KJ5zYcEMD9fN+K0GSJOyrl9JF7zdrBzQFpxhC1AeQQAYkTsP5bWksmmYAJ/yFo2QWvunpIwcCXtAWef0Bb1lPfGLsVt3Y= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZYTpZRt3YT7m5WprfbTHiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB4eLx/zI2ROtwGtJYaVqBBnHtrhHWEdkboCdB4tm4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFqwNcoBxPInKc+DO5cALafi2Eyg61rLg32xAxKww72ZinpCBFO3vXLM+ar1wQZMXQeRkmKCjnb1ifgDX9lmT3f7CydQUtnnLIqlsiw73IGVY3pfjf3fBwceMB8P3BNg39XQ3DC2aZBEuHtLEi+BdBMOZH4HpsOdb/KRc8P54k7V/HuibORzJL9NXYCh84z7+xeRbttC/+YbnzW5+JOXs5ePtQu9FxhOlLD2rpghGmLLQQz3Qtdfjj5QGFTiWwEn7JfT+zb ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/1edef952f3001c0

Targets

- Target
  
  b49cd0398cbc0e6cdfbab13cf0e53773_JaffaCakes118
- Size
  
  2.2MB
- MD5
  
  b49cd0398cbc0e6cdfbab13cf0e53773
- SHA1
  
  565694a2ceb2ebbe0a49981c11adeb5cde244e76
- SHA256
  
  6e04fdd174b6d18769751acb97564e41b131ec95e00e9d92152f52969113b547
- SHA512
  
  32015420e4cb24c1d59de76e05fb8885069a8ef69dc7ab5bf60def9de503e7b6a7c78771b83b620eeb32b07e9173d10c267a237db62c55d19536761589528349
- SSDEEP
  
  49152:Es9J0weFq3/+GSoZxNqPaNQN64vjLFn1XA2mk/U:EkRHdZOPaNQnvjLF1P8
Score

10^/10

gandcrab backdoor defense_evasion evasion execution impact ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Renames multiple (291) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Deletes shadow copies

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (291) files with added filename extension

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Identifies Wine through registry keys

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2