gandcrab | 0b8618ea4aea0b213278a41436bde306a71ca9ba9bb9e6f0d33aca1c4373b3b5

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Size

236KB
MD5

bbb97ca6460707a4f0fecd302a33c9ec
SHA1

3d48df2009d98d75dc88874cf95a49a5e58e4953
SHA256

0b8618ea4aea0b213278a41436bde306a71ca9ba9bb9e6f0d33aca1c4373b3b5
SHA512

d7c1945c051a148bb3b7e9d949e50fdb2bbd206d020ecb77cad37d3a55e438915c9f834563f567c78695672e2122a1a8100803360ff5453c4e9ef70b4d635d7d
SSDEEP

6144:+jP2Wcu1IHJa8ZSc0MBu7m4hEb5ZR/BhDTuEi:+jPqu1+rv1BuFeb5fBtuEi

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Signatures

GandCrab payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5044-260-0x0000000000CF0000-0x0000000000D07000-memory.dmp	family_gandcrab
behavioral2/memory/5044-259-0x0000000000400000-0x0000000000B4A000-memory.dmp	family_gandcrab
behavioral2/memory/5044-264-0x0000000000400000-0x000000000042C000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Drops file in Windows directory 1 IoCs

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\win.ini bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1424 5044 WerFault.exe bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

pid	pid_target	process	target process
1424	5044	WerFault.exe	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

description	pid	process
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5044	bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbb97ca6460707a4f0fecd302a33c9ec_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 468
2⤵
- Program crash
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5044 -ip 5044
1⤵
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini
Filesize
10KB

MD5
5c3b10dd8758c6e08ba505a465c27650

SHA1
ba3c83251c6c4294a6c590e8ffa44f24f12140e9

SHA256
dbb60422fa9771b2037d04b29e4a5ddb6d606a4ac2ca53cd659d58bac247ff5b

SHA512
b73186d44b8247da47e7444299a496d340ca5f1f48581c41a69df50d5e615382ed2c399ad3585c031ed8781496a175879aef8606925058f3f88e7d173182b415

Download Submit
memory/5044-257-0x0000000000D30000-0x0000000000E30000-memory.dmp

Filesize
1024KB

Download
memory/5044-258-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5044-260-0x0000000000CF0000-0x0000000000D07000-memory.dmp

Filesize
92KB

Download
memory/5044-259-0x0000000000400000-0x0000000000B4A000-memory.dmp

Filesize
7.3MB

Download
memory/5044-264-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download