Thursday, April 12, 2018

GandCrab ransomware sample

Found just in recent Hybrid Analysis submissions, tagged as Trojan.Ransom.GandCrab.Gen.


High CPU, almost no memory strings initially, no subprocesses initially either.

interesting files found

interesting child process

interesting in-memory strings
0x60000 (114):
0x80002 (524):  .ani .cab .cpl .cur .diagcab .diagpkg .dll .drv .hlp .ldf .icl .icns .ico .ics .lnk .key .idx .mod .mpa .msc .msp .msstyles .msu .nomedia .ocx .prf .rom .rtp .scr .shs .spl .sys .theme .themepack .exe .bat .cmd .CRAB .crab .GDCB .gdcb .gandcrab .yassine_lemmou 
0x1d0202 (104): C:\Users\xxx\AppData\Roaming\Microsoft\dbwxrl.exe
0x21f8b4 (44): /c shutdown -r -t 1 -f
0x21fb24 (15): fabian wosar <3
0x21fb58 (64): /c timeout -c 5 & del "%s" /f /q
0x21fe10 (26): \Tor Browser\
0x21fe2c (20): Ransomware
0x21ff5c (32): CRAB-DECRYPT.txt
0x21ffd4 (38): %s\CRAB-DECRYPT.txt
0x22001c (58):
0x220484 (34): NortonAntiBot.exe
0x2204a8 (24): Mcshield.exe
0x2204c4 (24): avengine.exe
0x222002 (4288): ---= GANDCRAB V2.1 =--- 


All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB 

The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. 

The server with your key is in a closed network TOR. You can get there by the following ways: 

0. Download Tor browser - 

1. Install Tor browser 

2. Open Tor Browser 

3. Open link in TOR browser: http://gandcrab2pie73et.onion/xxx

4. Follow the instructions on this page 

If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:

ATTENTION! Use regular browser only to contact us. Buy decryptor only through TOR browser link or Jabber Bot!

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. 

The alternative way to contact us is to use Jabber messanger. Read how to:
0. Download Psi-Plus Jabber Client:
1. Register new account:
    0) Enter "username": xxxx                        
    1) Enter "password": xxxx
2. Add new account in Psi
3. Add and write Jabber ID: any message
4. Follow instruction bot 

It is a bot! It's fully automated artificial system without human control!
To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.
You can read instructions how to install and use jabber here 


Do not try to modify files or use your own private key - this will result in the loss of your data forever! 
0x225060 (381): <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
0x2a8830 (282): \??\C:\Windows\zoteramexizosima keluxepu\??\C:\Windows\zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
0x2a8a9a (172): zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
0x2b0848 (202): \??\C:\Windows\zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
0x2c9324 (190): \??\C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\commithash.txt.CRAB
0x2ca8a8 (56):
0x2f5338 (22): dummy://url
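As an added example (not part of the original post or of any sandbox's output), the following Python script turns the strings above into a small triage check: it parses the `0xADDR (len): content` layout shown on this page and flags the indicators that appear in it (the `CRAB-DECRYPT.txt` note name, the `---= GANDCRAB V2.1 =---` header, `.CRAB`/`.GDCB` file extensions, the forced reboot and self-delete command lines, the AV process names, and the dropped copy under `AppData\Roaming\Microsoft`). The sample dump is constructed from the entries above; the function names, the indicator labels and the verdict threshold are my own assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the "0xADDR (len): content" layout of the dump above.
# Values are copied from the entries shown on this page; this is not the
# sandbox's own report file.
SAMPLE_DUMP = r"""
0x1d0202 (104): C:\Users\xxx\AppData\Roaming\Microsoft\dbwxrl.exe
0x21f8b4 (44): /c shutdown -r -t 1 -f
0x21fb58 (64): /c timeout -c 5 & del "%s" /f /q
0x21ff5c (32): CRAB-DECRYPT.txt
0x220484 (34): NortonAntiBot.exe
0x222002 (4288): ---= GANDCRAB V2.1 =--- 
0x2c9324 (190): \??\C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\commithash.txt.CRAB
0x2f5338 (22): dummy://url
0x2ca8a8 (56):
"""


class StringEntry(NamedTuple):
    address: str   # hex offset as printed in the dump
    length: int    # byte length reported by the dump
    content: str   # printable content (may be empty, as in the dump)


# One line per entry; the content after "): " may be empty.
_ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+) \((\d+)\):\s?(.*)$")

# Hypothetical indicator labels; patterns are taken from the strings above.
INDICATORS: Dict[str, re.Pattern] = {
    "ransom_note_filename": re.compile(r"CRAB-DECRYPT\.txt"),
    "ransom_note_header": re.compile(r"---= GANDCRAB V2\.1 =---"),
    "encrypted_file_extension": re.compile(r"\.(crab|gdcb)$", re.IGNORECASE),
    "forced_reboot_command": re.compile(r"shutdown -r -t 1 -f"),
    "self_delete_command": re.compile(r"timeout -c 5 & del"),
    "av_process_kill_list": re.compile(r"\b(NortonAntiBot|Mcshield|avengine)\.exe\b"),
    "dropped_copy_in_roaming_microsoft": re.compile(r"AppData\\Roaming\\Microsoft\\\w+\.exe"),
}


def parse_strings_dump(text: str) -> List[StringEntry]:
    """Parse dump lines into entries; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(StringEntry(m.group(1), int(m.group(2)), m.group(3).rstrip()))
    return entries


def match_indicators(entries: List[StringEntry]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {indicator: [(address, content), ...]} for indicators that hit."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for entry in entries:
        if not entry.content:          # empty entries carry nothing to match on
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(entry.content):
                hits.setdefault(name, []).append((entry.address, entry.content))
    return hits


def is_gandcrab_like(hits: Dict[str, List[Tuple[str, str]]]) -> bool:
    """Verdict (assumed threshold): a ransom-note/extension artefact plus one more class."""
    strong = {"ransom_note_filename", "ransom_note_header", "encrypted_file_extension"}
    return bool(strong & hits.keys()) and len(hits) >= 2


if __name__ == "__main__":
    found = match_indicators(parse_strings_dump(SAMPLE_DUMP))
    for name, where in found.items():
        print(f"{name}: {[addr for addr, _ in where]}")
    print("verdict:", "GandCrab-like" if is_gandcrab_like(found) else "no match")
```

Running the script on a real `strings`-style dump only requires feeding the file contents to `parse_strings_dump`; the verdict threshold is deliberately conservative so that a lone `.crab` filename in an unrelated process does not trip it.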
