Thursday, April 12, 2018

GandCrab ransomware sample

Found in recent Hybrid Analysis submissions:
https://www.reverse.it/sample/93aac54d061ef795aa4cf2071b45a6b6164e227b40bd4e6cd8a2f290dcf58357?environmentId=100
tagged as Trojan.Ransom.GandCrab.Gen

----------

High CPU usage; almost no memory strings initially, and no subprocesses initially either.

-----
interesting files found
-----
C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\commithash.txt.CRAB
C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\CRAB-DECRYPT.txt

-----
interesting child process
-----
nslookup


------
interesting in-memory strings
------
0x60000 (114): https://www.torproject.org/download/download-easy.html.en
0x80002 (524):  .ani .cab .cpl .cur .diagcab .diagpkg .dll .drv .hlp .ldf .icl .icns .ico .ics .lnk .key .idx .mod .mpa .msc .msp .msstyles .msu .nomedia .ocx .prf .rom .rtp .scr .shs .spl .sys .theme .themepack .exe .bat .cmd .CRAB .crab .GDCB .gdcb .gandcrab .yassine_lemmou 
0x1d0202 (104): C:\Users\xxx\AppData\Roaming\Microsoft\dbwxrl.exe
0x21f8b4 (44): /c shutdown -r -t 1 -f
0x21fb24 (15): fabian wosar <3
0x21fb58 (64): /c timeout -c 5 & del "%s" /f /q
0x21fe10 (26): \Tor Browser\
0x21fe2c (20): Ransomware
0x21ff5c (32): CRAB-DECRYPT.txt
0x21ffd4 (38): %s\CRAB-DECRYPT.txt
0x22001c (58): ipv4bot.whatismyipaddress.com
0x220484 (34): NortonAntiBot.exe
0x2204a8 (24): Mcshield.exe
0x2204c4 (24): avengine.exe
0x222002 (4288): ---= GANDCRAB V2.1 =--- 



Attention! 

All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB 

The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. 


The server with your key is in a closed network TOR. You can get there by the following ways: 

0. Download Tor browser - https://www.torproject.org/ 

1. Install Tor browser 

2. Open Tor Browser 

3. Open link in TOR browser: http://gandcrab2pie73et.onion/xxx

4. Follow the instructions on this page 


If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:
                               
0. https://gandcrab2pie73et.onion.rip/xxx
1. https://gandcrab2pie73et.onion.plus/xxx
2. https://gandcrab2pie73et.onion.to/xxx

ATTENTION! Use regular browser only to contact us. Buy decryptor only through TOR browser link or Jabber Bot!
                        

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. 


The alternative way to contact us is to use Jabber messanger. Read how to:
0. Download Psi-Plus Jabber Client: https://psi-im.org/download/
1. Register new account: http://sj.ms/register.php
    0) Enter "username": xxxx                        
    1) Enter "password": xxxx
2. Add new account in Psi
3. Add and write Jabber ID: ransomware@sj.ms any message
4. Follow instruction bot 

It is a bot! It's fully automated artificial system without human control!
To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.
You can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf 

DANGEROUS! 

Do not try to modify files or use your own private key - this will result in the loss of your data forever! 
0x225060 (381): <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
0x2a8830 (282): \??\C:\Windows\zoteramexizosima keluxepu\??\C:\Windows\zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
0x2a8a9a (172): zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
0x2b0848 (202): \??\C:\Windows\zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
0x2c9324 (190): \??\C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\commithash.txt.CRAB
0x2ca8a8 (56): http://80.98.187.85/loaigeoa
0x2f5338 (22): dummy://url
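As an added triage helper (not part of the original notes and not code from the sample), the Python below takes the indicators listed above (the .CRAB extension, the CRAB-DECRYPT.txt note, the extension skip list at 0x80002, the AV process names, the reboot/self-delete command lines and the network strings) and classifies a constructed file listing plus a few constructed strings-dump lines against them. The budget.xlsx and ntdll.dll paths are made up for the example; the other paths and strings are the ones from the run above.

```python
"""Triage helper for the GandCrab v2.1 indicators from the notes above."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Encrypted-file extension and ransom-note filename seen in the sandbox run.
ENCRYPTED_EXT = ".crab"
RANSOM_NOTE = "crab-decrypt.txt"

# Extension skip list recovered from memory at 0x80002: files with these
# extensions are left alone by this sample, so they never need decryption.
SKIP_EXTENSIONS = frozenset(
    """.ani .cab .cpl .cur .diagcab .diagpkg .dll .drv .hlp .ldf .icl .icns
    .ico .ics .lnk .key .idx .mod .mpa .msc .msp .msstyles .msu .nomedia .ocx
    .prf .rom .rtp .scr .shs .spl .sys .theme .themepack .exe .bat .cmd
    .CRAB .crab .GDCB .gdcb .gandcrab .yassine_lemmou""".lower().split()
)

# Other strings from the dump worth alerting on in a memory dump, command
# line or DNS log. Values are copied from the strings section above.
STRING_IOCS = {
    "tor download url": ("https://www.torproject.org/download/download-easy.html.en",),
    "external ip lookup": ("ipv4bot.whatismyipaddress.com",),
    "forced reboot": ("/c shutdown -r -t 1 -f",),
    "self delete": ('/c timeout -c 5 & del "%s" /f /q',),
    "av process kill list": ("NortonAntiBot.exe", "Mcshield.exe", "avengine.exe"),
    "ransom note banner": ("---= GANDCRAB V2.1 =---",),
    "exe path in roaming": (r"\AppData\Roaming\Microsoft\dbwxrl.exe",),
    "http url": ("http://80.98.187.85/loaigeoa",),
}


def classify_path(path: str) -> str:
    """Label one path: 'ransom_note', 'encrypted', 'skipped' or 'candidate'."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    if p.suffix.lower() in SKIP_EXTENSIONS:
        return "skipped"       # not touched by this sample
    return "candidate"         # a data file the sample would have targeted


def triage_listing(paths):
    """Group a file listing by directory with one list per label."""
    report = defaultdict(lambda: {"ransom_note": [], "encrypted": [],
                                  "skipped": [], "candidate": []})
    for path in paths:
        p = PureWindowsPath(path)
        report[str(p.parent)][classify_path(path)].append(p.name)
    return dict(report)


def dirs_hit(report):
    """Directories holding both encrypted files and a ransom note: the
    strongest single signal that this sample ran there."""
    return sorted(d for d, r in report.items()
                  if r["encrypted"] and r["ransom_note"])


def scan_strings(lines):
    """Return (ioc_label, line) pairs for dump lines containing a known indicator."""
    hits = []
    for line in lines:
        low = line.lower()
        for label, needles in STRING_IOCS.items():
            if any(n.lower() in low for n in needles):
                hits.append((label, line.strip()))
    return hits


# Constructed file listing: the first three paths are from the sandbox run;
# budget.xlsx and ntdll.dll are made up for the example.
SAMPLE_LISTING = [
    r"C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\commithash.txt.CRAB",
    r"C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\CRAB-DECRYPT.txt",
    r"C:\Users\xxx\AppData\Roaming\Microsoft\dbwxrl.exe",
    r"C:\Users\xxx\Documents\budget.xlsx",
    r"C:\Windows\System32\ntdll.dll",
]

# Constructed strings-dump excerpt in the same offset/length format as above.
SAMPLE_STRINGS = [
    "0x22001c (58): ipv4bot.whatismyipaddress.com",
    "0x21f8b4 (44): /c shutdown -r -t 1 -f",
    "0x2204a8 (24): Mcshield.exe",
    "0x2f5338 (22): dummy://url",
]

if __name__ == "__main__":
    rep = triage_listing(SAMPLE_LISTING)
    for d in dirs_hit(rep):
        print("ransomware hit:", d, rep[d]["encrypted"])
    for label, line in scan_strings(SAMPLE_STRINGS):
        print(f"{label:22s} <- {line}")
```

The skip list is matched on the final suffix only, so `commithash.txt.CRAB` is reported as encrypted before the `.crab` entry in the skip list is consulted; the skip list matters for the remaining files, where it separates system and binary files this sample ignores from the data files that should be checked for damage.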
