https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw

General
Target

https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw

Sample

211229-py8v3sdddn

Score
10 /10
Malware Config

Extracted

Path C:\NMOCWROPZB-MANUAL.txt
Family gandcrab
Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .NMOCWROPZB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/6e509012a873ad6d | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAJINzjVO6G50R5Z6qAVdXWh3/KfkOo7Zn5xmnP53VPwi6ON04VVEeCfJRjUX61fQ5Jcs2kZ87sQJe/keevu3m3RbhzWVPej0heGHOYgFSql/pfJX10BOGtqEsPPE731JciISddFs1F8fYkrSMRNLuqsHwRZPUL24XeDrUOLJiPEq2xU8+aIuz3FAlC+59hi3DWEpDtrqJXeOFkiwtJ14VRsa5+2bNRMQL70QDJlufLsINFd+Z+Rr9+UO1LRK/8c7arcHMwzbHiN+44KJnUHDkrVtDSTDsD/eiraRemYxHdTt0PoQzV3kkuieRBCMXd3Gp8rt9/i0dtZKnjPEiFR6ioaXbqVjhuLY8KLh1eA8WQ7XsQJIx9h3ZaeXSr+PtmOJ5S3M0hxzZvMtgyL0h45iT5OJRaGDo6F1QMjKynUdkMu0ff0B5PH7XtmRl3ZIHw2R6V2ah5f1aWpD+F+KbiW8UvINUmyJ3JgUdx8eBUgzHqutSgIVU1679tkSIyk4i3HT0zqKmvxA+C+wIAdNG8zUsA18bzOcevBrxfrP7skB4pSNcF9OLeYk4k5+UFdI+hetZE/GE2D3WSoqjXzfbyqLi3qz2ahqOU5Sve3SN6nGy5rxN6+jeuo8eID/2Am+5/aERw1L7hEgMK0lGuV6njw8lkBP8RRzaMlmZFHiiMTByv8uNpcQ69t3D1Ukp+T2SBuFMZi3Xe6wRPzVWfYQrNf2+tI/7odrnkDYpLcJKGUsVvtnVua7lIfL5+SoSDqf9HK91NJDPr6yLeaD47v/FoJdvyixDRYFbXFQE2zTiAroPoKOA4whMaQcGS8aMIjqLXJ7h/wqIIqS02eRC8dHnno461+e1Jb2f1/1kSmIODOUeZyAkY2Kh0qAdIHzwAns5swdIgfxs6cVKns4U5lfvfz5DtIMnyPQR0fvFxnnjz9ZWcUmqqE4C02UWuj2gn9Hh0s4icOqGQ/v/vtFZ/uqk7Jcr+hK+0FJ/WPW9gh2UEDys1HalnT+A0DV3xa8oI9XGbNYjz2AXDqKPxlRvtpKX1f7tbWe0xC3RZfq7I2G1pQMvyc3XS09G/Af9HkGfFw3XjU/znI9/ffzZ2hRkAIyPzUEccXuNVhMpgzuHKlBeM7eFF3iXe3mf1k6E2cH7IyQjDeK6IMZsqFmigU15JFqSWcNvuX7Baon/HzD9ZY/QhEIOuS8FrX3BVJwk1RfQYpsfg1Rcy47kT5IaIc2995XomjCkDfjXyO/s//XwlRFCeiPWFNJ+58EVN4lZ7LdmMz+gJz++RtqMoPcbteMcnS0V8R37qHTV9l/dEl1+Ouzlny3HlweTWVTexqog0w3YPVU9SN+BprgXdsiEQ8C/ttJGqcOv8wySmJKZCxcbcmVMfVBSsXoC7hQeamIVtLtPd32RXG5DX1Yj6YMxG5Mj2UrFvz2GuPhmBpbVJyxLidWrVl7IkcrxqZ6+dxC4pq4Cl2xRzWN4xLSKgEgAxLe7r5wjgEvmYSeI4cfU9nQcS2u5evPOA7wgNTlBcQQ8WcL5dTNBx+7Bx1xLegSyFefX+hoTd+N/uiRVHyjesnLx1zDkXeOqn0tp+aYtDdRCxWSXfW7995rhAD5yPyvuV6p8zvx6OKGDkRUjAWTJk0cnU7wY9cXOgVBvBm4uZYffB5hiETTuYQfGK1AHh3emWEL8nr9UCDS9oi9SVPgBEXFROgkHExd+NzqjwLlwQxgEg0SbIxMNWDmSoXIdgvduc3OwZn+DskN1uYDPbSJuNI2xFIzgF0cf9TzSV9/tj9sMK0TB+mdg/qbDLZ633o2NltdxPGQtpJYmYmuLndCXitUj80tD1bEMeC55AnAaK90SI0IyjFEU6GQpMpY1oQgAAQ5+aruuCFSztSTYlNcNGaIaB5P38WFMsL6fgHW/3Skenca6hufIPvFRudUNO9OKRS6nvkdiHEnyvw3Rm0fvSu5fzE6Oxx58I8t2CRHzrl/UfsO0G8T0Rg7ORJTjrW0wmFokfeuGomOuroFl5QeOZ1gIwBFztiUkzkHI3ELDryyCn8joubYnAQr3Y4nVKFvXZn3RE3ToG4lKKjlOI7a/dr838mXIAWZdIEUjyCPqD23IwhkrY6sfcIk4TvBqEUUfZPe+2FcFjeC+NcMDMWRKGgYDCOpVv2HxfhzU3CCk4VJpwfXBGZKbTfpaBKw5kqo0fOEGSWJPST+fMFnrqL4Ye7aM8A6OUo+uU4rIaMCQJdiqe1VtZTrZ5G6tjpqgT4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDz9NTJN5DRAuyVsODZRWLIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNxjWLwyoIX95yRHFXKdMI+BkVChenio/1q0nJSZoF9ASQvO7zBnmOH7+ICDGAMpA6ikRWUVdPec00lSDyDFtLuJf9BcBixqqcY9R7G3ZbHKmYCRmkfYP43yqPNoLMfjU6OUr3FW3eYJTzTJsPa3LzF0vPeKSzSzgqAooTDFrJ2MPDmx5ShdudroMVoJ6iqVzOmrqBpvYrwLrtwypC8B1eylBjnF7qJ4Bew6gT+wIUybb9cf69w/LTGj/LjfwF3i+DPbKPSgkY3ZWPH+rAlXvHei0oEFEvREsCMnANjh09REIB31FEHCybeMMJ0F1lg/qeRPezME ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/6e509012a873ad6d

Extracted

Credentials

Protocol: ftp

Host: 109.248.203.81

Port: 21

Username: alex

Password: easypassword

Extracted

Family lokibot
C2

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets
Target

https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw

Score
10/10

Tags

Signatures

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • BadRabbit

    Description

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    Tags

  • Fantom

    Description

    Ransomware which hides encryption process behind fake Windows Update screen.

    Tags

  • Gandcrab

    Description

    Gandcrab is a Trojan horse that encrypts files on a computer.

    Tags

  • Lokibot

    Description

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools
  • Modifies visiblity of hidden/system files in Explorer

    Tags

    TTPs

    Hidden Files and DirectoriesModify Registry
  • RMS

    Description

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    Tags

  • UAC bypass

    Tags

    TTPs

    Bypass User Account ControlDisabling Security ToolsModify Registry
  • Windows security bypass

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Detected Stratum cryptominer command

    Description

    Looks to be attempting to contact Stratum mining pool.

    Tags

  • Grants admin privileges

    Description

    Uses net.exe to modify the user's privileges.

    TTPs

    Account Manipulation
  • Blocklisted process makes network request

  • Blocks application from running via registry modification

    Description

    Adds application to list of disallowed applications.

    Tags

  • Disables RegEdit via registry modification

    Tags

  • Disables Task Manager via registry modification

    Tags

  • Disables use of System Restore points

    Tags

    TTPs

    Inhibit System Recovery
  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies Installed Components in the registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets DLL path for service in the registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Sets file execution options in registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Sets file to hidden

    Description

    Modifies file attributes to stop it showing in Explorer etc.

    Tags

    TTPs

    Hidden Files and Directories
  • Stops running service(s)

    Tags

    TTPs

    Modify Existing ServiceService Stop
  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Modifies file permissions

    Tags

    TTPs

    File Permissions Modification
  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses Microsoft Outlook profiles

    Tags

    TTPs

    Email Collection
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Modifies WinLogon

    Tags

    TTPs

    Winlogon Helper DLLModify Registry
  • Drops autorun.inf file

    Description

    Malware can abuse Windows Autorun to spread further via attached volumes.

    TTPs

    Replication Through Removable Media
  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    Tags

    TTPs

    DefacementModify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks