Resubmissions

24-01-2022 18:12

220124-ws75xsgcf6 1

14-01-2022 15:34

220114-szqyfahceq 10

08-01-2022 19:45

220108-ygvfssdbh9 10

08-01-2022 19:45

220108-ygvfssdbh8 10

08-01-2022 19:34

220108-x95xkadbh3 8

07-01-2022 14:28

220107-rsy5sscda4 10

06-01-2022 19:07

220106-xszdfsbee2 10

General

Malware Config

Extracted

Path

C:\HJPEH-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HJPEH The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/c51f259fdf60d9 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAEKqxvD3Gx1Guix9gVoiOpOB1gjVPn1ARzd3Alfd+/jrY6QNPtf3naxp4HHiiMPF1oIueiHdXBcydeAhr7xnKw7LX1vIS/wFXJ3gy18wu+vO1mfzyF0Bq7wShmGclnWLbDJcR7oocEKVx5unSzXccG7fwh5xI9jNHWqdeSLisamlcOGEGqVYyqgFRhRJ4QQtkgeHLOuM49XvEeukxvWch/tBsv2KBUMVK1DOKwhw/7qZTAgLWSo5Cp8rn+hZfmVUeM9nyO+chkhS9xUQ+yYD/Z/vd30grAeu3XfeHuX8pwFwAYcvSHZVS7eNVTe5sKOtVAES0HInJb9JFs7/HlXHN7Pxoc9il5334QddU8c2qcogcVD6NYSJh50d/orBXNsro6TCHoOZFlcVm8zWGjLPkMnic3qNx/6eG383M09S75A6D9guaRaEW2173pzvvqcH7YMkXb6DoFaOUbhDq2hHZVdKADgNBHJ+1/2gvSWJUGfcvKrFV1WMv5KbUv/dIYjHrJLODITqtIC4Z3O4mb4jcD3NK9HqLJzO3E14OWtQxetrZ80Fs+qhAs0z1LWRx8c+4shp2ksyeiA7qXfk5Mc2p5eTEDC87LBRA0ka4tescPThacMZvv3X1L+no3Zu2iZem7epHJTZQYVMwX2gPOe/TMtknzdxcUbLqH07Imw7TU6bIlwMXvhQRgZXq0IIljp6l9d7akv+aapnLaP03Ab599PnKdMMfN0v/tkrlYoQMUTvCbyAR36kCiwLoMDSSU06OOb8kus9I6dmN5oVLIf1kNKK1pC2aaZhSdlkAaNjnLyGQq1rEsiWb/ef7aO6PNQWIfmByvHMp95IDMxql247+4pxiT5HAOcJfJCNr5z7ZM4IXa77OWN0dEi9CkfiI760X2Y7vhVQ1wBUc05NiiS2emHFE/GBndADf+ibl4TEvdir1XBDFaEA+0PJOZufhlfTfpEBeDhHiXYfPodSzqa6xLsq4w1WK1b+a4Mw/Jknnng62yKCZAB9gKiDEteYNT1qgFutN5ZzRiCZzr3NmZ6mheLngH0dnlzo0jfZC5ZYTOvuLEJPfPAQEEsw0kwAD0av/dc5GARPz71x9rDTHCOFzaMRAufLI+8EP0nS4caIyDhWOeLh3Z8bAyuj6/Lsy98yj2vdO1ZgSKgKtJH4kFIVwJn4X78C8WFwgBv45vOftY2wjB3vPAQ+PpM43cBtUv97wgwLPSvn0gHruTVJ/LdoqRci6jSgSrOqWrLnufYwkT6Xj6+T+zrn2yJk/tBQaY3PJAUCvxqbE8n50wuiFbIZpz3Epado07dBUXHYB6isyH75Rb6/19BkUxkkjmuOJj8VEmcmhD0qKoyhvAxiQwR0939s6qrrRTQdxcamxljrThfq+KDSwRHXkxfU+jXqmwCmW0xH6MLQLt21/otidde8IItPKqO6KlFz1hqH6v8BYUM41EDVnVbuukEMxR4meYq2cclnlf0yUfnu7TXjMxcAlFvfW0w2s3i1NsW8SVTgfDOijL27HqPW5GmvodJyHKgcMaGPsTJKn7xpxbHCfMeAstLr+F3nqREk3d6N3cZmk2G26u2SP35oQQpKdHReeK+OrNd4D4KnvGRnzu/SmcF6MugSxAARdwiOvCrCbcoSF5guQmUbOXtaOKqfs2b0U9oMf1bxJfh+lyZGHADYxJzoDhS0G3xW1fG1Jtfvi9RP98TqrceB845AT4oWF98GiyAm0AYjBypxYFwtEb0j6ilDetRf+B0WbFb7ewL0Coua2h2Z6nC8CMZZnzMEQfUJF+QguvU06gDmf262R9ktGuiDwurlsHmB4/rs2/bkUf8F3/NmKAHC/28b2RhRBz7PSoavOS03b3YCHnE8ZBpFoE2gW7BBxWt1+ji0EbVCp6HGBuExlzo5rvSaSdri5ysdptqMTLPv6e+Ojn0LdaQ1fRmP9O4jcT2r46lajWVi1inRDJQWVQUeww2zbE+ltlwq8+DXaVmsuwSsnpwUei6Pd22XoZZfWRAwbvggWihv/3CXjn81SPl4nFtQ5u4PjwICSR301Za8gSLs08MjUd9BCmJ9oIM8r8EPokWDs6+He0DoiRcF/HqDP9pI5fPRMCV6zduH5GbsYO0zVYYzAPrXNkp2KmbGdCM9LENo2eX584lCMX0i9q8zTv0+5pbd4o08rioylwv82DWL8FALyI0SDYyFo2fAmuHwhDxd6p6NN3cYg1cZvZ363g2XzVlDg3jkdVO7i7+Swrw= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDz9NTJN5DRAuyVsODZRWLIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNxjWLwyoIX95yRHFXKdMI+BkVChenio/1q0nJSZoF9ASQvO7zBnmOH7+ICDGAMpA6ikRTAVJPeY0x9SBCDAtLOJK9BZBnJqqMY+R7S3OLHamYyR2EfUP9Tyj/NvLMLjIKOKr31WweYTT0LJ2PaxLzN0vveOSzCzgKAooTvFp52CPC+x4ShHudvoPFoD6iWVwumrqBpvYbwCrtMytS9e1a6lUjmS7q14AOwugXqwckyKb/0f4NwELWWjqbjawFji+DPJKLqg0o3dWOf+twlLvHCigIFeEudEtyMvAIvhltRRIBf1D0HFyeWMPZ1Z1lc/pOQ= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/c51f259fdf60d9

Targets

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Fantom

      Ransomware which hides encryption process behind fake Windows Update screen.

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • InfinityLock Ransomware

      Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.

    • Modifies WinLogon for persistence

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Scheduled Task

1
T1053

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

5
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

File Deletion

2
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Tasks