General

  • Target

    72311ef28d4b489360c8db938dc45650f95733a8ed316f53a759b3928e8e73e9

  • Size

    139KB

  • Sample

    220128-y25r9sdad2

  • MD5

    4fcd0d13ea669a83a749ae5bfb098ca2

  • SHA1

    2da8e7cc5460aef7e6b97ccf13cd134bf1903d96

  • SHA256

    72311ef28d4b489360c8db938dc45650f95733a8ed316f53a759b3928e8e73e9

  • SHA512

    5ea08ee19b0d8a1fc79f5462e7725f2a9fde79354f89929f6dbb4c7fafeaa2151f96d7cf7e4520ef0d3c09ef941fed334a272c2ae8ab028f11c29d5006975b87

Malware Config

Extracted

Path

C:\XIFSPFP-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .XIFSPFP The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2521b77266cb0171 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAL8uip2JmLrokG1FqqpbtT86MQ96s/0M7e1U36uVuhxdVYyBuUm+rj/O1ZKrnrqiRQEzvu76VoPl3uZ+gSgCrM+1UH9ehDfbkKVbQTSQF+LO5cBrrDdIsyiYg0wP/ePFB02scrj/0I/ChqAwZG4D53fUsNVijaopXNZHpXS4kqWs7If9IkaZcwxQu9ayNEoFvUBwFoa+MzC0bVWhYqZDDbReHlRsl/tYX1/ObOGs9+z9h6dYXOmVUKZ8FeaYUUWGvhXXZsElzYoetq2qpkhm9uAdOLtnfsjCE7nZrKS6JC4FfCV76O5j8k3f+lPRBuX9aUUohoVe1IZBMelESSjhe46w2pYqz7RuRV4Dp40DX57Twhxl3JqwNZiIfNhUDRYmyetehzXI5KKd0abg7xGgomBJjDrfYJ0PAnDhPPmDdcHPV01CW4OTC+2GzlNJ6oxTUQOjwxcGWZ9Xh9n+5B5XPB/pTx1JF11YnUsjPqv+oIeacld8C7uXDA09LKJz7FMR+eerRvh2mOYpvGMrUbSxfCr2qsqNubekIHlr4HIKGZN92fMctaMKvhSeHiKq+j/WSNgXVGBmn18+PESHCyX1fKbWkLQ3DPesc/NFvSghxkRTACYdkmjGV/6KcGhJOPtUzDmoWe7ymdrZmCIwIUjz+z7RM0qQ0mdC1gUbkBCJvxiFI1DaQ4cYdPuvG+pnbtR/aEzTSi3FTyyWoOSb7goBUycrMduK/9t3Kl/N7ZDWMnfbALukVUYm5nwriLl4B+dN3OIS0XBnoGVwN2cnsntsoa1KwFYJ2hnBrZImHnH7vHulquBytexNVR/Yt8yEl4X8zFv8YGY/cO/1EP60ul3YqBXIag9NW14dBWnWxfZglaWh6p6mGkCr7mdMhasXSAPApVpS+R/BjswmN9cX9uWAqVUDIUwBpHvQkXohXPSiJb66e1WouJ5sc2EmPZiGxttuTkmQsSLCCLtXZEeKUMviymmNrJ5EhDelau9+7+OnIHMFQMAjgO/zNNq0WJ7uM/fR+DSBrigQMFC/qDRESP7S+v2peLfZGDfLQdERgZBZ8Hkth6Dy75zM2xtCAG6MxV8sM6hz6S8bdxWbFa1GwFZCqfVLZSWI94+Xff6P+BY/NchjtdflRTLw7lI6FMgyFMyh1hi6kQlD1z8/tnk9r4z/jps1WzaetXlohTEiYeuOyTry4UL6nSJxDxgk5To+U+zZs838dD+X920IT7PrOUxjXTIFEjgT4gWoX07js9w6fN1AxJAxUg8EXd1TOXoBzAXPdcrofgOzCB4YPKU52RcOefybro9i70bIOnQ794cQg01T0cnD1fRTL7aDKIC1jfREiO/BYFHZxeAtY/GvauOdg6UM3+4q+N9uTHBOLw7bUJRBdbiQULOvg8u8+OJWLhr3orGEnOOk1kgvHldknN/HSJEiV6DqS98RK+VscziRcqQl92cNJiX5X4sHcXJCTAx+bR/Z7072Dpvde5cYY4BtpN2Z4wUchUzRb/0hUgkRnfRD823cY0MoSy9uysvwwzDlG2mljF6kqdayrS791CZP5icB0ovyc+NkTS/08M8qOeLYdtmTWcjQ+OccZzaZ5kCayoizwbh2O1nqOYJLjkAYX2tGgnLL/Pe5m4uZX06y+I/M/z3igb1E5mwHjPJ2timQ1Brqh12gWQpxi89D0HBRAMIZo6yC9N2E4mfryOjj+Wsn4QKtQQ7nRZg88FKRpN4wr6U5j0mZ03NEtEsm/MI2ljMZW+LDuURzsyLCY9/4+1iHCOkubDgo+TtdjpxPtI52yrIaxmGq7Kpat0Wvc+eDNYUuuwaPAs+5CAoGNBzdBojiJh4/kJSYO8wyTcuQNV5LNjGLkEJOHSI88PL48cCKyxv9ubq/FnpDiTFhym3iPW0mdE0hawX2geGIF/AiWlhrujCXkXX+f3N2yaDCq2ryVl8gCKNQmAfdJ4P/saPMdvlNAE0FAZLgPLti9SP5Uybki0Dl00HU3SRPoI0mjRfdupSmZFUmJspOhbDgwnKVjYcqzdn6zuKsdHM1kXT1n5KiwXmb47UXGGTQxCP/Y2wiQeE7W85Gqf4k3ZrqSBumu9Jl4rQdydKOMVqQ6an+hHwKVYo/xeItcmYtJ0EGbGkhWi3BZUcjhsSP55fytBWITR4NXYXtkCdxEdjLV2NkdYRjXETQq95qL3liXGUp5re3FiZkUWX4vR0/Ir7Uuq0rewdjWbNxll1tU+PMP2Wm/i3fXj6cnDY= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZGToRRtXYY7nBWqLfMTHCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4bF3kUrB4eL2/2E2FuskGt1YalrQBnXtrRHXEd4boCcE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJpJFswNcoAhPJnK0+Ce5dALefhGEwg7NrKg3sxA1KwA7/ZizpCRFK3vXLNeav1wIZJ3RPRgGKcTnQ1lXgdH8bmQvf3SygQSZnxLJ6lsKw7HINVY7pajeyfEEcPsAgPy9N3X8IQ3zC3qZcEuPtMkisBZ9MPJGmHt4OJb+RRYcPqYktV/LuurOUzA== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/2521b77266cb0171

Extracted

Path

C:\FPVNZIGVC-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FPVNZIGVC The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/88a4be4594e7b69c | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAEIBqLzCpLQsifA/O2JssIPRjUXRRMZ2Fs0B1wWeCXXi2CceAdt4tobvEoxdIIhgkR2yktfmL2R/Q0Keg+rkAkq0LoOvAEGIVH+2WazZd3zrBhqRCsdXyeBlX7HVmgHG9iPIzHuklaFoAruV9fYVknqdqySkw5QUpV6gnxqJRaTwvKhiEoL2N7+6u5kSEqXk1xrKOv3AUOwcXh7bW3C/ccv67quuJ2hScmzPyyVyrkPcUekUO7BuTP98uYNpwUcY9uyojgC+nPsd3OsxBLIqvYB1c4Ez/pZRHKaDQpDAdp9ABv8EBk7V3IeaL8bGoxKzLYuVWUNqfTchgRxy+EWQexQltzKCBw2MoTOB4hphwIJBU8tFJ3+/yHX80bV91ePI1JpJqcx/JVLXOr2of/qycavyJo4xCAKXuVB1FDOpBGEJvBGHN2qP9T213zEIv+r6/Je/wqAOXQS19fS04OP2kDQJuSW2n12oZ+NTeBOicsbYcjh3aV0GYIjr3SpKQzz5fwVu84XgGymJjM258PqnxQW+EPg363lpPP/hXvapE39fR/HBvLegaKzyWdeFRvDGod199ujzulDtl/HwHRwtcLHmorjJjMzdblxYJCwBNqWjUDZIfpPParFpfSO3ZhIuVflL+RnEnVKBEOMgCvSwrgCEnxVJjDEQ1zfzDt9UAVgP48FA8Yvrb0oTa2Cr6lN7ypzCbcr7SucMo10RdQTHfGVIubDRPAHE7RB1MP0Zw4XjdxBax88Cqs6IKSwLaQTcenFEmixC8cH2ktqqVWod96g+MVQZcBwqZ6GWio6bQfCZD0zzmVtZuIF0q8+zlFOLH3ekwWwfeCVy9NPXJiSghRADXDeeXgFvvyTqEloN40wwLihB9WFSk22vf35roR02W1QFKXKizcE5E+KEtbOdkBtDjdhjEix3iGiC0tVcxgn8ROQZ5bpwQ0wR9Ywv+0mXYtDX3FxbaHcM1u6J4s9yzKlNUmL3UjRqySsMIBEUHzwOuDlLybzuU/sqm8VD6uDT6E45iiCwnB7+Ze9e3rCm8ibBaBkaAuA3891bqVCGeFer9FqXUDrB/firhorjGunYPyCe+SX6IZVl8L5E6URQu2weLfzJmFk0mctaQnuqM2Phxthj5x60NoCv9N3L4X6q/j7Sd8UpXZXE0LqnxBNTBntuNsKCq2O4fXWnM/0n8dme0q7+Hoi+OmeQJylIobkdEvTTZWLQzT3KcylRBo8LDBMJmKoyq0+U2Z5gZrG/7Q6bxufTFFIOR2hIWsCOLvILIOVd/EXgkBbewFOub6gFbOvI6p0CZ6OmAhQev2vwFXC5S4jkvIeLE7hipMPui2ahi+bBwErDPRt3eNONlKF7LHYTFgLRGWqJpC5Blx4FWdRlS4SVf77zJFqF3AcIkZddw3K9nEb+sii2EDbqWCJV/vMoP8qEbe3iT9saleCN+3TxW+b8PI68fV02G5aC/3iQK1HHarx3sFcwP1XqBkKG1INFCAf3ACA3XZfmbxkRUcVhvW2vxuS2FFww76sYhc4NH9g6y+TQyKuWBu95vjT6DxxPDVHXv9uIJyoLnKGz6zsCBIlC0vLBuILn2Rkq6cOIBOT6LjRyrOXTL2c2D/DzFOWzE/bfMhsnh/z6WnF9AJQ5GVsayRVNPL7dd1GMKczoUKXhzWsLDzvpmPOhcR5t+oxtHEyCUmLxEAhvFenLedORbX+KYpEilnR39KEF86mxMSKhgj/OolUY4uUQdGaID06gkLBpozP6vuCwb55LtxnUY7FF5drC+xhyUb4HOtpuTb+lmuZLSMiKtmwJulxwBOW5tVr2LHkR4I80p0AJEl1ba2P7eKJ7JkseLQ5wPgJrcrCRo5Bc5Wh+aoJ6qgwnGhqzrgDL1T5hMOFH/ISgNhklGr9Vno5w56ADo3VRsYgS6NFan97CAuXDgOorsHGMwwU6sN9WIyp9wGf1SqKf+frAmgVOXmmeSo9/wgzgzc/ynaXt4Jb11F0iHxOg1Q55cVpCdcaMkq2+KslE1iGguGNcI0NTXKzMkOL+hxDoaz3fxdYDQXaaB6goywyAiGOEd7wUXoLwjlEExoJijIpBvs7DhKI81JpDqjzNIZZ6PVcn9+rzBu02hoffcbrvOU18a/HbyA4WHBc1B8LS1rbMgI71aKfZFPFV9efsulsrPYDjdpZwFQoChpTetQ9F4ndyujlC5MxytJ4DLqorOg4ZHOjviLKYMj+wnj/z5y6mOGGIIZwlEAI= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZSTo1RsHYd7nRWsrfZTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqZen+Lr55+lisbEnkUzB5eKt/2I2ROshGolYalqKBnTtuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO6JIQJopFqwNEoBhPAnKY+DO5AAL2fiGE1g6xrIA3txAhKwg7xZibpDRFJ3uPLaOb91wsZMHQSRlWKajmS1hTgJn9imRHfzCz/QU5nnrIultmwrXJbVczpPzetfEscIsBuP3NNnH9WQ2/C36ZUErLtf0jsBdBMMpGrHpcOL7+fRYUP+Ik= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/88a4be4594e7b69c

Targets

    • Target

      72311ef28d4b489360c8db938dc45650f95733a8ed316f53a759b3928e8e73e9

    • Size

      139KB

    • MD5

      4fcd0d13ea669a83a749ae5bfb098ca2

    • SHA1

      2da8e7cc5460aef7e6b97ccf13cd134bf1903d96

    • SHA256

      72311ef28d4b489360c8db938dc45650f95733a8ed316f53a759b3928e8e73e9

    • SHA512

      5ea08ee19b0d8a1fc79f5462e7725f2a9fde79354f89929f6dbb4c7fafeaa2151f96d7cf7e4520ef0d3c09ef941fed334a272c2ae8ab028f11c29d5006975b87

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

1
T1107

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Tasks