gandcrab | 8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3

General

Target

8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3.dll
Size

130KB
MD5

80604b65968dcb6b013d182203e016ae
SHA1

cb80aaeaa2f500d58e390d7d5e5e7f58917a2636
SHA256

8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3
SHA512

e7bfcc6b3495459ca0f51b2ccb4042437e940143aaf2d62074c7f004eac5bbb4f9492ce2003833f661de50995cf1336330b3f42f17ee32ca3004850104fb7818

Score

10^/10

gandcrab ryuk backdoor ransomware

Malware Config

Extracted

Path

C:\JPRIKOCKA-DECRYPT.txt

Family

ryuk

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .JPRIKOCKA The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/64b3b192f9680cc2 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAKhWU2JeL0/oLtQ5QBfEBhcl+B0sswK/Vecc7muDLTqEh20qgemIEQdaqrs1DUFmH9W94USS6FFVrygNIvmVTK0tzRnOClAu7LNug5uT+6BwG+FaX58Tv1zXvxrO/rTAIEJWF2twCsgV0rChvPWkQDCmu/65sjvnAhtkQe6HbEPJhVlkg5xEXsvSHGao5NVmrN0c2Rol9zorMnEcfBXdIDk/tmFZZx5/dV1Jhwi9YiRRovFkrpsAioBN38Za/n4z1e/EObc/SCYPWFxDCyUzuIP1DLNHAdxiewtkNVdraM+xEzIg5t3RjLBZlcFsLifSlDiHwgzOhRyukjV14N0mQJDvRskn3VkuiHCEJj8pc/cwEeUQviU//K6vEkv5SROg2YLWyA0aEUzOLaPWBAJuPLVWtKnjqfIMsZY0amcAf+VKxAX1TMzHqwcR79HxKwR5x4D0W9qS7jGSgrnPIXNvuU5p5cKsLdkn3+KTo2DpMlXUCPpDvA8pt6+xVT3w/PLycsa0OVCbBF3rnrlwxhhMMlHis6JqsE8vGahjqc7Ccfx+GAWonU1X85GMANbeAlzLuzgahxpNxDgahYhkNQK/868EDfblrErVry3iLBwohlM7h9EYw8jzfomY8gUZlcxiFeXwfkKhLGE+evrMvBszlRXw3l3V5H6K3a0UENxCurMfL3CKfWQ7oeo1knyap4FnisGIFCkErwuJKVK3dkISVay1Z1mIGD7ACWCdzz8bEEJSILWIhHCNvmSe052JRkGPOr84ka3ztM1A+QYbfi1/PxAnhXtHHjM2vx+p+Sf27whZCaC/1xAoYwegeX6jjTE2LpPJ7Qd7ES0TbWy+O/UQDQxXFM0cq9ODPvuWsFdcfTFNu3P6fvjicolA0RUorwXO6hLSjJYOmJNzvvGfl4M9ltUTQY6iPJZ/HShzBIDAcPfEHuIHpQE5wQ7NiieveBSsyFxSuw8GTiM0y3G/551vUfx7DqltBD1UchU3Ot3ArCOxejyWnp1O8CfZVqIAD9rQ4q8jhV+o9KUc+yfJcWjvEpb/wkLbHc1osXZItXNSqp+WIWdthLTdLUWfatO02W/ojihIy6wCP7GYKYEbO6s6usP/4Nbn/bi+K35PvJcuPAWz3sqovZEq84yJIo7cW6RA4a/WWpdTioheeNX8wT7mIG6P1fY5pfzZuYqn5dA2RJEJiINZKYu2mYOpUDl60KvRz+dlE24VRTcH+yrCojwqz57XnGofD9u844otW9RKutasK9cFA3gXAXrNe6mrg9wtwZOwms755WW9eI/Ntih1ugPs4ti9pNA4uY5V6t590VWn9NNWpXZKscXcH1l/ePQBAlgIaNbfrUCbIuxBrve6IQ/eBaEV2QKV9cmew82h3QYdF1JCj3G4eU814vT0mFWVZ/u4P7p947XeClBUyScEoBCzLmMVu/kv6VxW29oOBoYLxeA3gZ4oJcv/qqPYcSOg6ttkXi4r0gSsOoJxRAbyaooDu/EYpaJEXDC6wpjrm1U0eGv4oTGp6qPWPlD+ZkM5r4frc6+uLGAOIAqITGEhPMYJLV6PimE/NloXwbNy+7a+gk4bq8Mb6Yxr8PLEmZwF1P9NKeau9G/rtZ7IqMaouw5crStLEveOljKNJGFr7thKiIqDtOqhxtTyTrUXtUeo4k8JlZdYL3bdMxlyJ6E8W0vJWdBIBurjsubEU0CTjJ9BgQqMQiLcnXmZQf2Kp3tThCUK+v8ACPznqo2XnZACusmmHSyYcZ1RtoKi2jQe0g5NzI1xLKy7Ddce1VvKPRJea/x3GfLEHnZlyIyQ+3xZFwTen3mCj6RkoukISxM7yQXyC1iJY/ZPPHAkRCru/kqPRLz0VnCAflmPI+w9qiqjI1ee4lHq4SAAekaJkbHNJ53MNBJ2DFtYSHN7tFiyw1/MPtFrR5AxxsESgVntgcV1j+AWi1BJboIuXMgf7c1DjePJMUNKit9lqcChFz2W7Kpjf4RUR5uMna7CTe+9EFK4uN65sPcKpRhN9QunKb6qL8W+r7I2ZeKx6CY8S9OlGURoar/DtoA0fD0SU4SIm0Bv4xaZoGTJFt25FKUIqa2bqOEuKltH53bmRvaHn6ZwxFXatVUzbuK4dCKNV9//b/071fhA6bLdRYQ9O4kOLI2E6rgfsTxIIQufq6HV5q/waVPDgcWp6U/gKZIMUQZMZrcwjGJ0/3d1XcVzRb8ulCjszx/G4PMNgn+3GysGo3BXAvi8OdwBaWs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZBToZRqHYJ7ndWpLffTGqHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi5bF2kRrB4+L2/2c2GOskGo1YZVqFBi/trRGFEYoboycE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJpJFswNcoAhPJnK0+Ce5dALefhGEwg7NrKg3sxA1KwA7/ZinpDBFO3vzLNuau1wAZJ3RPRgGKcTnQ1lDgdH8bmQvf3SygQSZnxLJ6lsKw4nIMVY3pajeyfEEcPsAgPy9N3X8IQ3zC3qZcEuPtMkisBZ9MPJGmHt4OJb+RRYcPqYktV/LuurOUzA== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/64b3b192f9680cc2

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\JPRIKOCKA-DECRYPT.txt	rundll32.exe
File created	C:\Program Files\f9680b21f9680cc5214.lock	rundll32.exe
File opened for modification	C:\Program Files\ClearProtect.hta	rundll32.exe
File opened for modification	C:\Program Files\ClearTest.wax	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1348	1916	WerFault.exe	27

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1916	rundll32.exe
1916	rundll32.exe
1348	WerFault.exe
1348	WerFault.exe
1348	WerFault.exe
1348	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1348	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1916	1540	rundll32.exe	27
PID 1540 wrote to memory of 1916	1540	rundll32.exe	27
PID 1540 wrote to memory of 1916	1540	rundll32.exe	27
PID 1540 wrote to memory of 1916	1540	rundll32.exe	27
PID 1540 wrote to memory of 1916	1540	rundll32.exe	27
PID 1540 wrote to memory of 1916	1540	rundll32.exe	27
PID 1540 wrote to memory of 1916	1540	rundll32.exe	27
PID 1916 wrote to memory of 1348	1916	rundll32.exe	28
PID 1916 wrote to memory of 1348	1916	rundll32.exe	28
PID 1916 wrote to memory of 1348	1916	rundll32.exe	28
PID 1916 wrote to memory of 1348	1916	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 280
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-56-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1916-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads