badrabbit

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Sample

240324-vqcqkagf5w

Score

10^/10

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\IQJYNXQ-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .IQJYNXQ The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/edf09d4b6206e09 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAI9KSvcJiWYL/Z71xF07Of5jv7Y1ycyBr7l9Dw958A25C3TNDU7F74Gu0aZjsNEkHxWCF+xzv4qGiKl8OZ/7BSXJaS6rzoxmmpy3CcDPLBDvs1TzSlA7jMNbSNvT/KW233iOpbiC/xHMv4VWxDHloYs782ZHgWtDJ9Bcfz/0DSUPlNHGQ0gIeJ08mjSAbi3V21kEm7xBYM5PaQoTEoLBH3i6mc7PlYLGt2+NtUzl8lv4VuPCEYDDxMTSN7IXu00A7o5au1eqif2jbFya8cFE10kZvyQXCkeL/O6D2vvlIprSD9WrvBZlZ9lYN873WUDobNg97rY75071IAx5eyy4iW769AZafxqBHHtFhFv1VizC7gYQHHvhB6QtuC2D99nQ45C8uMtiV3mwQkp87EXzDjJ7gQP98leedKG1SJHGeYubzjYzabkSTk2DlrLWxRlJa5BaQeFL1kW/Zu2ftrrSv/225buKVNqowAR5qsalV0hqEIcdEBBzFLZpNcjh2Wr9OgqECk7rwsVL+TVWhaTlcLw+kMMy+bR/+BlI+niSqZXYn8YT0Bwb2aHcf06nqcUUvXb8giLn+FzpCysuol7NTAvZ4akKt91BHiXmTH0EsjJMxLIwuJIhtMNatIYNoFb/KbVd/t8r8acx5OFgLbz56AfSQuc8JE6io6HVCVtoPYkV2MvMxdUK+lqw+AarzoD8wJuDX3JCsxsRoIN9h4iyw64uKa1ArcCD5JGH0Q1u2Cjtp4gX7rwt8CQEQTf/Ytll1PVU+Fagm1QydiYyBQwR4zm579Rf0HE/BLXTERkNrJXL6K/fsd/vjhYIGUdOUt8238NAxI4RAADjpmL3FWULq9cIR/Si6CgsWusGXRrr0EjoCFsrHZTeWvTBW5yLnz6VLO6gsl+K/zqbglNwq75dx8QAWiiLTFe8KbZEKFA862ox8lhdZWnXrE42QB2Saddc+9txaY7FZlCchShruuW/AwP8mIalCBCkVGKqARVccg593bHhfg4VvA2Wu/yB5pyg0D1T3kw3E7+P8w4YCDiKndPnUHHG0On9tY3u7dBfGjvRA9MKFYwXDBTyxJHBJV+3ia01ghPwnx6NB9FZUZ6dol6pe7JGuoeo31gjb0mfnRpcK6O2hbGFGbTc/aZk+wAcMvBStNvNoT9Fn1IHsGVpRhL/AnQ2hEQPmmVR1Rc1Y5MO60i1ebVGTH8eYdw5iUWxAAki/5swqnC49mJMZe+8vG9N6WMtPZWuqvDb6wmwniSfYMrVWPj58AGNaax1cdPr+mAc//pm08iRxhwLVEFFkmc1qSHjjLfRDTcu0f/nljrXeFiskMHXQguoiiUJUuFvMl+QpzhRb0u4YWMNIkB5EhGyx2buL5PePlTTB2Z3VgIeNe2th1HDtdCZG6Ms4X3/6RG2IOb+a5rU1WhLaLiNLuCIvt4uZ5nnL7JwmAXW2nWpzzFyNdzsLv663ZxGx3tKTV6oxSwzMvLvdEdc6Uy+Nps+alTK/aiKE2bGnct5f1r5ZeZZUEa+Oi8O0qMq7Xagk4HELnjvyxIp7QgPKy8Hevme+nNDq+Sztzf0of+InsH+kmJ4OcjdU4eFef6UB8X+DV1kkrkKJadfi5ZvyqbxCasjhxcPJw7SAX3vet4cq5rsVGKckOzhTYZGizeUcvXntzqgRyLj1dc+NWSGbLgMF1+zeFUpsyRQt3UeNsQ2yIAhw41sm0AadT9WIcVF2wCFJh9NqD18ypp+2VbiGBg8QrwF+WZlYIrQoTD2HM7KasuekYCx5KUHbdy1jlqpdoE0yLo2TUhDtT1e8dcaTLeuapOW9bmmvqEhNILs0kXUsTtma+qX0SqPGxhv3SuShx4sfbZsjggbhbxim5J6lxT4tB70HHB4fW0Vu/Y76sBWtw7K09/h0ZiG/RiRfIo/l7hlrS7pCiA+62jbBVYIfVZZo8c0hX3pAlInlaTrX/oUM40RDSXjWr120mHUTxSV5EEDY8bTAVKFmJTSQMUX1EC6/7WCIwr17SYi0CpE2dOLVuc4IGgae7/Yo23L76HQYBhquSZQkn7ROG3oVuCvVoUjAL6zPCdb8Jvy+cRlUXf2uAI8DTgM1v7QK2XwSVicOhd2UlCZSWuK28iY2bttPTKs8A+Y5Yj8MierjGjMoln9CQbdmMfGq42PCs3Sc1pua2u7o0WduMIuL9xQrJhsE6ydjlorwuotZihs9YQPS56WUFb4vwbZ6+UMzn9sfqn2hAnu6i8MioE= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD79MjJOJDbAuiVteDPRX3IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJKNBZBnJqrsY3R7S3NbGemdKRjkeAP9/yqfNlLL3jT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAooTbFrZ2EPDix5ShBudHoMloO6iOVzOm2qBpvYLwDrtMyoC8C1fKlWTmR7qZ4D+w6gSWwQUzSb+QfwNw4LR2j3Li9wF7i8TPbKPugg42XWKf+7AkXvCaiiYFEEv9EtCM4ANvhx9QWIEz1UEGNybGMOp0F1gg/+uQVe3kEm3TdCrDrBNcRPB6VJMopLqYb8gmQcDmVvbCVEY+sVLSKnN6aP0Iub5o0+FHLc3/SgKIMDArFyYH6qAJw1UaCxMHGs3USmw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/edf09d4b6206e09

Extracted

Path

C:\g1rFryAhrVg2xrt\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>JhnMGdMG0os+1xx226F4s3P3g03ES3NkArneYVRzrVZDQWtc9I1AmtcQmBB2scSYlDNP6/Zwic26VKcT1C7C/78VFIOZVJyH78/qHXysh0N857lhQNvFnPPs9Dh/1L5wAk4RvLS25mLpmNjj+KlQQO6SHXcv31o3CCKtrSUCj1bjbjaii8DElfu4iPs5u81rLx579ZdcFMUUw0UlRpDY4jYX9G9CEVIDFI303EdycmdPfb3yYx/I4u+J2nN+lxSgQp6JOeZRUk6DpdzMEljoflCwkv9pjEqQ0ugVqO+65I1zL2pPUpiddQibF5L6BKvwVgd7T5nqICQZV4eeQYmdkw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Targets

- Target
  
  https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Score

10^/10

badrabbit cryptolocker dharma gandcrab mimikatz troldesh backdoor discovery evasion persistence ransomware trojan upx
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (438) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- mimikatz is an open source tool to dump credentials on Windows
- Contacts a large (1140) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1