fantom

General

Target

http://www.e.com
Sample

240402-e58tjshc36

Score

10^/10

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\IHBKJFD-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .IHBKJFD The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/ea2bc7585733c084 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAPvNoyYA0B61jsMtg2FPahX26suX1Ea3HA2qr/nWTy6l4vOM2u6LVCkmxrvBE7aUMsgFYB/KzvvXnQz1VMukcmaAqjWcTyajm6kBTOe3XoRnaKRkrkP7jihZZiIBcAY+kBO8kSYmOpOhN8vBXC1c6NH1KXR7k15oL41N6jJn0ZBYlgQ5cfXp+YmZU9m4IBNv3ZJh2Rqr2zb0E7KAACfZ/dEOSPzhwgRl8jAfJC/sDkXo3QMrpfyuisx8kzDGb6UKSB5R/4XdLJfvZxMNVsXJGaW2D+MX31+0xc1EQnGK1RQ0AbOVOBXuZZ4r/LKSr5WqAnjHgnYVumAe+J86Zaj8a2iDAxG6eybyhMdUN67tIUdxgP+iBsJDVRdQN2hm6P3xmEYnArCB3DQdum8EHV2gORIQxqYG4I6fu69W6hcm+RVc8YYEDDwX0+6ru53/wMJaZanoQ6YYBfG4JO26cT/UF0rqaNRetFWSgTMVxpHl9yZZ/rdtsKiTzOZ71xAQOVqIeGJxGEY9AZ/68NRgWj43QxIU2mPwPd+2mLz9L9+hyPvybqO8TjhElqR6dYEXVqn/BCIZcp3zb28MK9cZaDWIRAsM/9xI2+2L5ewqDstocIouhiE4Q7c3YvmA/sWpYjfsi/9JRd56XKinFsPg/x1N96SAUeJAIBX2MJTk8yUBQUAew8SFnQTK+3cDV6fvBV8l7Wlliwdjxke/P4YG4jkzyQHUQBurJQ1L0vzDDCPSDFXdFpDD5MfZoqaqZ2qakcdJLSNKtsltwIOfahG3mr1oXJN56hW2A2A8q9XRVOEDafFC8PJrUJ1vQPznuI+/F9uZ0MsQEtCzRil2j08NUeiQUvhHPF1XiyaQt/PjSTrjHY79IkoG0tj785VESKeaDamZ9ZZpX5pOgErgbDmLrqhj4h+b8PdCuiaDM6O888Swj+1LmwTpJVXyOLFhesrANLIeKg7s+WfnR7hnfOx0CkMIzjH9WItR02ksetqQoCwlpOEiFfe2+lWuMssv9psQESwSKRkkXXS2nM2tfz06XMf5caK8tPOKih9YPze3x2xyreBYPaJfUezaIsLE4ak5GDNufEVzaedwmw9MqhMod9y/7FOyzOL+sDAGl3dIcTHfwMLiG088ieJmQeEGLinPpGP+jV4bwRF0zE9N+Ryn9Gsd7ZnQD7HAPYOrbv7vQRfLxAc7CZk1QtltqxWz1ccx9i5A3nqCRQ8bkq5UsCjyiYfpJJs65DYwE6W9N4/KjMBlN1rnGolY8PXsbBkoIsYg3k0HXs2B7a/rJvQdzh4sX3yaKQG+tHsQoIObLNUicMb0rFCP13Pn/teMhyRWeDRrhLOnAxL/CYNJIZ1wfIO0M05GHo6P3wb/KT4l1qST2SFQWXUozF7fKJqbCI2jKcKlftBplKjxlLcPXuCJGdhyj3P+eB9O+rFrbTVhMgOCxB7lf5CuDbDud0AXB4U6msG72N/2qFV4HiqLK9zD2r+v0+DmJfK/YYrvQgFksz8eWoZTQ4Dyh1lGE86DXov+qQTAmVky/8qw8vXTnH37VIswGrLDZhqYPmNEfCty0veCWOhuDWZrYVGvKRVufX3mKt0i8jd9hKX4paTMWx2kBtzXwmmu+W3GbmRk5o9f4C8P1lL91Dlx3g6UFx6crf7L5sYFKs98mtHJ1tBrN8gJJ3PZ8MAJfU14M1QJ4nmk17Zxmebu1cB6+q8Gi5aECXgvlYaPGxmwuQHkHfjRz6r201f5F/KukfnGgCr1fO+LQzGLTV6ez3AKhLe5ltWSN9XmWHIdNlYU083bTza1hus9QLyP8WMQNwxyBuZ+87/KyO1kIEfNtz0MJ+e3+joYqBLonMAQu/BLFgNYt1MneZUuSLcWT2ALSwSDN9xRVv8RTNoLPHZR83j1J66bdOnBg9v+FlN6qHDUAfvnrrNwggrfTHqB5PuiN6SJMEkw6AtES6E3HOXhKfPNwurKNvUdndufQIt6Sof0RtMERpgLMEqnFAtU4fXMlathTNMEQfmpugwnhAs7fugLNx4CMVgvXfNWqatyCqSm7uctXzPLdjQmcGGy5j2MpNROlcHObyjDzgBd6cI1WiSHYuBJdgh7I/HQ41wQbIXEwrv3GCZyBNA1dSb2rjqySK2HwP+REprp8VptOOgbHESnFanABqmLDRpUWp3wVTnfKUqEPuJTvAnzjwhY/bNxdTgbHrhMzRqKz/pDyHb8oy+PczpC9b9mWaf/CHLZkf8yJMjKxgs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDx9MbJMJDTAuWVtuDFRXzIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJKNBcBiZq/MZtR+e3NLHEmdGRi0eDP9ryr/NlLLzjXaP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtkyoi8O1fKlXDmT7qd4Bew6gTmwK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/ea2bc7585733c084

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>bKRS+fUkVLtJInUnl9RYbukcDzQdMF1DdkjloLbvxV1eXU/0EsNmOW268pWOruNMULWw4/JQcgjQVQj5z4Gh2AuFcUz0XGrDwUgsyElLJVBYBxPeA7YJgoAlibLEeLN7dHZMFwEOyObN5INt4y9XNU2iPvRdeIZ8Dge4JqdZ+7N7+tEwX7t2R2E3ZaZidcLCfoPJyrdmF+loTSE5/EngnzGgFHmBI6GebMKFZcdCxXOPq7VlY0ovP/rKsWzV5c0MdTTE8owt4Eu3aTQBCVzZPKqJCZawMGcf1wqQ6l9Zse0W4GI10qiVD9XjIHYDpccOnJwvdOWlWLMGX4gL/V5ksQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Targets

- Target
  
  http://www.e.com
Score

10^/10

fantom gandcrab backdoor bootkit evasion persistence ransomware
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Renames multiple (1000) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Sets service image path in registry
  persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1