Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 19:20

General

  • Target

    6c02819d4c8f9dd920e0368588e65ccb_JaffaCakes118.exe

  • Size

    128KB

  • MD5

    6c02819d4c8f9dd920e0368588e65ccb

  • SHA1

    59b2862e85e0f030f18a7d0c07fb2dca2d5b2432

  • SHA256

    b0fbcec8c22a53492e24e3cd38e32af4f2d3399b1ef71f6cef6d58bc692957f1

  • SHA512

    574224d3e29b8b1649666cec8fc91cf7f7b84ab4b1c4e1af9c82da4bad553189a94de5f7e41221401f1434dc191c4d052194ecf3ada0b22d2078e410a0660dfe

  • SSDEEP

    1536:52YN1nS9cCY6Vbs8P+TLtXBcGVyThYhqi0sWjcdhIS3FZBq2dks4QTg12A58AQpE:xNQDVQ8ujb1hhhIS3FZBaCgrQp0Mq

Malware Config

Extracted

Path

C:\MSOCache\KRAB-DECRYPT.txt

Ransom Note

    ---= GANDCRAB V4 =---
    Attention!
    All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
    The server with your key is in a closed network TOR. You can get there by the following ways:
    ----------------------------------------------------------------------------------------
    | 0. Download Tor browser - https://www.torproject.org/
    | 1. Install Tor browser
    | 2. Open Tor Browser
    | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/64259031ebb0cc77
    | 4. Follow the instructions on this page
    ----------------------------------------------------------------------------------------
    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
    ATTENTION!
    IN ORDER TO PREVENT DATA DAMAGE:
    * DO NOT MODIFY ENCRYPTED FILES
    * DO NOT CHANGE DATA BELOW
    ---BEGIN GANDCRAB KEY---
    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
    ---END GANDCRAB KEY---
    ---BEGIN PC DATA---
    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
    ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/64259031ebb0cc77
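The note above has a fixed layout (a version banner, the appended extension, one .onion URL, and two delimited blobs), which is enough to pull the shareable indicators out of a dropped KRAB-DECRYPT.txt without touching the key material. The following parser is an added example written for this page, not code from the sandbox or from the malware authors; the sample note is the report's text with the redacted blobs replaced by the string `<redacted>`, and treating the URL's path component as a per-victim ID is this example's own assumption, not something the report states.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed input for this example: the note text from the report above, with the
# key and PC-data blocks (redacted in the report) replaced by "<redacted>".
SAMPLE_NOTE = """---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key.
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/64259031ebb0cc77
---BEGIN GANDCRAB KEY---
<redacted>
---END GANDCRAB KEY---
---BEGIN PC DATA---
<redacted>
---END PC DATA---
"""

# v2 onion hosts are 16 base32 characters, v3 hosts are 56; the trailing path is optional.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/[A-Za-z0-9_-]*)?")
HEADER_RE = re.compile(r"---=\s*GANDCRAB\s+V(\d+(?:\.\d+)?)\s*=---", re.I)
EXT_RE = re.compile(r"extension:\s*(\.[A-Za-z0-9]+)")


@dataclass
class GandCrabNote:
    version: str
    extension: str
    onion_url: str
    victim_id: str   # assumption: the URL path component is the victim-specific ID
    key_blob: str
    pc_data: str


def _delimited_block(text: str, name: str) -> str:
    """Return the text between ---BEGIN name--- and ---END name---, or '' if absent."""
    m = re.search(rf"---BEGIN {name}---\s*(.*?)\s*---END {name}---", text, re.S)
    return m.group(1).strip() if m else ""


def parse_gandcrab_note(text: str) -> GandCrabNote:
    """Parse a GandCrab ransom note; raises ValueError if the banner line is missing."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("no GandCrab banner line found")
    ext = EXT_RE.search(text)
    url = ONION_RE.search(text)
    victim_id = urlparse(url.group(0)).path.strip("/") if url else ""
    return GandCrabNote(
        version=header.group(1),
        extension=ext.group(1) if ext else "",
        onion_url=url.group(0) if url else "",
        victim_id=victim_id,
        key_blob=_delimited_block(text, "GANDCRAB KEY"),
        pc_data=_delimited_block(text, "PC DATA"),
    )


def note_iocs(note: GandCrabNote) -> dict:
    """Flatten the parsed note into the indicators worth sharing (no key material)."""
    return {
        "family": f"GandCrab v{note.version}",
        "extension": note.extension,
        "onion_host": urlparse(note.onion_url).hostname or "",
        "victim_id": note.victim_id,
    }


if __name__ == "__main__":
    print(note_iocs(parse_gandcrab_note(SAMPLE_NOTE)))
```

The onion host and the appended extension are the fields that survive across victims and are safe to put in a sharing feed; the key blob and PC data are per-victim and stay out of `note_iocs` on purpose.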

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (321) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
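The "Renames multiple (321) files with added filename extension" signature is the one that generalises best to endpoint telemetry: a single process appending the same new extension to hundreds of files across several directories in a short window is the encryption loop itself, regardless of family or extension string. The detector below is an added example for this page (not the sandbox's rule), run over constructed rename events that mirror this report's numbers (321 renames to `.KRAB` by the sample's PID 2960) plus benign noise; the event tuple layout and the thresholds are this example's assumptions.

```python
import ntpath
import re
from collections import Counter, defaultdict

APPENDED_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,10}")


def appended_extension(old_path: str, new_path: str):
    """Return the extension appended to old_path to form new_path, else None.

    A pure append (report.docx -> report.docx.KRAB) is the ransomware pattern;
    a move or a rename that changes the stem does not count.
    """
    if not new_path.startswith(old_path):
        return None
    tail = new_path[len(old_path):]
    return tail if APPENDED_EXT_RE.fullmatch(tail) else None


def rename_bursts(events, window_s: float = 60.0, threshold: int = 20) -> dict:
    """Flag PIDs that append an extension to >= threshold files inside any window_s span.

    events: iterable of (timestamp_seconds, pid, old_path, new_path); assumed layout.
    Returns {pid: {"count", "extension", "dirs"}} for each flagged process.
    """
    per_pid = defaultdict(list)  # pid -> [(ts, ext, directory)]
    for ts, pid, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            per_pid[pid].append((ts, ext, ntpath.dirname(old)))

    findings = {}
    for pid, items in per_pid.items():
        items.sort()
        best, j = 0, 0
        for i in range(len(items)):          # sliding window over sorted timestamps
            while items[i][0] - items[j][0] > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            exts = Counter(ext for _, ext, _ in items)
            findings[pid] = {
                "count": best,
                "extension": exts.most_common(1)[0][0],
                "dirs": len({d for _, _, d in items}),   # spread across dirs = stronger signal
            }
    return findings


def build_sample_events():
    """Constructed telemetry: 321 .KRAB appends by PID 2960 in ~29 s, plus benign renames."""
    events = []
    dirs = [r"C:\Users\Admin\Documents", r"C:\Users\Admin\Pictures",
            r"C:\MSOCache", r"C:\Program Files\Common Files"]
    for i in range(321):
        old = ntpath.join(dirs[i % len(dirs)], f"file{i:03d}.docx")
        events.append((1000.0 + i * 0.09, 2960, old, old + ".KRAB"))
    # benign noise: an editor writing .bak copies, and a plain file move
    events.append((1005.0, 4100, r"C:\Users\Admin\Documents\report.docx",
                   r"C:\Users\Admin\Documents\report.docx.bak"))
    events.append((1006.0, 4100, r"C:\Users\Admin\Documents\notes.txt",
                   r"C:\Users\Admin\Documents\notes.txt.bak"))
    events.append((1007.0, 5200, r"C:\Users\Admin\Downloads\setup.exe",
                   r"C:\Users\Admin\Desktop\setup.exe"))
    return events


if __name__ == "__main__":
    print(rename_bursts(build_sample_events()))
```

Keying on the append pattern rather than on `.KRAB` keeps the rule useful for the next family; the `dirs` count is there so an analyst can separate a backup job working one folder from a process sweeping the whole profile.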

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c02819d4c8f9dd920e0368588e65ccb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6c02819d4c8f9dd920e0368588e65ccb_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2240
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2372
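The process tree shows the recovery-inhibition step in full: the sample (PID 2960, running from the user's Temp directory) spawns wmic.exe with `shadowcopy delete`, which adjusts privileges and makes the VSS service (vssvc.exe) start. vssvc.exe itself is the legitimate service and should not be alerted on; the signal is the child command line plus where the parent lives. The following detector is an added example for this page, not the sandbox's logic; the event records are constructed to match this tree, with a benign backup agent added for contrast, and the field names and severity scheme are this example's assumptions.

```python
import re

# Parent images under user-writable locations make a VSS-deletion child far more suspicious.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|tmp|downloads|programdata|public)\\", re.I)

# (binary basename, pattern over the normalised command line) for T1490-style recovery inhibition
DELETION_PATTERNS = [
    ("wmic.exe",       re.compile(r"\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin.exe",   re.compile(r"\bdelete\s+shadows\b|\bresize\s+shadowstorage\b")),
    ("powershell.exe", re.compile(r"win32_shadowcopy.*\bdelete\b")),
    ("wbadmin.exe",    re.compile(r"\bdelete\s+(?:catalog|systemstatebackup)\b")),
    ("bcdedit.exe",    re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures")),
]

# Constructed process-creation events modelled on the tree in this report (assumed field layout).
SAMPLE_EVENTS = [
    {"pid": 2960, "ppid": 1400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\6c02819d4c8f9dd920e0368588e65ccb_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\6c02819d4c8f9dd920e0368588e65ccb_JaffaCakes118.exe"'},
    {"pid": 2240, "ppid": 2960, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe"  shadowcopy delete'},
    {"pid": 2372, "ppid": 600, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    # constructed benign contrast: a backup agent installed under Program Files
    {"pid": 3100, "ppid": 800, "image": r"C:\Program Files\BackupVendor\agent.exe",
     "cmdline": r'"C:\Program Files\BackupVendor\agent.exe" --nightly'},
    {"pid": 3101, "ppid": 3100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 3200, "ppid": 3100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
]


def detect_shadow_copy_deletion(events) -> list:
    """Return one finding per process whose command line deletes or disables recovery data.

    Severity is 'high' when the parent image sits in a user-writable path (as in this
    report: Temp -> wmic.exe), 'medium' otherwise (e.g. an installed backup agent).
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        basename = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = " ".join(e["cmdline"].split()).lower()     # collapse whitespace, case-fold
        for binary, pattern in DELETION_PATTERNS:
            if basename == binary and pattern.search(cmd):
                parent = by_pid.get(e["ppid"])
                parent_image = parent["image"] if parent else "<unknown>"
                severity = "high" if USER_WRITABLE_RE.search(parent_image) else "medium"
                findings.append({
                    "pid": e["pid"], "image": e["image"], "cmdline": e["cmdline"],
                    "parent_pid": e["ppid"], "parent_image": parent_image,
                    "technique": "T1490", "severity": severity,
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["cmdline"], "<-", f["parent_image"])
```

Matching on the basename rather than the full path is deliberate: as in this report, a 32-bit sample on x64 launches `SysWOW64\wbem\wmic.exe` even though its command line names `system32`, so a rule pinned to one directory would miss it. `vssadmin list shadows` from the agent is left alone, while its `delete shadows` call still surfaces at medium so an analyst can confirm it against a change window.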

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Windows Management Instrumentation (T1047): 1
  • Defense Evasion
    Indicator Removal (T1070): 1
    File Deletion (T1070.004): 1
    Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1
    Modify Registry (T1112): 1
  • Credential Access
    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
  • Discovery
    Query Registry (T1012): 2
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 3
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Inhibit System Recovery (T1490): 1

Downloads

  • C:\MSOCache\KRAB-DECRYPT.txt
    Filesize

    7KB

    MD5

    e8b00c3c071154863db68315aed574dc

    SHA1

    b249eee2da34ec8beec0c3725f83a34c74383c7d

    SHA256

    2685952e163da8141f6780f79be75223ba868f35e23be89ce6f6067c7c1aadec

    SHA512

    eb26baf9fd51b1afe8d91ae8aba4e0572756c74b36d4b210c86853a7a8fdbec636f7e8d671551b8ad27075c0b444feddc13e5c28b0738b33cd1fe8b5ff0346fa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    376b3ab98331e90cbd9b29a12d17be87

    SHA1

    a4ca93f1376b7d0f758da4e41aafccc48434c443

    SHA256

    26ec818e8991fce67290e1b6a0396ac917138fb920a68e2e6b050c309d927cd5

    SHA512

    6e52769848cbe673d0cd150cba2f5c39186e08b4b0740b7c96a8ec40eeb6e3408bbf12c28707d80c72746df3a9bc8bf4f982903623955fbe1a1d294e46004b15

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9e7474e491605ac2f65afaf896721bc2

    SHA1

    3801cb7abf55d36da90de446ab2afe5a95fa6630

    SHA256

    3f3c7278c6d53ea205e95f26ecaa5baba45f105613a0cd03b88cf315ade27f00

    SHA512

    86cdf379b52302724b3ed50b37deb46db2ffb8b0dab77134f16ed406850137930ae4755323dc95db0d8e33b86181195a72378cd4a77567c5c339ef35866c30d8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    fddc38844089e0bf0fa4da4f4100e3fb

    SHA1

    fa80dd810d88ef555ba322f0cc95bd2a967b1eea

    SHA256

    afcd502531d62ea266457d419a2ddcf191318b6344505f31199224d6e46e4ed2

    SHA512

    bfb9054d26603861e9328378c51e27766db2079f0a2e02356ce7581fcdc074a764a06b7c10964b625d4ce6a39808433fca35256f1334d8000c7773ef39fd6a64

  • C:\Users\Admin\AppData\Local\Temp\Cab24E1.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar2777.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a