General

  • Target

    83366122929164c8f35fccad65a2f7b0_JaffaCakes118

  • Size

    183KB

  • Sample

    240530-gkk8vshf82

  • MD5

    83366122929164c8f35fccad65a2f7b0

  • SHA1

    ca6ea17dd6e85ebf638546b967e535995f5fe58c

  • SHA256

    762767ec5af85af701088d29480b761fe53275c340734b99050500b18a065ae5

  • SHA512

    0d3ad8799e36bd94781208637515c4d9351b4c75aaf82ed3cf2f16b946446357024eaf7ff255b88a0e9e33c1e3f7725deb66990519ed63d125303edb082d3243

  • SSDEEP

    3072:n/BIkrLUkMZ2m7ksIS/bOpd5kyqdGev7:n/BIkfUV27sFbONkn

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\BWCLKMXN-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .BWCLKMXN

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/244ce4abd72ced48
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---

---BEGIN PC DATA---
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/244ce4abd72ced48

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\XOJZHFWCA-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .XOJZHFWCA

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/1096be7afce866af
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---

---BEGIN PC DATA---
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/1096be7afce866af

Targets

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (289) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
