General

  • Target

    RNSM00315.7z

  • Size

    14.8MB

  • Sample

    241112-xyma3ssmck

  • MD5

    9596ff4b5a2a0f67eaab05606e342437

  • SHA1

    12fecb35983d2051f8012b9169bf455950913766

  • SHA256

    a0704c171355f07d5ba80fcc0358f13757734f688cd397622a26fe152dd15952

  • SHA512

    cb70cd3f5e683499ba9ccf8ffa897af36978ea409d98097b4f0048011171cc1d7d05262148effec7e7116e21ed58bff96c2c5959b2bd98611463784f4af2a364

  • SSDEEP

    393216:/OfnLbyqnje5BSP5Dr2tVmTvicXVNeNr5d9kT:/Ofnvjdv2UvhNAr5X4

Malware Config

Extracted

Path

C:\Users\Admin\Music\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; } h2 { color: #555; text-align: center; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 1em 0.1em; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == 
v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c != '') && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } var langs = ["en","de","it","pt","es","fr","kr","nl","ar","fa","zh"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function onPageLoaded(){ try{ tweakClass('lsb', function(el){ el.style.display = 'block'; }); }catch(e){} try{ setLang(en); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; document.getElementById('file').style.display = 'block'; document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-nl' 
onclick="javascript:return setLang('nl')">Nederlands</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADEAAABACAYAAACz4p94AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAARCQAAEQkAGJrNK4AAAAB3RJTUUH4QEcFBoaYAOrHQAABThJREFUaN7tmlloXGUUx3/3ziRtTa2xcZ1gtaJFDFjtwSqllaKiiEilKOKDNS2UivXF+qD0QRBRUMQXN/TBBcFifahYFC0urfpghSMqaDSkdQMvojZpIk2zTMaHe776MZ17M6u9ozkwzAwz3/ed/9m+s9yABkhEUFX/+43ATcBy4FxgMdABTAB/Aj8CXwO7VfVdb10AlPy9aqGgTuYDVS3Z56XA48AtdWz1OrBdVQ82AiaoVfJATlWLIrIAeAbYWKciS975LwJ3q+pEJQ03DYRJKVDVGRFZCew0kylnqFaaAULgB+B2Vd1fru3ZKFcDAFS1JCLXA7uBMxs1S29t0fzn5kKhMBBF0WAURYgIURQ1DsIAhKaBVcAbwKk0l0JgGlgIrCkUChpF0U/VAgmrOCBvPrAEeBY4jdZQ3jRyDvCEiJxl2ne+mLowTQs5VZ0yJ95mobMaRx0A3gMGgSPAycCFwHXARQlrfKFeDjwMbG7IsT0zKorIauBtYFGFvxY9s3wZ2Kaqwyn7dgNPpkQ1t9/PwGZV3TNbxErThAOwCOhPADBtexwGNqrqrrR4bxFnBNgkIm8CrwFdCX66BNgA7KlLE2aDeVWdFpHlwPsVfMEBGAXuUtUd1YRGH6CIrLdAESZoYxC4Q1U/r8exQwMQAFdb+CuP7U6LO6oF4MK0d+47ZlpJfJ0HXFsm3OpB2HsPsCZBUtgF9VSZo85KFq7zqnrUTOq3ChYyA3QCq7x1NYFwZnYKsKJCFOqwz59YJKo5VTAmAQ4CuxKiHUCviCyryZzMhIqeOnsSDh8B9qnqTJqU0kKyAT8MfJwiyB5gWa0+ETjGgPOBeQkSGgG+rPdmM99wfjUEHEoA0Q0srRmEaSRv+VFHAogx84lGyO01ChxI+E8XcHq9aUdnhahU8uL471bszJoWVEFHbL8kHhfXCyIE5qesGXX+UW9F5mli0jSbRPMaAdGZ8vtUtSG1ykg1mXIRdzaaxVYjSU7kPmFKaAsq5DW+dBY2WAyV89GV8ntXran4tGfzW4B7K0grAI5WMIF6zAjgD2ATsDXhrPFaGwGZJhE59jrOPMraMIuBK4EzTFqlE8x7YNr6TFUP+dkwQCAiobuhRWQt8DTQl2FlfAtsVdW9DoyviUeA7U1owbSSfL4eU9UHjlVRInI/8FDGATizcvytLhQKQRRFewMRuQJ4y+y/Xcg13IaA/tBCWxftRe5+uwC4NQTWzpabZFgbAFeF1qzKtSEIp40+l+QFtC91hvwHaA7E/xlEKesgZrz6u19VA/eytH64FUGkmSCKtt8XwKWq+opL0GxE8AKwknh6mkkQ03bXRMTT0F9d7m/pfdGy5SHgPtclyRoIZyLfAR95APC6If4A5sOsgfB7UQe88jbJoceI+6+ZdeyOKrWWzxqIwJN+H/F8rlJDzR8XrMiyT
1wM3OnX7V797oBeQzxYbF6lJCLTTcpi3fhrBNiiqjsrNCBuIx5Ozs+qT+SJW5vdxHPoS3yHlrjH8nyzAbTCsZ1ZjfPPoMa/DMdpAc0lgHMg2gREqcxPSrSoHdoqx+4Ceu3Sc4x3c/wkNpMgclZT9AIPisjZFl57gUeZZeKThcuuvDhyAppsFfOt9gl/385/w7FLtDmFwF9ebdxO5IQ/HBIPLabaGMT+kLitP9GGAELi4ecHIfAqyc9VZJWc+SvwUi6KorFCofANsA44qQ0AuEfrfgHuUdWB0IqWT4Ebml3At4hywPfAelXd5y47sIfY7XbdQNytuwxYkCHmR4GvgOfcM4fGL38Dzdjo/H/3PFAAAAAASUVORK5CYII=" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2> <h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2> <h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2> <h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2> <h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2> <h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2> <h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2> <h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2> <h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2> <h2 class='l l-zh' >文件已被加密,但是可以解密</h2> <p><span id='filename'></span></p> </div> </div> <h2>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.0 Ransomware".</h2> <h2>Action required to restore your files.</h2> </div> <div class='container'> <div class="text l l-en" style='display:block'> <h1>File recovery instructions</h2> <p>You probably noticed that you can not open your files and that some software stopped working correctly.</p> <p>This is expected. 
Your files content is still there, but it was encrypted by <span class='us'>"SAGE 2.0 Ransomware"</span>.</p> <p>Your files are not lost, it is possible to revert them back to normal state by decrypting.</p> <p>The only way you can do that is by getting <span class='us'>"SAGE Decrypter"</span> software and your personal decryption key.</p> <div class='info'> <p>Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.</p> </div> <p>You can purchase <span class='us'>"SAGE Decrypter"</span> software and your decryption key at your personal page you can access by following links:</p> <div class='keys'> <div class='key'> <a href="http://7gie6ffnkrjykggd.op7su2.com/login/AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.op7su2.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.pe6zawc.com/login/AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.pe6zawc.com/</a> </div> </div> <p>If you are asked for your personal key, copy it to the form on the site. 
This is your personal key:</p> <div class='keys'> <div class='key'> AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA </div> </div> <p>You will also be able to decrypt one file for free to make sure "SAGE Decrypter" software is able to recover your files</p> <div class='info'> <p>If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using "Tor Browser".</p> <p>In order to do that you need to:</p> <ol> <li>open Internet Explorer or any other internet browser;</li> <li>copy the address <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> into address bar and press "Enter";</li> <li>once the page opens, you will be offered to download Tor Browser, download it and run the installator, follow installation instructions;</li> <li>once installation is finished, open the newly installed Tor Browser and press the "Connect" button (button can be named differently if you installed non-English version);</li> <li>Tor Browser will establish connection and open a normal browser window;</li> <li>copy the address <div class='key'>http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA</div> into this browser address bar and press "Enter";</li> <li>your personal page should be opened now; if it didn't then wait for a bit and try again.</li> </ol> <p>If you can not perform this steps then check your internet connection and try again. 
If it still doesn't work, try asking some computer guy for help in performing this steps for you or look for some video guides on <a href='https://www.youtube.com/results?search_query=tor+browser+install' onclick='javascript:return openlink(this.href)'>YouTube</a>.</p> </div> <div class='info'> <p>You can find a copy of this instruction in files named "!HELP_SOS" stored next to your encrypted files.</p> </div> </div> <div class="text l l-de" > <h1>Anleitung zur Dateiwiederherstellung</h2> <p>Sie haben sicherlich gemerkt, dass Sie Ihre Daten nicht öffnen können und dass Programme nicht mehr ordnungsgemäß funktionieren.</p> <p>Dies ist zu erwarten. Die Dateiinhalte existieren noch, aber wurden mit {us_enc}} verschlüsselt.</p> <p>Ihre Daten sind nicht verloren. Es ist möglich, sie mit Hilfe von Entschlüsselung in ihren Originalzustand zurückzuversetzen.</p> <p>Die einzige Möglichkeit das zu tun, ist die Verwendung von <span class='us'>"SAGE Decrypter"</span> Software und Ihr persönlicher Entschlüsselungskey.</p> <div class='info'> <p>Das Verwenden von anderer Software, die angeblich ihre Daten wiederherstellen kann, wird dazu führen, dass Ihre Daten beschädigt oder zerstört werden.</p> </div> <p>Sie können die <span class='us'>"SAGE Decrypter"</span> Software und Ihren Entschlüsselungskey auf Ihrer persönlichen Seite erwerben, indem Sie diesen Links folgen:</p> <div class='keys'> <div class='key'> <a href="http://7gie6ffnkrjykggd.op7su2.com/login/AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.op7su2.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.pe6zawc.com/login/AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.pe6zawc.com/</a> </div> </div> <p>Falls Sie nach ihrem persönlichen Key gefragt werden, kopieren Sie ihn in das Formular auf dieser Seite. 
Dies ist Ihr persönlicher Key:</p> <div class='keys'> <div class='key'> AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA </div> </div> <p>Sie können eine Datei gratis entschlüssen, um sicher zu sein, dass die "SAGE Decrypter" Software ihre Daten wiederherstellen kann</p> <div class='info'> <p>Falls keine dieser Links über einen längeren Zeitraum funktionieren sollten oder Sie Ihre Daten so schnell wie möglich wiederherstellen müssen, können Sie Ihre persönliche Seite mit Hilfe des "Tor Browser" aufrufen.</p> <p>Dazu benötigen Sie:</p> <ol> <li>Öffnen Sie den Internet Explorer oder einen anderen Internetbrowser;</li> <li>Kopieren Sie diese Adresse <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> in die Adressleiste und drücken Sie "Enter";</li> <li>So bald sich die Seite öffnet, wird Ihnen der Download des Tor Browser angeboten. Laden Sie ihn herunter und führen Sie die Installation aus, indem Sie den Installationsanweisungen folgen;</li> <li>Wenn die Installation abgeschlossen ist, öffnen Sie den soeben installierten Tor Browser und drücken Sie den "Connect" Knopf (Der Namen kann abweichen, falls Sie eine nicht-englische Version installiert haben);</li> <li>Tor Browser wird eine Verbindung herstellen und ein normales Browserfenster öffnen;</li> <li>Kopieren Sie die Adresse <div class='key'>http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA</div> in die Browseradressleiste und drücken Sie "Enter";</li> <li>Ihre persönliche Seite sollte sich nun geöffnet haben; falls nicht: Warten Sie eine Weile und versuchen Sie es erneut.</li> </ol> <p>Falls Sie nicht in der Lage sind, diese Schritte durchzuführen, überprüfen Sie Ihre Internetverbindung. 
Wenn es noch immer nicht funktioniert, fragen Sie jemanden, der sich mit Computern auskennt, um diese Schritte durchzuführen oder schauen Sie sich einige Videoanleitungen auf {a_youtube}} an.</p> </div> <div class='info'> <p>Sie finden eine Kopie dieser Anleitung in einer Datei namens "!HELP_SOS" neben Ihren verschlüsselten Daten.</p> </div> </div> <div class="text l l-it" > <h1>Istruzioni per il recupero dei file</h2> <p>Probabilmente hai notato che non puoi più aprire i tuoi file e alcuni software hanno smesso di funzionare correttamente.</p> <p>Questo era previsto. I tuoi file si trovano ancora al loro posto, ma sono stati crittografati da <span class='us'>"SAGE 2.0 Ransomware"</span>.</p> <p>I tuoi file non sono persi, è possibile farli tornare al loro stato normale eseguendo una decrittazione.</p> <p>L'unico modo in cui è possibile f
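The indicators worth pulling out of a note like the one above are the two clearnet payment gateways, the .onion address and the per-victim key embedded in every login URL. The following Python extractor is an added example for this page, not code from the sandbox report or from the malware; the `NOTE_EXCERPT` is a constructed test input that copies only the IOC-bearing lines of the `!HELP_SOS.hta` note shown above, and the helper names are the example's own. It also checks two properties of the template: that the same key appears in the bare key box and in every login URL, and that the clearnet gateways carry the onion's 16-character label as their leftmost DNS label, which is the pattern of a Tor2web-style gateway in front of the same hidden service.

```python
import re

# Constructed excerpt of the !HELP_SOS.hta note reproduced on this page, trimmed to the lines
# that carry indicators. It is a test input for this example, not the complete note.
NOTE_EXCERPT = r'''
<h2>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.0 Ransomware".</h2>
<div class='key'> <a href="http://7gie6ffnkrjykggd.op7su2.com/login/AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.op7su2.com/</a> </div>
<div class='key'> <a href="http://7gie6ffnkrjykggd.pe6zawc.com/login/AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.pe6zawc.com/</a> </div>
<p>This is your personal key:</p> <div class='keys'> <div class='key'> AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA </div> </div>
<li>copy the address <div class='key'>http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvI0MzbPx-Dc3MvbrvIlrMLjpEsiviz7Xz9VA8HIm5ZXTA</div> into this browser address bar and press "Enter";</li>
<li>copy the address <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> into address bar and press "Enter";</li>
<p>You can find a copy of this instruction in files named "!HELP_SOS" stored next to your encrypted files.</p>
'''

URL_RE = re.compile(r'''https?://[^\s"'<>]+''')
# Only URLs of the form http://<host>/login/<key> belong to the actor; the torproject.org and
# YouTube links in the note are legitimate sites and are filtered out by this pattern.
LOGIN_RE = re.compile(r'^https?://([^/]+)/login/([A-Za-z0-9_-]{20,})$')
KEY_DIV_RE = re.compile(r"<div class='key'>\s*([A-Za-z0-9_-]{20,})\s*</div>")
FAMILY_RE = re.compile(r'encrypted by "([^"]+)"')
NOTE_NAME_RE = re.compile(r'files named "([^"]+)"')


def extract_iocs(note: str) -> dict:
    """Pull infrastructure and victim-identifying indicators out of a SAGE-style HTA note."""
    gateways, onions, path_keys = set(), set(), set()
    for url in URL_RE.findall(note):
        m = LOGIN_RE.match(url)
        if not m:
            continue
        host, key = m.groups()
        path_keys.add(key)
        (onions if host.endswith('.onion') else gateways).add(host)

    bare_keys = set(KEY_DIV_RE.findall(note))
    all_keys = bare_keys | path_keys
    family = FAMILY_RE.search(note)
    note_name = NOTE_NAME_RE.search(note)
    onion_label = sorted(onions)[0].split('.')[0] if onions else None

    return {
        'family': family.group(1) if family else None,
        'note_filename': note_name.group(1) if note_name else None,
        'clearnet_gateways': sorted(gateways),
        'onion_hosts': sorted(onions),
        'victim_keys': sorted(all_keys),
        # The template writes one key into the bare key box and into every login URL;
        # more than one distinct value means a tampered or mis-extracted note.
        'key_consistent': len(all_keys) == 1,
        # Clearnet hosts that reuse the onion label as their first DNS label are the
        # Tor2web-gateway pattern: they front the same hidden service for victims without Tor.
        'gateways_share_onion_label': bool(onion_label)
        and all(h.startswith(onion_label + '.') for h in gateways),
    }


if __name__ == '__main__':
    for k, v in extract_iocs(NOTE_EXCERPT).items():
        print(f'{k}: {v}')
```

Run against the full note instead of the excerpt, the same function returns the same values, because the German and Italian sections repeat the identical URLs and key. The victim key is what ties a note to a specific infection and should be treated as a case identifier rather than a family-wide indicator.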

Targets

    • Target

      RNSM00315.7z

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Modifies firewall policy service

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware family spread by malspam.

    • UAC bypass

    • Contacts a large (7707) number of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
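Several of the signatures above (shadow copy deletion, disabling Task Manager and RegEdit, the Run key, the wallpaper change, the VirtualBox ACPI lookup and the host fan-out) are observable from ordinary endpoint telemetry. The Python below is an added example for this page and not part of the sandbox report: it runs the equivalent checks over a constructed set of Sysmon-style process, registry and network events. The events, PIDs and paths are made up for the example and are not telemetry from the run described above; the command lines used for shadow copy deletion are the common `vssadmin` and `wmic` forms, not a claim about what this sample executed. The point of the aggregation step is that a single Run key or one wallpaper change is routine, while shadow copy deletion combined with UI tampering or persistence from the same process is the pairing that separates ransomware from an installer.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events used as the test input for this example. The suspicious
# process is PID 4120; PID 900 is a benign installer that also registers a Run key.
MAL_IMAGE = r'C:\Users\Admin\AppData\Roaming\updater.exe'
POLICY_KEY = r'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
RUN_KEY = r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
EVENTS = [
    {'type': 'process', 'pid': 4120, 'cmdline': 'cmd.exe /c vssadmin.exe delete shadows /all /quiet'},
    {'type': 'process', 'pid': 4120, 'cmdline': 'wmic.exe shadowcopy delete'},
    {'type': 'registry', 'pid': 4120, 'op': 'set', 'key': POLICY_KEY, 'value': 'DisableTaskMgr', 'data': 1},
    {'type': 'registry', 'pid': 4120, 'op': 'set', 'key': POLICY_KEY, 'value': 'DisableRegistryTools', 'data': 1},
    {'type': 'registry', 'pid': 4120, 'op': 'set', 'key': RUN_KEY, 'value': 'updater', 'data': MAL_IMAGE},
    {'type': 'registry', 'pid': 4120, 'op': 'set', 'key': r'HKCU\Control Panel\Desktop',
     'value': 'Wallpaper', 'data': r'C:\Users\Admin\AppData\Local\Temp\bg.bmp'},
    {'type': 'registry', 'pid': 4120, 'op': 'query', 'key': r'HKLM\HARDWARE\ACPI\DSDT\VBOX__',
     'value': None, 'data': None},
    {'type': 'registry', 'pid': 900, 'op': 'set', 'key': RUN_KEY, 'value': 'VendorUpdate',
     'data': r'C:\Program Files\Vendor\update.exe'},
    {'type': 'network', 'pid': 900, 'dst': '203.0.113.10'},
]
# Scanner-like fan-out: 150 distinct TEST-NET-2 destinations from the suspicious process.
EVENTS += [{'type': 'network', 'pid': 4120, 'dst': f'198.51.100.{i}'} for i in range(1, 151)]

# The two direct shadow-copy deletion command lines; bcdedit/wbadmin recovery tampering is a
# separate signature and is deliberately not folded in here.
SHADOW_RE = re.compile(r'(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)', re.I)


def classify_event(ev: dict) -> set:
    """Map one event to the signature names it satisfies (names mirror the sandbox labels)."""
    hits = set()
    if ev['type'] == 'process' and SHADOW_RE.search(ev['cmdline']):
        hits.add('deletes_shadow_copies')
    elif ev['type'] == 'registry':
        key = ev['key'].lower()
        val = (ev.get('value') or '').lower()
        if ev['op'] == 'set':
            if key.endswith(r'\currentversion\policies\system') and ev['data'] == 1:
                if val == 'disabletaskmgr':
                    hits.add('disables_task_manager')
                if val == 'disableregistrytools':
                    hits.add('disables_regedit')
            if key.endswith(r'\currentversion\run'):
                hits.add('adds_run_key')
            if key.endswith(r'\control panel\desktop') and val == 'wallpaper':
                hits.add('sets_wallpaper')
        elif ev['op'] == 'query' and '\\hardware\\acpi\\' in key and 'vbox' in key:
            hits.add('checks_virtualbox_acpi')
    return hits


def evaluate(events: list, fanout_threshold: int = 100) -> dict:
    """Aggregate signature hits per PID; network events count distinct destinations."""
    hits = defaultdict(set)
    destinations = defaultdict(set)
    for ev in events:
        if ev['type'] == 'network':
            destinations[ev['pid']].add(ev['dst'])
        else:
            hits[ev['pid']] |= classify_event(ev)
    for pid, hosts in destinations.items():
        if len(hosts) >= fanout_threshold:
            hits[pid].add('contacts_many_remote_hosts')
    return {pid: sorted(s) for pid, s in hits.items()}


TAMPER_OR_PERSIST = {'disables_task_manager', 'disables_regedit', 'adds_run_key', 'sets_wallpaper'}


def ransomware_like(sigs: list) -> bool:
    """Backup inhibition plus any UI tampering or persistence from the same process."""
    return 'deletes_shadow_copies' in sigs and bool(TAMPER_OR_PERSIST & set(sigs))


if __name__ == '__main__':
    for pid, sigs in evaluate(EVENTS).items():
        print(pid, 'ransomware-like' if ransomware_like(sigs) else 'benign', sigs)
```

The fan-out threshold is a parameter because the right value depends on the host's role; the 7707 hosts reported above is far past any sensible setting for a workstation, but a domain controller or a vulnerability scanner legitimately exceeds 100 distinct destinations.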

MITRE ATT&CK Enterprise v15

Tasks