General

  • Target

    ComputerRaper.exe

  • Size

    85.4MB

  • Sample

    241124-aqkqysvjcx

  • MD5

    bdb24ed9f869fcd462b316148514fc5b

  • SHA1

    83935122b626378a3149e9036cd751514add4b52

  • SHA256

    83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0

  • SHA512

    12fdb77a75debeacbc4b98cac45d09a7bcc378bd9bd51bbc035838b99c1d595660d5c0961a2d041b2e8359f3b5b096f589d39453ada9874436411b94b8b0d611

  • SSDEEP

    1572864:NUkskQ1oOZrCqix58TkbajhXBFEQT9VotzcJ97:N/NQbCbmXXEUvoM97

Malware Config

Extracted

Path

C:\Users\QWYXODCYVL-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .QWYXODCYVL The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/42eb3d0753fcf297 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFlxSG5/a36/xItHAOR8f96+ZtYJIkU8xQ+Dutd2y9EHF4gUOKzXGbFX1nO1rS9ic55TUqRFYHXjOcAAb8DpKX9Uj0NE1KA9OTyyuQH2Za9G1g29qiXDRdu6RcT9+nFzLovkyvUqzB+RrByDAwcj+bMUFDNN6u8F4dEHykAq1y5pl0daBcrggyvI0rcKvGIkP27nA4608QuMsKCiTGFv6i08TBjt/afSGAAN9V6EVmeNKL9O9EuNi2ksfWYVaf3/UcyySDoOYM3cAzps2wnpqSDs0rEYbwdsCIlwNBSDyVJB2VulSSt26pTGzD12UD5TgC1i3JriqRCLce4igcsq8C2SYFSxgzTJIpbFKGGhh10z5RpdZD40ygifml8Nvy/4Oa82QMyBjMyoRp2RugaIMJ2PzoH/6HJRKnNc8WnA4ZPj7UHIgYeZwHF66w0GNkvELOXqspUTODdEPp+vGDZzO6B0KxhhmbxJMwCd+6ntNQeZ50Xbs/BdEVzhAMJq1Ll8E51AlZengau6rb4/4xL2MXf18Dgld4KRT9eo2gmhBkuQ0wIOw7pqHOgSJs9BPWdUxL2UYruC60KVKu7IGtxirBkN1GDn6Df0KznxyS5+bdDiBqkYZv1fdrAJ36rI1XyNAxkaMx4FuiJIzGtHUODM10IXt7sb6PmidObOyUcHFcd9Fx67upGWWZcVvNv+um/76DHU/p+eRYTFA3LVsM+xw31sFF0+EmePJMg8lfOHKB+vq3pe6tsfnkyVfjuSWIochx6OYr6XM03M1bFSKHCwS/piq2Lg+Zw7BKnS3Akj8nKLCt59s2L46ZaIkdlizHG3wmnlX6Hy9dvkm0hL8yoNk2YfMAENylm/hOXnkqmmA2tvcn0dwFyR2vEMBwuQ0RR8ApgfNd6rBx17o6uXr62Xc5NqdvmAOJTddXdZE7qqVjfgjmcno+/j+x5cHl26hGerweS0Wos4SAJK+z4kiEkLV30KmJifYtflnxqFT+EoyO+2Jxj5SSbwsBmfVj+3JqFN09v2Iw1AKdTy5KBEwhY/vUjrl8Fvi0Vh9/u4bV4oUhkONHigQlKtSoqLUUf2y5HgLc4/xjDZevnFulKm5QGTCo12e/aI1h7S18HB5EVNUJjP/K8In7yPHH45ytMV+foHhLMpMEr2D3HCggQXJgtW5V+X2xjoohaQqXxM14o3crIg1RHYErXu3/fW2WdAFwIXGI+o+z0cmNswu+DDYc8nB1iiSizjMdaNiylwn7DRydduz6bBmnhD4nk+QnJJKwNyXNFmKXb/x/Cp6yckEErclFabUbOEkdbAjdSPFaWY8FAH814o0fd+Zv0Ok3t5ft1WnSezly944VsYSOnGc7x4yB+IAozYGXHy1CnK239XFLd8EN0ZIgan/6mm2/UE33kLOF6ysXdAKboz2iv5sNoe37LhCv8A4gNUNIs2qWUH1c4Lp7cFXAELAPn4fsbELEoxSg6cRF8TitnpMwSQzv7IGa1lyrRlTLX/kW+QeIZz73iq5dCMzWKbjHb5AEtPVA0rHRx+6tPogHHjqdxuzLEa3+mbe+ed3q32LT/tddxN++LCA+I16l0cW5Qh6qNOk1XQNGM6FuMZMH0Xbgg9IGak8kjSAneE/St7CmTdS7qYs7zGIIXTcm8CwN/H4+xIJOTery4xdLmSNVmBJqDi34FeWOlqtnMfmzSMpxsyEkxnV9PffjeJMNJrRNNXYbn7M9roeR2Ox2EaxYKDjtWwdM4XgdMd14NEg0dBI+nzSfmhEgrccz/GGwCVT1JzwpY36RRiN6ICHINcvtsPbn8K09zgJkBOzt6heRm3jFHv9dXXvV40v2vROrNjEpAgPk/AflU2ASqiju3rVBKJZkltVeBQ9KFXpVGbxq6vaZj2bcMtqf3sq1sU8960jiXSVrcEIM25jpzxv0fxoVjVk5ZKaSjZBJFyzMmMVXOEFRTF9mIuQWU6PpdM24qcvVzhASfUyQ6A3fJ+cE97BUSgwbdHuLsGeR6jc7GFAtyTry1ANyejzXbRMa0ykhF49Fc5RuLB1/FThm5u3JwKLkDcqt0R2UxGUGtTt61YwWCcdeOfUHj4aLRoI7MtT4s8Z5EESory2TQfI37azvYsJbAIKrqsaj6bRhIp8WgKnOT9mVO5T7/3as5brb24gviN8Z1XISXQQxJVL7uI7ptjVkhEVT2q+0J7GfjIXbBrZNoE9DScXcjhf7aZLYm4xryTs30YraHslZbw/KOmBEo= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDr9MzJMpDfAueVs+DJRX7IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSAiDHtO+JL9AOBnBqrsY5R+W3MrGamYeR2keCP9Dy+/NzLOzjDaO2rwVWxuZ2TzbJpvbdL0N0zPfgSzCzhqApoTPFpp2CPDOx6ihEudzoNVoM6j2VyOmqqBlvZbwErtIypC8P1fKlWTmW7q14GuxOgTOwQUyhb/ofzNwkLQejqrjTwFji9zPbKPSghI2dWKf+5gkQvDGihIFfEv5EsSM5AN7hzdQVIFj1CUHPyeWMbZ0K1g0/7uRQeyoEinT3CrvrP9dFPEuVIcosLqYb4AnecHqVubCDEZSsSLSNnIyaZEI9b5008FGYczrSlaIGDBHFzoGoqA9wiUaNxMzG ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/42eb3d0753fcf297

Extracted

Path

C:\Users\Public\Pictures\_R_E_A_D___T_H_I_S___NHTGWHH3_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/CF01-DC0A-6411-0098-BE31 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/CF01-DC0A-6411-0098-BE31 2. http://xpcx6erilkjced3j.19kdeh.top/CF01-DC0A-6411-0098-BE31 3. http://xpcx6erilkjced3j.1mpsnr.top/CF01-DC0A-6411-0098-BE31 4. http://xpcx6erilkjced3j.18ey8e.top/CF01-DC0A-6411-0098-BE31 5. http://xpcx6erilkjced3j.17gcun.top/CF01-DC0A-6411-0098-BE31 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/CF01-DC0A-6411-0098-BE31

http://xpcx6erilkjced3j.1n5mod.top/CF01-DC0A-6411-0098-BE31

http://xpcx6erilkjced3j.19kdeh.top/CF01-DC0A-6411-0098-BE31

http://xpcx6erilkjced3j.1mpsnr.top/CF01-DC0A-6411-0098-BE31

http://xpcx6erilkjced3j.18ey8e.top/CF01-DC0A-6411-0098-BE31

http://xpcx6erilkjced3j.17gcun.top/CF01-DC0A-6411-0098-BE31

Targets

    • Target

      ComputerRaper.exe

    • Size

      85.4MB

    • MD5

      bdb24ed9f869fcd462b316148514fc5b

    • SHA1

      83935122b626378a3149e9036cd751514add4b52

    • SHA256

      83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0

    • SHA512

      12fdb77a75debeacbc4b98cac45d09a7bcc378bd9bd51bbc035838b99c1d595660d5c0961a2d041b2e8359f3b5b096f589d39453ada9874436411b94b8b0d611

    • SSDEEP

      1572864:NUkskQ1oOZrCqix58TkbajhXBFEQT9VotzcJ97:N/NQbCbmXXEUvoM97

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Badrabbit family

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Cerber family

    • Chimera

      Ransomware which infects local and network files, often distributed via Dropbox links.

    • Chimera Ransomware Loader DLL

      Drops/unpacks executable file which resembles Chimera's Loader.dll.

    • Chimera family

    • CryptoLocker

      Ransomware family with multiple variants.

    • Cryptolocker family

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

    • Modifies WinLogon for persistence

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • mimikatz is an open source tool to dump credentials on Windows

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks