Overview

overview

10

Static

static

5

b82b65ace1...18.exe

windows7-x64

10

b82b65ace1...18.exe

windows10-2004-x64

10

Resubmissions

02-12-2024 11:09

241202-m871esxnap 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b82b65ace1731fe2d694512fcd448895_JaffaCakes118

  • Size

    8.0MB

  • Sample

    241202-m871esxnap

  • MD5

    b82b65ace1731fe2d694512fcd448895

  • SHA1

    c6de94da7152e237c1f0b36264b14deb32e85ce2

  • SHA256

    85639d9a1900703f2ffbf076d28925ea8d5fe4537098fa82dd96cb8eb21d2911

  • SHA512

    70bcfc8449ae913ae1e81f90fcb49ce05076b18d495683f101a4353719b3917451e8d507c701790805f6f1484ce6e12935e2dd7a8f1fabb5192492a19ec93564

  • SSDEEP

    196608:6CKhIwvgsb87DwQiiFFL4an2L/dfXaI+fVcZ2/:RC3Stl4LL/ZaI

Score
10/10
gandcrabbackdoorcredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealertrojan

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\VGUCMIIYE-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .VGUCMIIYE The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/baff8cd57d0122e | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMXpx47zM1PGurLXAWreGMPbo3sFFZmI/YywSBxlk9mVSt++C+qA9CoyrX8yol3ujE0zxaSLdDNZZmpC6mq6g0IrqoHcQO+gUpaCsD2pSyXIclF668dcHxooAxor02Hc0YSxoH5+70R0bacJI+3/LDyD4nI9/xID0VXO7wolK3RtDFpP6oHzPwitoRF7cNVe4HjDAus/RvRl+E/glwVplYInXNg5sy9p4HBEM6PKn4qmyvMqEftk0v0kCvTjFe7aKJZanp/lQvL4wfHoruHR0XCRe+08Y4gbKAmdObEqGhscBpvD0UADVFWaT9ENpu7zU7q6X5HFaA6sqyUi9ryc/2rlJ3pWCFQgfrRP8zZBNm+7GTIL3Dvo0EBr5AoiXcfgmfNUKn+kMcyQXPLInFger605LukZF7GNqtM31LHDFV1/MWPN0CGbLsTmlkbojAGHmSqeOlN9m1+cKzAbFWZLrIODSGqoSawebPsSRrM4aA18n6zKEvy4kK3mOpQ2K3LWK4aZK4CZiuPZXzEBoGFS3IuhJTs2ObHBQPQVPmbzaqYbJ+oXTY6DjqTMZHjB6FiazoQskkPIfwd4tIvZ/n97Dkyj+3tRaxVcIKo+BVDCD6PQca6JR4STSb2iZKiXrDxKCeJKJNYC4AQABGv2c8aBgf2xeyT1uEq+WtSqzKI2KsGKJEh80IGDSV10k+Wqqh+x5/A8lXq2YAbSHxm+rHZBigrJ17+2DKrOTfc4igjLnpldfLAEDjXZMpTtxUoQFyedwkLqMlC220gSrv9nGVlC1ZbUTUiy8P4yNKp6QmGajw8n10Was/yGR59AtMqISz6/Iz1IjiC4abwbhRFj9QC4c0rprOr9hcAAI5LzoBmpordtZzT3QOqMV1BoSufpH8oO1w8VrcNWczUIILYiFYdfwwK1CJRJ7Uvo2woEb++E3Oc+Ua1XNoIG3pQ0uwL9SB51J7CS0z1a9ugCHXMxp8iOvQxFRNlVI3FzjDfKjZV5jDKO2Wt47JYa6E4UExsW8X34zWybJLIAnSeanMwMgqWSfsXPrSBRrz6N8ulfNWPYTFLbjjIj8cdUbsVFEAgl0OmINC7SQ6RxeqhUckyaF+UmbY47h4FYW/Ilx2MXZPz4jQcx/OmQnHN1XFF7ttNn1dBbp4u7fgSWRn0z3bSs7P6p5H5hrgeFCNWB8PNSJZ/810yjnliwAsoiZcSK1HqmMImntEeAykXVZW5IOiD4Jk0FDb+a7ytbGH4wEZuCLFElU44xlnYlr/gBQBwrc9ws/JkrNlBRKBu4VeoMhibU3Os+ibfMeoKmmeSM1n6xhw+JMN2El0FjmPRwj2+tdwIubr1opFUSa3r5XERCqNmyS4NC95TBtTLCe1bMzga6dw0/l8SmvCa51701KZL+ibV0A1ZSiwXPjKoZdBujRlfpKIhGNxhjcZ9l4H97DxJKzfUc/dQVJd9JAQCOqo/04JfOIsa6Yp18X/dNcJSQWAmALk1Ck6OymeJJ8YUMcugM2wW1UvByeHISCSgyajnIegyxhiJqSf5sETXf8iM32Ws+v8UOfGCoenASxaGM25OnbUlQws309L98qqUwCGdwDRQwQzseO/ZTHQuuSfJONxvI8K0fu3lUJyNeUMYvzJ8Q1d/qvzsuWORLUunXanCm7DXFZqNfJbHiQR6IhbYla7ajBZ7+jsjd4/NBrtpMTr12EDUSsU+xCc0l4w+f+7HJ+STXOdfNDWY2CRz+3jf4tt6bD2mK7AqRSBqE+AwSomsYHgLa5VJ6BlwMpPQaBDe7Ln0Ym2s7tzeYnX2DGFYQ9exFGbiV2xwL64Pf4PyO05DmXbhGFL2MeCB/cUgKya70FsSy05YncZ/aHY/BO+KWajrwtnZFxFN2yk858OgmcSPUHpZa6tiX+vxiQQ5FeHYPEf436gjNaSnaRo+dlyqY2b+LQyh4PMcRNN1/K0ch3OTaPrdjI5zNjNgBFJok0qJ7KCjxPFouYTgjeHBEKoKtJI5cpzBaHFl1ScFEiYOypj8HedCxnKoVD1dPv/PssAGCQgOMQMUeumoLEFHF0uT52Yh9xMruLrgUvVGAXFSnjUaboxKMbwibKUlzzWGNdPes6xoMXu8MNvMN6aMNxhO23QfjQ6xgja1VnuStKtp9R+vDCzxHCT1iF9hFvgC5CNmH2RCELwLeOGwV3NdpiVLlY1UlZtNu3SWnEojwt5cnOkEr0dfXTvXU2gPo/URZhnJBL6WGdjQLgDytVHs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZdToRRs3YK7mpWq7fFTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BisbEjkR7BtuKs/zU2ResjGtxYOFqDBibtrxHUEYwbtydK4o24b6bsY7hyY4zV2QKiqZRuTRsqAVO9JIcJoJFowNooAhPLnKY+DO5bAL6fi2Epg65rKw3oxAhKxA72Zi3pCxFO3vTLN+ah1xoZR3QcRiOKBTm51iTgAH9imUrfmSz2QU5nmbImlsyw6XINVYbpeDfrfB0ceMBkP3JNgn9SQ3nC26ZUErrteEilBYtMbJHyHowOP7+LRYsPy4knV/fu67PAzMb9PnYTh4gzvuwKRb5tB/+FbmHWs+IUXo5eM9Q19EZhLFKM2u1g1mmDLQgzxwsJfjT5T2ECiWME ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/baff8cd57d0122e

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\KEFKTRJ-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEFKTRJ The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/7287c39c35e12573 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAOeFx4mClyT4mOpiT4HWSFPRh9fXPDzJ/YcQ62aQ9JbDlhZ392uyEBtfXIT4VtbwCtyvi2wgaVyccSg9Djt//BhX4St1tsF+gz7nseoKO6E4uXSbSru6AVNSgCTnyJI9L50p1Eo6uPW7oYsIFs0059tNiS/u83lowy5ZZvVLuWtaC+oGkONrBVf+H8D0iBBaEVYcOcGFSvQPKIELTnu0qR3xiMOU8T8sJ/RMCnojlWUBW7JHBjjtdErVEE0+iI+3sAipkIIIQ+8UzEcofe6DPyQY+JD4mWNoeJ5r8NqVZA/qNnYzzIE+ORv41YC4TGGqcd7BN+DyZXS/ewZhInlJ+zvt729JYm7ojwoLK5sNHHCJPVh5eOI9xvrjlmg01HKm8YkY9wwYu+Z9dD+Ot/rH0QEiZrv7Lku6YKh/lvJATc4ycVRbxflnbvZROYrIqtc5PMnhkB29+xmW1eJoi16R7USkpcHy7tR4cekenG2GmWFipGtHaZ30Tw512TXtJUgJ+9c2/Iv+XuLE1Lms1yxOYGqwlzLK8v2PKGVJM7g+O9MaWTLs1cAS0YKT03l1wgTwZ+Gg3Z0OpfdjoDNTtaxRTWZPKU0hbiFcAjUQHBccGYcAh6a7dJTtyv+1JzG097QOAketKN5TiI1c2Ztdp4haPg5hNtxXCbk62WyzleLoXrdgGRUoDialHQ3KQPkeFLuAuNAxAamSsPDHqC4bCm2AMLU9evFY9qUiJLuzywPFBMlPInSp87R3zW9pvqUTg776tyKIYTGlj8tyap/wHJjAoP58JLtGws6V2HJ0j8UEcyqkPwP/ZpMwgmk7zYoVLObjaJ5QFLvBUqrFAikgU/CVHl0r9R2PVyKEGyqG6Bur9H9sXLQ1lxa1XBZAq8tKI2iqbfg/o53MS+wrLu0JNForNcfFWetwBVoVPLW7vfplRwQRQ89jhy1zwHaWDD0ZEtshJjPyiDYGx2H73AJG1TtyyTTvDKV2tHNM35eGEdLMCDf1kbWavq6ERH4OC+RVwK8nPxtjWNhj0lBhBkqzsb2OwuawHuQQAkL+TrJpx2xQufO/5lBSfKFAgo9tuPCC3bRYUJBfHsLznq6uTfTLyhcWO2kwuvkree0VRwv/04BpGyVqJX4sAlB6jMUafQ/SiiWFU0GV5VYsl/7pG3Q7daQi3i8vnxj3nvRj9k854a/nPYIwpOVnZRv7znHkP6dzhKqwhRcpWfIuCm90mFSo3WhH1KIyX9qyhdH5C4XuQoD5r9VGVRlQSuctXkLPxhKiSvaljK5Uc09EeuxbJLzeubcURqZ3CtxDsVwHAWy0cuCYMp4FCZEZ/iHdA2adrwnKvN9OaqZDpiD+xc51qRm6sJpHpMIuQHMne2rIZIBmnvPlSBc6j292gNkuhE2n1cYsfiueDyzHKiPoyliPDUgvAIHV9mYZ/vAFLMkOYrWlw/pKvzrMPM4A1pwy4OJClTE5GnfSN1X4aPdXeR3g1NQLikfq0PQc+8FN1G68Nkxg3xQASCgJtfVjtGcBZnXjzMqLvXkecyenu3EfN+8ZOb3k1/NE8TqhFhPV50I8TSA+wsY3EybzUVABKv85sJj3QEDVxRIwEo6qaEC1/4HPXSSZAZuUiNPeDjebkTvSGkFE6S38elfn8UkuO1O2IAB3Yf4W4yWWK++vsG1dMJtVW+1gt1pUJHD0XgLB/+cu1hWXCuUqxcTbbFLfOF/UWYjBsB3P5kBfSLlF027LSvel9KLJzQN7LMVPf8a0hNFkpk58VVEQsjF5gM6lF3mYbpYp/mUducTgAXaKsxMoeczA+O23Uof7ne1ELs3RTGfpdNmH+aGdZiuZgSEcVYAqX8bNs6X4bWdoMD4ggvMQ1noF6bZLSH5WY3ph2HLaaGHLoVfUuuAFtk6EEL85IPRjArgP6mIDcCtDlgTtBmMRZL7LHAbBitqMd60NWtcXqQQ+mW2udol0DW6moj/v2IFdeAtXcGDe0lI+7dGb7DTyiOFYGQT5WLu76pqDBJNHgUi+eCR5oHJkMh5swBGWW7DHqR1Pi2QCWaNlWdx3KsNSW5qpIuowAPRTR+EEr6JSgM55kXTYDBj3tDLeSuKojoRVODIhy6pKVjSrBxgK0/cCajLCLWSr+ysZXRivdH3a22JpU7GDg1iGE6MgKVhQmVoYXZ0gN186JRcvQVacWV/NtFrsgNnH6Nc9BCTC2zGXkEbTYBHIM2fHIsALxz0Tb4euFiMJuIp/FKMxqBBFsdc= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZYTpFRuXYe7nxWsLfGTGSHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB5+Km/242Fut1GthYZVrQBiTtqBGDEdgboycX4t64OKb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFJ3vHLN+at1wUZMnQURl2KYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfr/PRd4Psok9V+butLOnzJ/9bHYIh8Yz6+xORettGP+Pbn3W/eJIXs9ebdQm9EdhJFLd2qBglmnMLQYzygtAfj75QWEAiTIEnbJST+zbSAE= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/7287c39c35e12573

Targets

    • Target

      b82b65ace1731fe2d694512fcd448895_JaffaCakes118

    • Size

      8.0MB

    • MD5

      b82b65ace1731fe2d694512fcd448895

    • SHA1

      c6de94da7152e237c1f0b36264b14deb32e85ce2

    • SHA256

      85639d9a1900703f2ffbf076d28925ea8d5fe4537098fa82dd96cb8eb21d2911

    • SHA512

      70bcfc8449ae913ae1e81f90fcb49ce05076b18d495683f101a4353719b3917451e8d507c701790805f6f1484ce6e12935e2dd7a8f1fabb5192492a19ec93564

    • SSDEEP

      196608:6CKhIwvgsb87DwQiiFFL4an2L/dfXaI+fVcZ2/:RC3Stl4LL/ZaI

    Score
    10/10
    gandcrabbackdoorcredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealertrojan

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Gandcrab family

      gandcrab

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (261) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

1
T1490

Tasks