badrabbit

General

Target

5secshuffle.py
Size

6KB
Sample

250113-cbwwsazmgt
MD5

f0625f71f66f011f8251f180407017d3
SHA1

85834cd6484705f147c32e55e67c2b9cde824323
SHA256

c29bc7ab31b2c17e5b4ba1734abcfdff97fd1e5ecf078f6d42eb0a083f3cfc6e
SHA512

ba8c23559bb9cc8be914d9a69d242f55a06a692313c2f88cba4154f1cd8af03be9fac82172e7703cebff18e632bb6c77f2e3efc32fbb8e5f48aad73f1b02dbe7
SSDEEP

192:JAmEW9Qfl53LDwrfDI3mxUEWw86SDeKd4C8ik6iJN73FJ4Avklatn:JAmEsQfl53LDwMmxUEWw86SDeKd4C8iq

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3506525125-3566313221-3651816328-1000\FHBYN-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FHBYN The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/874bd514a789dae0 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAJz1oKKyc7WiBoWtmJRkyFis7HFZTFgU8fzTY7Il2nCM3SmHR4HErFlVp59NrRwm+OyIcDsxd8zT6tHOvSiEo3CzrYVjJ3/av8UNyGGgfpZuVBOFq6YBzN7phOvWeO67sAcglVmIyPACycs/rD/Bv+c9UhT9i7SWqZowtfQvOO8QCAYqFJkTr8kMLf5JY0c7OwuUvqy7g97hr37ExdfizeTYndJQveXc02Tmk0EdTfq5IF2LHpudZuNaIbdKiAjpYdgpPesN9+Ki1jUqKuEwZJqn26JrFEGpXBe1nFwr4eZWRGmR5DxSRF6thmMfYeSWwxNDNs2bC1fycjxb/CTubnbp6+uuNvpO0EvQeM12w4gjW61ZYAnFxY0Gk7MH0bPb3ZWUPIyBDJI/9RNSm94JgxZtRAXcn9kstzqAeYwLP6Xl4+5ugX9olfJXsahSD0WxmDSHHPT2NJtAXWlxHOXqSbT9KXy/5nkM8z8og+656Em6vhcWeQy5LbzzN/7yVQAj+kiyl5ow7WyztCtQ0zaZUn+Fn9NTsQiHQ067IgVeOwbmyIaTauB1Hg+04XSt/6CTDGl7h9mXoUaz4/fH4AQS3okPPdn/JFJzBm7nJYLIyGC/uv6AJN/Pw7jR+5oQQlWlJDe7WeA7VA+L5dZouIan7AX/KZQq8Gu/lVbFnnib9boStyVYxozraaebZWfRwleZZ1WyX7z36nR7NvYfmgBqlWnYO720l/o9Q1N3NgeBCfHcxpoVWDq0gzHsDQmONVJiBI3N42AyKPyQJg/8YuFDEtG8qk/8DB95sG8eZRX5I4eSRfJGHTunG5gAqwzZhdVX13pgDcNvPz2XScqnZfYdnMgpWY+zB+oYeaTdNnnDQSnhx3gP1l4h75yPa8hkw5dvL14pSy6PF5c4CspL93OsbXeJOGmEkM8e/e3XGp6t2x3Q8npulotiTe0/B3Iy57EfBOa8OMJkqzEvNjKkuDl0yjfh8wSXdOsEy/87JuaiZnJaguRZ1Ul6llJSm/i053+Cm+1A0xn50fqzeLSZkqzEkUx74xnj+a86+H8PTLF2gbmVprfHiwTx+QkzMt2G+3OZKdybyPdYEalxh6aM+Z4hdy0zTk8rYC+cBDnvFLJQSl5lIjsVs7DcpT6/qrIb6n0eZmv8NkBiI/wnMcYsVPBrD9yOfkoLTJWaZAxR1ovYRqQeGV84XfUyr3f58xNTl7hgmhHnoiqFUTCiT4VI3aTcRVPYf+9UgGUCILLDhLFcgCsadBYjuOeHTXCW4eGRvb8zL7+jNOwpHeSZnA4Cz3HkNLSL7zizvDhYrdCuEpux3pzPBceTj5Oh0TczjnVteaWQPQorkplCyymFYdl1fat4vL5yRq8vxJ4L+y27Hfw390TqCS+CgruTcwLY05dkl3dhRK9xl5aCvJhJxsHp13FlF/KPpAiePRpaqZlkG/Agrd4ZUxC+YP8b3s1bwPC1MQAiqgu77yY0AligUUS8w+Ba8jhyEDkBXwYWBVMiVXwoYcm6E0veYqlWGUhXtPXskRsium7IvldG6wavFhX3aXUW4/9y3p48aAbjWae77xWZq82wcvytr2WBMyxwlhsxZYAg5ZZJNja9mJgXmJgA+17oMYbruLhRQzuKaZtsEDPH1e34lCCyrTVcnXbq5ga+qu8TYvXvnAsFthdna30Khk+hBYsnaeLTxrjM7K2QElPWrHIdNNPwUkRWf1VZBboIRwxga7ylamEo8xTIxSMGjBDUfTsduPuv9grdMvhDVYqc7lZbWHCPJjaqUGe3POIhcOSjATOmfI18ggKZLUolJ03P/NvkhbohPED9fQjBUxg6prGjmpFOfCKfduWCNcGEoY59AOHzNT+XV7bXzZRgX/17PxxarsQ9lf9UcglcRf1I4iZIR4q8+569/Xd6plT37boiHw25NcNZXKiP6PIXjb5joeuJd1zCnwu6hKNF2hj+we1A0yyrMDkzBnk+481tFA+/pVQvFSdTFkkymkeuaU4vV5cFJn6t8NgDREoPdXPgSwPeM5Wh8HO64fmlHMomFkr3nk0BPH1/VkWU3jEONPoTrDqfI+FGFcY9t6IjfJV+nHiuMGwTzrknOV0zORpFXpKeOjRXiFzKIEfVZIj3uEHP3ggSnbSX86vPPLeUT3noAh5jtfQkzTLmQmo1m7SkFs8sixsnrOaMf6WceTam02SAFgxshnggcG9BwdowljXthl6p3wbnpsXcCVvHLpMPZjGsICRTCCI= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDy9NbJLZDAAveVruDJRWnIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemWoy1rWnPOZxV8SSVjOsTAmmL/7s4CzGBkpOKj7RToVZfeU0wFSACDBtKyJP9BcBnpq7cZhR723XrGVmYCRgUeIP97y+PM3LODjXKPjrwxW5OZ7T0jJ1vbhL2d07fePSySz26B+oWfFo533PDqxlSg7ubDoQVp+6k2VyOmsqBtvY7wKrt0yoC8O1fylWzmQ7ql4Gew6gTqwNUzab5MfvdxRLWCjoLjSwF/i8jPDKIqgjY3pWN3+hglhvFqi4oFZEvhEsSM+AN7hzdQWIEz1U0GTyeyMcZ0O1go/+eQSe20E23SaCuLrfdcRPB6VJMorLqwb8AmOcGyVvrCSEaKsTrSHnIyaYEIrb5s07lHfcy/ShKIdDA3FyYH6qAJw1UbUxI7G7XVYm+fKMPMuEsCdCZihzgpfE7oT7wA2q18= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/874bd514a789dae0

Extracted

Path

C:\g1rFryAhrVg2xrt\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>IbhGsQyooCJrMW7nFRLe3DNbNofLyKNAoYncJkRZSFaNNwIJAJOLT1UKu0gGohgFvCFeV9iRPJ/J3AUbU1K3j6g2YQGiL/8A9CSHPjiunVGxPm+ra/YJ9E/zz4o2yuoNdENmrd3qiPAGKj7fbYPGAp5gO4yWak+EboXDSoD2EC/cXWxswa5VmE5JuBQJgjoxdI+yLxokOVMJ8gYF6y+IQ0kUKarH3m63mulMQCUXjsnZZ6VaYNC9Z3kLCoeMS+R+Ev2+CVjgdHYp2A7XKNIWECHQFYzYZ/v1GFuxVPPpiqnMWPpfUWhyPLIZfvrvooQZVnVQrjfeKDXhvtQpdxSUMg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Targets

- Target
  
  5secshuffle.py
- Size
  
  6KB
- MD5
  
  f0625f71f66f011f8251f180407017d3
- SHA1
  
  85834cd6484705f147c32e55e67c2b9cde824323
- SHA256
  
  c29bc7ab31b2c17e5b4ba1734abcfdff97fd1e5ecf078f6d42eb0a083f3cfc6e
- SHA512
  
  ba8c23559bb9cc8be914d9a69d242f55a06a692313c2f88cba4154f1cd8af03be9fac82172e7703cebff18e632bb6c77f2e3efc32fbb8e5f48aad73f1b02dbe7
- SSDEEP
  
  192:JAmEW9Qfl53LDwrfDI3mxUEWw86SDeKd4C8ik6iJN73FJ4Avklatn:JAmEsQfl53LDwMmxUEWw86SDeKd4C8iq
Score

10^/10

badrabbit cryptolocker gandcrab mimikatz backdoor credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer upx
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Badrabbit family
  badrabbit
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Cryptolocker family
  cryptolocker
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- Modifies WinLogon for persistence
  persistence
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (449) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- mimikatz is an open source tool to dump credentials on Windows
- Contacts a large (1157) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1