cryptolocker

General

Target

https://trovi.com
Sample

250408-gqxtvax1fy

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-809364120-1453366396-340093129-1000\KCDSQSMIX-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KCDSQSMIX The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/a214b670dcf83a85 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAJWN1lXv4QW36xcOtyluk3lBD7poZ4hMgn3mFoCyWvS4MA29QenPl/4j9ur+j/AbG+7AFTKv+KcKFPL9yU46JIpEckEU2fB/XCADxik4CRDkEUT642koCUVQKlyulAA8w6kQ0ObNq+pbil5YbAhY4/3e7xhQn6hnEpAYGVSwI4WgtpH0RTDxRyMp1RcsQ9X+PqM2eaUbjJTMcrSWBwWBJuS8LMsK+GOwKE/rp7Ib9VZ4Wrn8dWdpLlfEIQxXlap7QYHBCz7U/OHIMv2+mLy+7BRZIL/HOoxJMvFxalw6O5cBD1Hdfa19XiAWa9KQg3TLwiYRsUd5ILltJd/+dRCRsi8f8b5OXRZcB6TkALEvFv4IZ3qJX5OhpNMhzpONBBTVhvLPNOl2oMef1vw/JDQn+VEkuEwlCvZaYQ9pqMthPVz+cLfJLGY9KO0Stif2fiAhop3ZvQTLA/xzc8Cs+73UmDKkGkLLRaLiyOR8b+LZxDP615A600RAsZL1LYiptSmR62wQQ9O1Fyy8oXtiLkLtA3grOHWTkOrU9pzCu0afOg2UxyMo8FvH5gMMQ5E0EUGcL3Nz5pAG9C+tAuJ8zn35fu7Wc53GCQr7LGH5xyp8rSMuZCwNBqnaqEyIhSKncNYEBms1xp1IKxdcAjzUDUUtPoBv4v0lr6QhuvAYactuhK/GbvhLJET09oLyCHoS2LAWEphUMo3CB8vH/ALwSm2lwSXkv/eu+tosbiVMINPMUVlpUBSIJpnHpTM/dguTIEuCDFrgGFdzmVOeU2e8OwTOJiedYrcgglqkMt+h42cDDVIbPrc+w6Akq7tfPspvvl+SdJEbAHk2wXy+wjQ/Ac0OvTL/fxHsoVkzAsLGJxiRYBgMb3OfnniPKnm6vofU+yQc3zeR14axRE/iai09trGyp9NxUu+n3lL/+xuh4qYEt85Px3/4MupS2X3+lh6g4ASHO26QIF//MUtVlIOOvFUlVgY26qs20Vk2VBb8QtKrgITO8CHF/8yEvrxMbidORsS3PgM5TfQhM2BI+y/i2wSvbT/nOY43uXxlMlLOwgxOiaotbFsPs2DKNQZKwI/tPku+7ESRLpeyc4b5Xubqd/bIPExZvwxJjATC7tOUCzdlESHa+pRcJXsjBCt+s1e6yU3fwvNvRmngP+J0z8UHIhBAncb7pCIRPCxC5oSrZE/mhwZ2JYVmVaMoQTKB5doCR6i/FVnBxciEAhmUbL240vOEHqRtoHu/Gx+mT7Okg+vqL6ibl4XIcDHtioMpLH3xOjnGEjNHzrP/eW3Zsc0stpuJJSf3z/4gk+O8+myqVGt2EIyROOx4wl6a8InaG9KBKGTb91QArcgx7eYASEawWmHUOpMYDMlXGxinG5umzXR88yBEDutN9G9o4H+8KGik8GVk3+bYGz/1T1V34vFaqP/FrPiYUTxNyKJFK6HvwHfn6MKDDKXhsnnhE4QAQZIo/hvdDiJb3Z5b5S8ezSPGLWhGQJxhDQinS0433OCJWw4YvPHqX6KELMV93h9JSEF0Sv/HOZCf5v44hA9UYl3fG2SUcaeXVi+fyvfnQy1x/GYYX/K6yMBfzksF7ULCP5WlAI4Bc4n0CCVshN+oV4EeeZEDBgEn1ynasj0svclPRcXFoXycPhuGcN7D+zgrvCQElZhHxXoYnyz3LAHWSRE8QovhF/kQuPPaE2eqKAR4uBMKqj93ZXq4KIoZWqNs1rKZuHyRDCxRhhMD0fBJft3g8P5fB6M7EumupEebDpSJBFj2r1l+qLAtc8ljW1SUxgzvaCD/IpZEmd+BEN+bqP+RhLiPfyIqQpgapJUVETyJn3KizTiN7J78qC+BxleczQkYfTotM8m5crugOEQPom/AHXR1pblBmmoloK528iN0T58CL+yoh0/tVvp8s9fiQN4qblRM+5x7u2zF9etMEENlq1Ff8jY02gzHYOefvPUdgIXAJjL/LUXV7TspfyquW0K7lyYvF84H6ofauMRgROP07l1MAtureMIXr+Kg9sdRXO2vqWD0WtEMov0NT8r512edSSayh4p6tjZy6eW+Iq3BNssgq7pcRLiCxYgcGOv9hWHcOpQh+hyX0yCal/1Y4DeBCnC2Br7+GYeD1wbgwlXeJWXcE5omjHrNCO+04CZ6Z6Yv/24qIfGH0nLvCKJF4UdUBtlaoVHR5JOEZNlPEWwISDD5oGEalq5hWymPprWegs4Nd5xzqwHt9suXXOgyEusFHJsYqnA5RZM= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD59N7JPpDTAuOVrODQRWXIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemWoy1rWnPOZxV8SSVjOsTAmmL/7s4CzGBkpOKj7RToVZfeU0wFSACDBtKyJP9BcBnpq7cZhR723XrGVmYCRgUfRP9vy/fNhLObjX6PlrwhW4eYvTxbJ1/a2L2d0sPeKSySz26B+oWfFo533PDqxlSg7ubDoQVp+6k2Vw+mvqB9vZLwArtkyoC8O1f2lWTmY7ql4GewxgT2wMUzQb5EfvtxQLWyjobjRwFji9DPDKIqgjY3pWN3+hglhvFqi4oFZEvhEsSM+AN7hzdQWIEz1U0GTyeyMcZ0O1go/+eQSe20E23SaCuLrfdcRPB6VJMorLqwb8AmOcGyVvrCSEaKsTrSHnIyaYEIrb5s07lHfcy/ShKIdDA3FyYH6qAJw1UbUxI7G7XVYm+fKMPMuEsCdCZihzgpfE7oT7wA2q18= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/a214b670dcf83a85

Targets

- Target
  
  https://trovi.com
Score

10^/10

cryptolocker dharma floxif gandcrab infinitylock backdoor bootkit credential_access defense_evasion discovery execution impact motw persistence phishing ransomware spyware stealer trojan upx
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Cryptolocker family
  cryptolocker
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Floxif family
  floxif
- Floxif, Floodfix
  Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
  backdoor trojan floxif
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- InfinityLock Ransomware
  Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
  ransomware infinitylock
- Infinitylock family
  infinitylock
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Detects Floxif payload
  backdoor
- Renames multiple (639) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1