- found just in recent hybrid analysis submissions
- https://www.reverse.it/sample/93aac54d061ef795aa4cf2071b45a6b6164e227b40bd4e6cd8a2f290dcf58357?environmentId=100
- tagged as Trojan.Ransom.GandCrab.Gen
- ----------
- high cpu, almost no memory strings initially, no subprocesses initially either
- -----
- interesting files found
- -----
- C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\commithash.txt.CRAB
- C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\CRAB-DECRYPT.txt
- -----
- interesting child process
- -----
- nslookup
- ------
- interesting in memory strings
- ------
- 0x60000 (114): https://www.torproject.org/download/download-easy.html.en
- 0x80002 (524): .ani .cab .cpl .cur .diagcab .diagpkg .dll .drv .hlp .ldf .icl .icns .ico .ics .lnk .key .idx .mod .mpa .msc .msp .msstyles .msu .nomedia .ocx .prf .rom .rtp .scr .shs .spl .sys .theme .themepack .exe .bat .cmd .CRAB .crab .GDCB .gdcb .gandcrab .yassine_lemmou
- 0x1d0202 (104): C:\Users\xxx\AppData\Roaming\Microsoft\dbwxrl.exe
- 0x21f8b4 (44): /c shutdown -r -t 1 -f
- 0x21fb24 (15): fabian wosar <3
- 0x21fb58 (64): /c timeout -c 5 & del "%s" /f /q
- 0x21fe10 (26): \Tor Browser\
- 0x21fe2c (20): Ransomware
- 0x21ff5c (32): CRAB-DECRYPT.txt
- 0x21ffd4 (38): %s\CRAB-DECRYPT.txt
- 0x22001c (58): ipv4bot.whatismyipaddress.com
- 0x220484 (34): NortonAntiBot.exe
- 0x2204a8 (24): Mcshield.exe
- 0x2204c4 (24): avengine.exe
- 0x222002 (4288): ---= GANDCRAB V2.1 =---
- Attention!
- All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB
- The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
- The server with your key is in a closed network TOR. You can get there by the following ways:
- 0. Download Tor browser - https://www.torproject.org/
- 1. Install Tor browser
- 2. Open Tor Browser
- 3. Open link in TOR browser: http://gandcrab2pie73et.onion/xxx
- 4. Follow the instructions on this page
- If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:
- 0. https://gandcrab2pie73et.onion.rip/xxx
- 1. https://gandcrab2pie73et.onion.plus/xxx
- 2. https://gandcrab2pie73et.onion.to/xxx
- ATTENTION! Use regular browser only to contact us. Buy decryptor only through TOR browser link or Jabber Bot!
- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
- The alternative way to contact us is to use Jabber messanger. Read how to:
- 0. Download Psi-Plus Jabber Client: https://psi-im.org/download/
- 1. Register new account: http://sj.ms/register.php
- 0) Enter "username": xxxx
- 1) Enter "password": xxxx
- 2. Add new account in Psi
- 3. Add and write Jabber ID: ransomware@sj.ms any message
- 4. Follow instruction bot
- It is a bot! It's fully automated artificial system without human control!
- To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.
- You can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
- DANGEROUS!
- Do not try to modify files or use your own private key - this will result in the loss of your data forever!
- 0x225060 (381): <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
- <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
- <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
- <security>
- <requestedPrivileges>
- <requestedExecutionLevel level='asInvoker' uiAccess='false' />
- </requestedPrivileges>
- </security>
- </trustInfo>
- </assembly>
- 0x2a8830 (282): \??\C:\Windows\zoteramexizosima keluxepu\??\C:\Windows\zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
- 0x2a8a9a (172): zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
- 0x2b0848 (202): \??\C:\Windows\zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
- 0x2c9324 (190): \??\C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\commithash.txt.CRAB
- 0x2ca8a8 (56): http://80.98.187.85/loaigeoa
- 0x2f5338 (22): dummy://url
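The strings above are in the "0xADDR (len): value" layout that Hybrid Analysis emits, with the ransom note running over several lines until the next address. The script below is an added example (not the original analyst's code) that parses that layout and buckets the strings into the IOC classes a hunter would actually consume: the C2 URL and IP, the .onion host and its clearnet gateways, the dropped copy under %AppData%\Microsoft, the cmd.exe one-liners (forced reboot and self-delete), the bare process names of the AV kill list, and the external-IP lookup host. It also pulls out the space-separated extension list and treats it as the set of extensions the sample leaves untouched; that interpretation (system and executable types plus its own .CRAB/.GDCB markers) is an assumption from the list's content, not something the paste states. SAMPLE_DUMP is a constructed subset of the strings listed above.

```python
"""Extract IOCs from a Hybrid Analysis style memory-strings listing.

Added example for this write-up, not the analyst's own tooling.  The input
layout is "0xADDR (len): value"; lines that do not start a new entry extend
the previous value (that is how the multi-line ransom note arrives).
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed subset of the strings listed in the paste, in the same layout.
SAMPLE_DUMP = r"""0x60000 (114): https://www.torproject.org/download/download-easy.html.en
0x80002 (524): .ani .cab .cpl .cur .dll .drv .exe .bat .cmd .CRAB .crab .GDCB .gdcb .gandcrab
0x1d0202 (104): C:\Users\xxx\AppData\Roaming\Microsoft\dbwxrl.exe
0x21f8b4 (44): /c shutdown -r -t 1 -f
0x21fb58 (64): /c timeout -c 5 & del "%s" /f /q
0x22001c (58): ipv4bot.whatismyipaddress.com
0x2204a8 (24): Mcshield.exe
0x222002 (4288): ---= GANDCRAB V2.1 =---
Attention!
3. Open link in TOR browser: http://gandcrab2pie73et.onion/xxx
0. https://gandcrab2pie73et.onion.rip/xxx
0x2ca8a8 (56): http://80.98.187.85/loaigeoa
0x2f5338 (22): dummy://url
"""

ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+) \((\d+)\): (.*)$")
URL_RE = re.compile(r'https?://[^\s"<>]+')                      # http(s) only; "dummy://url" is ignored
ONION_RE = re.compile(r"\b[a-z2-7]{16}\.onion(?:\.[a-z]+)?\b")   # v2 onion host, with or without a clearnet gateway suffix
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')
CMD_RE = re.compile(r"^/c .+")                                   # cmd.exe /c one-liners
PROC_RE = re.compile(r"^[\w-]+\.exe$")                           # bare image names (kill list)
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")           # bare hostnames (IP check service)


@dataclass
class Entry:
    addr: int
    length: int
    text: str


def parse_dump(dump: str) -> List[Entry]:
    """Parse "0xADDR (len): value" lines; non-matching lines extend the previous value."""
    entries: List[Entry] = []
    for line in dump.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1), 16), int(m.group(2)), m.group(3)))
        elif entries:
            entries[-1].text += "\n" + line
    return entries


def extract_iocs(entries: List[Entry]) -> Dict[str, Set[str]]:
    """Bucket the strings into the IOC classes that feed blocklists and detections."""
    keys = ("urls", "onion_hosts", "ipv4", "file_paths", "commands", "process_names", "hostnames")
    iocs: Dict[str, Set[str]] = {k: set() for k in keys}
    for e in entries:
        iocs["urls"].update(URL_RE.findall(e.text))
        iocs["onion_hosts"].update(ONION_RE.findall(e.text))
        iocs["ipv4"].update(IPV4_RE.findall(e.text))
        iocs["file_paths"].update(WINPATH_RE.findall(e.text))
        # Whole-string classes: order matters, "Mcshield.exe" must not be taken for a hostname.
        if CMD_RE.match(e.text):
            iocs["commands"].add(e.text)
        elif PROC_RE.match(e.text):
            iocs["process_names"].add(e.text)
        elif HOST_RE.match(e.text):
            iocs["hostnames"].add(e.text)
    return iocs


def find_skip_list(entries: List[Entry]) -> Set[str]:
    """Return the space-separated extension list, lower-cased (empty set if absent)."""
    for e in entries:
        tokens = e.text.split()
        if len(tokens) > 1 and all(t.startswith(".") for t in tokens):
            return {t.lower() for t in tokens}
    return set()


def is_skipped(filename: str, skip_exts: Set[str]) -> bool:
    """Assumption: the list is the set of extensions the sample does not encrypt."""
    return os.path.splitext(filename)[1].lower() in skip_exts


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for cls, values in extract_iocs(parsed).items():
        print(f"{cls}: {sorted(values)}")
    skip = find_skip_list(parsed)
    print("commithash.txt skipped:", is_skipped("commithash.txt", skip))
```

Run it against a full strings export from the sandbox rather than the constructed subset; the whole-string classes (`commands`, `process_names`, `hostnames`) are deliberately strict so that the ransom-note prose does not leak into the blocklist.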