Neonprimetime

2018-04-12 GandCrab ransomware sample

Apr 12th, 2018
found just in recent hybrid analysis submissions
https://www.reverse.it/sample/93aac54d061ef795aa4cf2071b45a6b6164e227b40bd4e6cd8a2f290dcf58357?environmentId=100
tagged as Trojan.Ransom.GandCrab.Gen

----------

high cpu, almost no memory strings initially, no subprocesses initially either

-----
interesting files found
-----
C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\commithash.txt.CRAB
C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\CRAB-DECRYPT.txt

-----
interesting child process
-----
nslookup


------
interesting in memory strings
------
0x60000 (114): https://www.torproject.org/download/download-easy.html.en
0x80002 (524): .ani .cab .cpl .cur .diagcab .diagpkg .dll .drv .hlp .ldf .icl .icns .ico .ics .lnk .key .idx .mod .mpa .msc .msp .msstyles .msu .nomedia .ocx .prf .rom .rtp .scr .shs .spl .sys .theme .themepack .exe .bat .cmd .CRAB .crab .GDCB .gdcb .gandcrab .yassine_lemmou
0x1d0202 (104): C:\Users\xxx\AppData\Roaming\Microsoft\dbwxrl.exe
0x21f8b4 (44): /c shutdown -r -t 1 -f
0x21fb24 (15): fabian wosar <3
0x21fb58 (64): /c timeout -c 5 & del "%s" /f /q
0x21fe10 (26): \Tor Browser\
0x21fe2c (20): Ransomware
0x21ff5c (32): CRAB-DECRYPT.txt
0x21ffd4 (38): %s\CRAB-DECRYPT.txt
0x22001c (58): ipv4bot.whatismyipaddress.com
0x220484 (34): NortonAntiBot.exe
0x2204a8 (24): Mcshield.exe
0x2204c4 (24): avengine.exe
0x222002 (4288): ---= GANDCRAB V2.1 =---



Attention!

All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB

The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.


The server with your key is in a closed network TOR. You can get there by the following ways:

0. Download Tor browser - https://www.torproject.org/

1. Install Tor browser

2. Open Tor Browser

3. Open link in TOR browser: http://gandcrab2pie73et.onion/xxx

4. Follow the instructions on this page


If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:

0. https://gandcrab2pie73et.onion.rip/xxx
1. https://gandcrab2pie73et.onion.plus/xxx
2. https://gandcrab2pie73et.onion.to/xxx

ATTENTION! Use regular browser only to contact us. Buy decryptor only through TOR browser link or Jabber Bot!


On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.


The alternative way to contact us is to use Jabber messanger. Read how to:
0. Download Psi-Plus Jabber Client: https://psi-im.org/download/
1. Register new account: http://sj.ms/register.php
0) Enter "username": xxxx
1) Enter "password": xxxx
2. Add new account in Psi
3. Add and write Jabber ID: ransomware@sj.ms any message
4. Follow instruction bot

It is a bot! It's fully automated artificial system without human control!
To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.
You can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf

DANGEROUS!

Do not try to modify files or use your own private key - this will result in the loss of your data forever!
0x225060 (381): <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
0x2a8830 (282): \??\C:\Windows\zoteramexizosima keluxepu\??\C:\Windows\zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
0x2a8a9a (172): zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
0x2b0848 (202): \??\C:\Windows\zoteramexizosima keluxepuvemirazelerinekabatigi sojerojezotolu di pasisulimurimejozuzu
0x2c9324 (190): \??\C:\$Recycle.Bin\S-1-5-21-3608051918-3224405108-2933264369-1000\$RUW5FIH\commithash.txt.CRAB
0x2ca8a8 (56): http://80.98.187.85/loaigeoa
0x2f5338 (22): dummy://url
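The memory-string listing above, parsed and matched against the indicators the paste itself records, as an added Python example (not part of the original paste and not Hybrid Analysis tooling). It assumes the `0xOFFSET (LENGTH): text` line format seen above, treats lines that do not match that format as continuations of the previous string (the multi-line ransom note), and takes its indicator table and sample dump from the strings listed in the paste; the indicator grouping and the verdict rule are this example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed line format of the listing in the paste: "0x<hex offset> (<byte length>): <string>".
STRING_LINE = re.compile(r"^0x(?P<offset>[0-9a-fA-F]+) \((?P<length>\d+)\): (?P<text>.*)$")

# Indicators lifted from the strings in the paste, grouped by what they tell a responder.
# Matching is case-sensitive so ".CRAB" is the encrypted-file marker, not any lowercase variant.
INDICATORS: dict[str, list[str]] = {
    "ransom_note_name": ["CRAB-DECRYPT.txt"],
    "ransom_note_banner": ["GANDCRAB V2.1"],
    "encrypted_extension": [".CRAB"],
    "onion_contact": ["gandcrab2pie73et.onion"],
    "external_ip_check": ["ipv4bot.whatismyipaddress.com"],
    "forced_reboot": ["shutdown -r -t 1 -f"],
    "self_delete": ['timeout -c 5 & del "%s" /f /q'],
    "av_process_names": ["NortonAntiBot.exe", "Mcshield.exe", "avengine.exe"],
    "payload_url": ["http://80.98.187.85/loaigeoa"],
}


@dataclass
class MemoryString:
    offset: int
    length: int
    text: str


def parse_strings_dump(dump: str) -> list[MemoryString]:
    """Turn the listing into records; non-matching lines extend the previous record."""
    records: list[MemoryString] = []
    for line in dump.splitlines():
        m = STRING_LINE.match(line)
        if m:
            records.append(MemoryString(int(m["offset"], 16), int(m["length"]), m["text"]))
        elif records:
            records[-1].text += "\n" + line  # continuation of a multi-line string
    return records


def classify(records: list[MemoryString]) -> dict[str, list[int]]:
    """Map each indicator category to the offsets of the strings that contain it."""
    hits: dict[str, list[int]] = {}
    for rec in records:
        for category, needles in INDICATORS.items():
            if any(needle in rec.text for needle in needles):
                hits.setdefault(category, []).append(rec.offset)
    return hits


def looks_like_gandcrab(hits: dict[str, list[int]]) -> bool:
    """Verdict rule chosen for this example: the note banner alone, or note name plus extension."""
    return "ransom_note_banner" in hits or (
        "ransom_note_name" in hits and "encrypted_extension" in hits
    )


def summarize(dump: str) -> list[str]:
    """One line per matched category, with the offsets to pivot on in the sandbox report."""
    hits = classify(parse_strings_dump(dump))
    lines = [f"{cat}: {', '.join(hex(o) for o in offs)}" for cat, offs in sorted(hits.items())]
    lines.append(f"verdict: {'GandCrab-like' if looks_like_gandcrab(hits) else 'no match'}")
    return lines


# Excerpt of the paste's own listing (the ransom note shortened to two continuation lines).
SAMPLE_DUMP = """\
0x60000 (114): https://www.torproject.org/download/download-easy.html.en
0x21f8b4 (44): /c shutdown -r -t 1 -f
0x21fb58 (64): /c timeout -c 5 & del "%s" /f /q
0x21ff5c (32): CRAB-DECRYPT.txt
0x22001c (58): ipv4bot.whatismyipaddress.com
0x220484 (34): NortonAntiBot.exe
0x222002 (4288): ---= GANDCRAB V2.1 =---
Attention!
All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB
0x2ca8a8 (56): http://80.98.187.85/loaigeoa
0x2f5338 (22): dummy://url
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_DUMP)))
```

The continuation handling matters for this family: the note is one 4288-byte string whose body spans many lines, so a naive line-by-line grep would attribute the `.CRAB` mention to no offset at all. The self-delete and forced-reboot command lines are the ones worth turning into process-creation detections (cmd.exe spawned with `timeout ... & del` or `shutdown -r -t 1 -f`), and the `nslookup` child plus the `ipv4bot.whatismyipaddress.com` string together explain the external IP lookup seen in the sandbox.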