vk_intel

1-26-2018: GandCrab Ransomware Unpacked

Jan 26th, 2018
---= GANDCRAB =--- (unpacked)
Hash: 7503351b46e00a2ca012bebc4ea6d3271a93a2711f41636753ffb61f2fec64d0
https://www.virustotal.com/#/file-analysis/ZDY4NGRiMDA0NDJmYTg2N2FiZGNiZTRiYzlkMDNkY2I6MTUxNjk4MTc4NA==

RANSOMWARE VARIABLE:

ransom_id
os_bit
os_major
pc_keyb
pc_lang
pc_group
pc_name
pc_user
ransom_id=
{USERID}
%s%s
open
Global\

Process Check:

msftesql.exe
sqlagent.exe
sqlbrowser.exe
sqlservr.exe
sqlwriter.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
mydesktopqos.exe
agntsvc.exeisqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
agntsvc.exeagntsvc.exe
agntsvc.exeencsvc.exe
firefoxconfig.exe
tbirdconfig.exe
ocomm.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
dbeng50.exe
sqbcoreservice.exe
excel.exe
infopath.exe
msaccess.exe
mspub.exe
onenote.exe
outlook.exe
powerpnt.exe
steam.exe
thebat.exe
thebat64.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe

Delete command:

/c timeout -c 5 & del "%s" /f /q
cmd.exe

POST REQUEST:

Content-Type: application/x-www-form-urlencoded
curl.php?token=
POST
action=result&e_files=%d&e_size=%I64u&e_time=%d&
action=call&
&pub_key=
&priv_key=
&version=1.0

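As an added defender-side example (my code, not the sample's and not from this paste): a check that flags HTTP requests with the beacon shape these format strings describe, a POST to curl.php?token=... with a form-urlencoded body carrying action=result or action=call. The hostnames and sample requests are constructed, and the pairing of pub_key/priv_key with action=call is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Shape of the beacon taken from the strings above. pub_key/priv_key being
# the keys sent with action=call is an assumption, not something the paste states.
BEACON_PATH = "curl.php"
BEACON_CONTENT_TYPE = "application/x-www-form-urlencoded"
RESULT_KEYS = {"e_files", "e_size", "e_time"}
CALL_KEYS = {"pub_key", "priv_key"}


def match_gandcrab_beacon(method, url, headers, body):
    """Return a dict describing the beacon if the request matches, else None."""
    if method.upper() != "POST":
        return None
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if not parts.path.endswith(BEACON_PATH) or "token" not in query:
        return None
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not ctype.lower().startswith(BEACON_CONTENT_TYPE):
        return None
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    action = fields.get("action")
    if action == "result" and RESULT_KEYS.issubset(fields):
        expected = RESULT_KEYS
    elif action == "call" and CALL_KEYS.issubset(fields):
        expected = CALL_KEYS
    else:
        return None
    return {"action": action, "token": query["token"][0],
            "version": fields.get("version"),
            "fields": {k: fields[k] for k in sorted(expected)}}


def scan(requests):
    """Return (index, match) pairs for each (method, url, headers, body) that matches."""
    return [(i, m) for i, (meth, url, hdr, body) in enumerate(requests)
            if (m := match_gandcrab_beacon(meth, url, hdr, body))]


# Constructed sample traffic; hostnames and values are made up.
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLE_REQUESTS = [
    ("POST", "http://c2.example.invalid/curl.php?token=deadbeef", FORM,
     "action=result&e_files=120&e_size=4096000&e_time=42&version=1.0"),
    ("POST", "http://c2.example.invalid/curl.php?token=deadbeef", FORM,
     "action=call&pub_key=AAAA&priv_key=BBBB&version=1.0"),
    ("POST", "http://www.example.invalid/login.php", FORM, "user=a&pass=b"),
]
```

Run scan(SAMPLE_REQUESTS) to see the two beacon-shaped requests reported with their parsed fields; the ordinary login POST is ignored.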
Directory Exclusion:

\ProgramData\
\Program Files\
\Tor Browser\
Ransomware
\All Users\
\Local Settings\
desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db
GDCB-DECRYPT.txt
.sql
%s\GDCB-DECRYPT.txt
%c:\
ipv4bot.whatismyipaddress.com
%x%x
undefined
Domain
SYSTEM\CurrentControlSet\services\Tcpip\Parameters
WORKGROUP
LocaleName
Control Panel\International
Keyboard Layout\Preload
00000419
productName
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
error
Itanium
Unknown
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Identifier
2ntdll.dll
UNKNOWN
NO_ROOT_DIR
REMOVABLE
FIXED
REMOTE
CDROM
RAMDISK
%I64u/
%I64u

AV CHECK:

AVP.EXE
ekrn.exe
avgnt.exe
ashDisp.exe
NortonAntiBot.exe
Mcshield.exe
avengine.exe
cmdagent.exe
smc.exe
persfw.exe
pccpfw.exe
fsguiexe.exe
cfp.exe
msmpeng.exe