2018-11-02 - GANDCRAB RANSOMWARE INFECTION (VERSION 5.0.4)

ASSOCIATED FILES:

  • 2018-11-02-GandCrab-ransomware-infection.pcap   (2,214,579 bytes)
  • 2018-11-02-GandCrab-decryption-instructions.txt   (2,898 bytes)
  • 2018-11-02-desktop-background-for-GandCrab-infection-pidor.bmp   (3,145,782 bytes)
  • 2018-11-02-t.exe-from-92.63.197.48.exe   (142,336 bytes)
  • 2018-11-02-vnc.exe-from-92.63.197.48.exe   (159,744 bytes)

 

NOTES

There are a number of malicious executables on 92.63.197[.]48, and at least two of these are related to GandCrab ransomware.  Not sure what's causing traffic to 92.63.197[.]48, but I found a similar GandCrab infection caused by a JavaScript (.js) file seen in September 2018.  It's available at:

I tested one of the executable files from 92.63.197[.]48 on a Windows host in an Active Directory environment.  Today's pcap has the following characteristics:

This is a full pcap with internal activity to and from the domain controller, and it includes other web traffic not directly related to the GandCrab infection.  Of note, GandCrab post-infection traffic hits several apparently legitimate domains, so I'm not including that information in today's blog post.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and tor domain:

 

MALWARE

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Extracting the two GandCrab executables from the pcap using Wireshark.
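Wireshark's Export Objects does the extraction shown above interactively. The script below is an added example (not from the original post and not the author's tooling) that does the same thing programmatically for the simple case: it walks a classic little-endian pcap, picks out IPv4/TCP segments carrying an HTTP response, and keeps only bodies that look like a PE file (an "MZ" DOS stub whose e_lfanew points at a "PE\0\0" signature), reporting the serving host and the SHA-256 of the carved body. The capture it parses is constructed inline with a placeholder server address (198.51.100.10), not the post's pcap or the 92.63.197[.]48 traffic.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian classic libpcap magic
LINKTYPE_ETHERNET = 1


def build_sample_pcap():
    """CONSTRUCTED sample capture (not the post's pcap): two single-segment HTTP
    responses from a placeholder server 198.51.100.10, one carrying a PE body and
    one carrying HTML."""
    def packet(src_ip, dst_ip, sport, dport, payload):
        tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                         1, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload   # Ethernet II, IPv4
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

    # Minimal PE-looking body: DOS header with e_lfanew (offset 0x3c) -> "PE\0\0" at 0x40.
    pe_body = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 100
    pe_resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Length: %d\r\n\r\n" % len(pe_body)) + pe_body
    html_body = b"<html><body>hello</body></html>"
    html_resp = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(html_body)) + html_body
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return (header
            + packet("198.51.100.10", "10.0.0.5", 80, 49152, pe_resp)
            + packet("198.51.100.10", "10.0.0.5", 80, 49153, html_resp))


def iter_tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                    # not TCP
            continue
        src_ip = ".".join(map(str, frame[26:30]))
        dst_ip = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from(">HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src_ip, dst_ip, sport, dport, tcp[data_off:]


def is_pe(data):
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_pe_from_http(pcap):
    """Return one record per HTTP response body that is a PE file."""
    found = []
    for src_ip, dst_ip, sport, dport, payload in iter_tcp_payloads(pcap):
        if not payload.startswith(b"HTTP/1.") or b"\r\n\r\n" not in payload:
            continue
        _headers, body = payload.split(b"\r\n\r\n", 1)
        if is_pe(body):
            found.append({"server": f"{src_ip}:{sport}",
                          "client": f"{dst_ip}:{dport}",
                          "size": len(body),
                          "sha256": hashlib.sha256(body).hexdigest()})
    return found


if __name__ == "__main__":
    for record in carve_pe_from_http(build_sample_pcap()):
        print(record)
```

The script only sees responses that fit in one TCP segment, which is rarely true for a 140 KB executable; on a real capture the body is spread over many segments and must be reassembled per TCP stream first (Wireshark's "Follow TCP Stream" and Export Objects do that for you). The PE check is deliberately stricter than matching "MZ" alone, so HTML or text bodies that happen to start with those two bytes are not carved.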

 


Shown above:  Desktop from an infected Windows host.  Of note, the file extension used on the encrypted files is different for each infection.

 


Shown above:  When you first get to the GandCrab decryptor.  Of note, it's a different URL for each infection.

 


Shown above:  GandCrab decryptor page.  Of note, it's a different bitcoin or dash address for each infection.

 


Shown above:  Expand the browser to see some rage comic images.  What are rage comics, you ask?  Check out the f7u12 subreddit for examples.

 


Shown above:  Malware and artifacts on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
