2018-04-10 - GANDCRAB RANSOMWARE INFECTION

NOTICE:

ASSOCIATED FILES:

  • 2018-04-10-GandCrab-malspam-example.eml   227 kB (227,109 bytes)
  • Zip archive of the infection traffic:  2018-04-10-Gandcrab-infection-traffic.pcap.zip   226 kB (226,127 bytes)
    • 2018-04-10-Gandcrab-infection-traffic.pcap   358 kB (357,722 bytes)
  • Zip archive of the malware & artifacts:  2018-04-10-Gandcrab-infection-malware-and-artifacts.zip   494 kB (495,536 bytes)
    • 2018-04-10-CRAB-DECRYPT.txt   4.2 kB (4,218 bytes)
    • 2018-04-10-Gandcrab-Decryptor-BTC.html   15.8 kB (15,791 bytes)
    • 2018-04-10-Gandcrab-Decryptor-DASH.html   15.7 kB (15,724 bytes)
    • 2018-04-10-Gandcrab-Decryptor-Support.html   10.9 kB (10,875 bytes)
    • 2018-04-10-Gandcrab-Decryptor-index.html   10.6 kB (10,623 bytes)
    • 2018-04-10-Gandcrab-Decryptor-test-decrypt.html   9.9 kB (9,931 bytes)
    • 2018-04-10-Gandcrab-binary.exe   301 kB (301,064 bytes)
    • DOC3660738334.doc   169 kB (169,472 bytes)
    • DOC3660738334.zip   170 kB (169,604 bytes)

    NOTES:

     

    WEB TRAFFIC BLOCK LIST

    Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

     

    EMAIL


    Shown above:  Screenshot of the email.

     


    Shown above:  Screenshot of the email headers.

     

    EMAIL HEADERS:

    Received: from [0.0.0[.]0] ([176.103.214[.]54]) by [removed] for [removed];
         Mon, 9 Apr 2018 14:48:03 +0000
    Received: from onnkhzpwbq ([218.67.134[.]206]) by 4779[.]com with MailEnable ESMTP;
         Mon, 9 Apr 2018 17:47:55 +0300
    Received: (qmail 48365 invoked by uid 483); 9 Apr 2018 17:47:52 +0300
    From: Brady Phillips <Brady99@4779[.]com>
    Subject: Order #48365
    Date: Mon, 9 Apr 2018 17:47:55 +0300
    Message-ID: <48365046546570.5259.qmail@isclkg>

     


    Shown above:  Extracting the Word document from the attached zip file.

     

    TRAFFIC


    Shown above:  Infection traffic filtered in Wireshark.

     


    Shown above:  DNS traffic to unusual hosts that returned IP addresses for HTTP traffic to ransomware[.]bit.

     

    TRAFFIC FROM AN INFECTED WINDOWS HOST:

    DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

     

    FILE HASHES

    ZIP ARCHIVE FROM THE EMAIL:

    WORD DOCUMENT EXTRACTED FROM THE ABOVE ARCHIVE:

    MALWARE BINARY RETRIEVED AFTER ENABLING MACROS:


    Shown above:  Gandcrab ransomware persistent on an infected Windows host.

     

    IMAGES FROM AN INFECTION


    Shown above:  Partial screenshot from the desktop of an infected Windows host.

     


    Shown above:  A screenshot of today's Gandcrab ransomware decryptor.

     


    Shown above:  Decryptor instructions for paying the ransom with Dash cryptocurrency.

     


    Shown above:  Decryptor instructions for paying the ransom with Bitcoin cryptocurrency.

     

    Click here to return to the main page.