GandCrab v5.0.4 is, at the time of writing, the latest version of the GandCrab ransomware family. It encrypts the victim's files, and the criminals behind it then demand payment in exchange for a decryptor that will supposedly restore the files and return the computer to the state it was in before the infection.
Ransom.GandCrab is Malwarebytes' detection name for a family of ransomware that encrypts important files and demands a ransom to decrypt them. There are several versions of Ransom.GandCrab, as the threat actors keep developing it; all of them target Windows systems. Ransom.GandCrab scans the infected system and any reachable network shares for files to encrypt. You can recognise the version of GandCrab by the extension appended to the encrypted files:
- Version 1 appends the .gdcb extension
- Versions 2 and 3 append the .crab extension
- Version 4 appends the .krab extension
- Version 5 appends a randomised five-letter extension
Ransom.GandCrab is spread in many different ways:
- exploit kits
- social engineering
- fake "cracked software" download sites
What I cover in this video:
Dynamic & Static Analysis
- Regshot: snapshots taken before and after the attack to identify the registry changes and guide further analysis of the malware.
- Wireshark traffic analysis.
- Running the "Adobe patch" (a fake patch for Acrobat Distiller that carries the ransomware).
- The ransomware attack itself.
- Wireshark: analysing the traffic as it happens, showing how the attack unfolded and how the machine connected to command-and-control (C&C) servers in more than one location, including Germany and China.
- CFF Explorer: inspecting the executable to find the embedded website link.
- Exeinfo PE: learning more about the sample (what it was built with and whether it is packed).
Basic Malware Analysis Tools
Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures. Basic static analysis is straightforward and can be quick, but it’s largely ineffective against sophisticated malware, and it can miss important behaviors.
Searching through the strings is a simple way to get hints about a program's functionality: if the program contacts a URL, that URL is usually stored as a string in the binary. Check both ASCII and UTF-16LE ("wide") strings, since Windows binaries store many of their strings in the wide form, and bear in mind that a packed or obfuscated sample shows few meaningful strings until it is unpacked or dumped from memory.
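As an added example (not code from the original post), here is a small Python strings-and-IOC extractor: it pulls ASCII and UTF-16LE strings from a byte buffer, the way `strings` and `strings -el` do, then filters them for URLs, valid IPv4 addresses, Windows paths and a short watch list of API names. The sample buffer is constructed for the example; the URL, address and path in it are placeholders, not indicators from GandCrab.

```python
import re

# Constructed sample standing in for the raw bytes of an executable; it is not
# taken from a GandCrab binary. It mixes ASCII strings, one UTF-16LE ("wide")
# string as Windows binaries store them, an invalid IP, and binary noise.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode.\r\n$\x00"
    + b"\x13\x7f" + b"http://example.test/gate.php\x00\x00"
    + "C:\\Users\\Public\\note.txt".encode("utf-16le") + b"\x00\x00"
    + b"\xde\xad" + b"203.0.113.7\x00" + b"999.1.1.1\x00"
    + b"CreateFileW\x00CryptGenRandom\x00ab\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")           # runs of 4+ printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # runs of 4+ printable UTF-16LE code units

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"'<>|?*]+")
# Imports worth a second look in a suspected ransomware sample.
API_WATCHLIST = {
    "CryptGenRandom", "CryptEncrypt", "CryptAcquireContextW", "CreateFileW",
    "WriteFile", "FindFirstFileW", "InternetOpenA", "WNetEnumResourceW",
}


def extract_strings(data):
    """Return (ascii_strings, wide_strings), the same data `strings` and `strings -el` give."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strs = [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return ascii_strs, wide_strs


def valid_ipv4(text):
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def extract_iocs(strings):
    """Pull URLs, IPv4 addresses, Windows paths and watch-listed API names out of a string list."""
    iocs = {"urls": set(), "ips": set(), "paths": set(), "apis": set()}
    for s in strings:
        iocs["urls"].update(URL_RE.findall(s))
        iocs["ips"].update(ip for ip in IPV4_RE.findall(s) if valid_ipv4(ip))  # drops 999.1.1.1
        iocs["paths"].update(WINPATH_RE.findall(s))
        if s in API_WATCHLIST:
            iocs["apis"].add(s)
    return {kind: sorted(items) for kind, items in iocs.items()}


def analyse(data):
    """Strings first, then IOCs, over both narrow and wide strings."""
    ascii_strs, wide_strs = extract_strings(data)
    return extract_iocs(ascii_strs + wide_strs)


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE).items():
        print(f"{kind}: {items}")
```

Run `analyse(open(path, "rb").read())` on a real file; the wide-string pass is the one that usually turns up ransom-note paths and registry key names that a plain ASCII `strings` misses.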
Static analysis is like reading a map for directions on where to go. As you follow through this map you capture notes on what things might look interesting when you actually begin your journey.
CFF Explorer is a PE editor by Daniel Pistelli and is part of the NTCore Explorer Suite. It offers much of the same functionality as other PE viewers, but with some noticeable advantages.
For a start, its interface is easier to navigate than tools like FileAlyzer, and it adds features the tools mentioned so far lack: file identification, address conversion between file offsets, RVAs and virtual addresses, dependency scanning, and the ability to add imported functions to a PE.
Exeinfo PE is a lightweight program that usually answers one of my first questions: what am I looking at? It identifies the compiler, linker and any packer or protector from a signature database, and even when it cannot give an exact match it provides useful hints (section names, entry-point section, entropy) that narrow down the identification.
Its interface is reminiscent of PEiD, which many analysts still use although it is no longer supported; unlike PEiD, Exeinfo PE is actively developed and maintained. It presents most of the information you care about up front and has most of the features analysts look for.
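CFF Explorer and Exeinfo PE both start from the same headers. As an added example (not code from either tool or from the original post), the following Python parses a PE file's COFF header, optional-header magic, entry point and section table with only the standard library, computes each section's entropy, and applies the kind of packer heuristics Exeinfo PE backs with its signature database. The input is a synthetic PE32 image built in memory, not a GandCrab sample; its section names, sizes and entry point are chosen so that the heuristics fire.

```python
import hashlib
import math
import struct


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted sections sit near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Read the COFF header, optional-header magic and entry point, and every section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]            # 0x10B PE32, 0x20B PE32+
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "characteristics": flags, "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": machine, "magic": magic, "characteristics": characteristics,
            "entry_rva": entry_rva, "sections": sections}


def packer_hints(pe):
    """Cheap heuristics of the kind Exeinfo PE and PEiD back with signatures."""
    hints = []
    ep = pe["entry_rva"]
    ep_sec = next((s for s in pe["sections"]
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep_sec is None:
        hints.append("entry point is outside every section")
    else:
        if ep_sec["name"] not in (".text", "CODE"):
            hints.append(f"entry point in section {ep_sec['name']!r}, not .text")
        if ep_sec["entropy"] > 7.0:
            hints.append(f"entry section entropy {ep_sec['entropy']} suggests packed/encrypted code")
    for s in pe["sections"]:
        if s["name"].startswith("UPX"):
            hints.append(f"UPX section name {s['name']!r}")
        if s["raw_size"] == 0 and s["vsize"] > 0:
            hints.append(f"section {s['name']!r} has no raw data but {s['vsize']} virtual bytes")
    return hints


def build_sample():
    """Construct a synthetic PE32 image (not a real program): plain .text, high-entropy UPX1."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x0102)   # i386, 2 sections, 96-byte opt hdr
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32
    struct.pack_into("<I", opt, 16, 0x2000)                         # entry point inside UPX1
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b"UPX1", 1024, 0x2000, 1024, 1024, 0, 0, 0, 0, 0xE0000040)
    text = (b"\x90" * 200 + b"plain code section\x00" * 16).ljust(512, b"\0")
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 pseudo-random bytes
    image = bytearray(2048)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec1 + sec2
    image[:len(headers)] = headers
    image[512:1024] = text
    image[1024:2048] = packed
    return bytes(image)


if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print(f"machine=0x{pe['machine']:X} magic=0x{pe['magic']:X} entry=0x{pe['entry_rva']:X}")
    for s in pe["sections"]:
        print(f"  {s['name']:<8} va=0x{s['va']:X} raw={s['raw_size']} entropy={s['entropy']}")
    for hint in packer_hints(pe):
        print("  hint:", hint)
```

Point `parse_pe` at `open(path, "rb").read()` to run it on a real file. The heuristics are hints, not identification: a section entropy above about 7 and an entry point outside `.text` tell you to expect an unpacking stage before the strings and imports mean anything, which is exactly when dynamic analysis earns its keep.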
Having covered the basics of static analysis, let's look at basic dynamic analysis of the same malware.
Dynamic Malware Analysis
Please be aware that dynamic malware analysis puts your system and network at risk: you will be executing real malware to observe its behaviour. Only run malware on virtual machines or dedicated systems in an isolated network that is not connected to the internet, and remember that any shared folder or reachable network share will be encrypted too, since GandCrab looks for shares. If you need to observe the sample's network behaviour, give the VM a controlled path out (a simulated internet such as INetSim or FakeNet-NG, or a separate, monitored egress) rather than an unfiltered internet connection. You can see in the video how GandCrab encrypts the files. The open source applications I used during dynamic analysis are listed below.
Regshot is a great open source utility for monitoring registry changes: it takes a snapshot of the registry, which you then compare against a second snapshot to see every key and value the malware added, removed or modified. Take the first snapshot immediately before running the sample and the second as soon as the behaviour you are interested in has appeared, keeping the machine otherwise idle; Windows itself writes to the registry constantly, so a baseline diff of an idle VM tells you which changes to ignore. Once the wallpaper turned into the ransom note, I noticed that 79 new registry keys had been added.
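As an added example, not Regshot's code or data from the video, the Python below does the same before/after comparison on two registry snapshots and then triages the differences for the changes a ransomware run leaves behind: new autostart entries, a replaced wallpaper and new per-user keys. The two snapshots are constructed (every path, file name and value in them is invented, including the five-letter extension); `snapshot_live` shows how to take a real one with the standard `winreg` module on Windows.

```python
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DESKTOP_KEY = r"HKCU\Control Panel\Desktop"

# Constructed before/after snapshots, not Regshot output from the video:
# {key_path: {value_name: data}}. Paths, file names and values are invented.
BEFORE = {
    RUN_KEY: {"OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    DESKTOP_KEY: {"Wallpaper": r"C:\Users\victim\Pictures\beach.jpg", "WallpaperStyle": "10"},
    r"HKCU\Software\Adobe\Acrobat Distiller": {"Version": "9.0"},
}
AFTER = {
    RUN_KEY: {
        "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "SysUpdate": r"C:\Users\victim\AppData\Roaming\wmhlv.exe",
    },
    DESKTOP_KEY: {"Wallpaper": r"C:\Users\victim\AppData\Local\Temp\note.bmp", "WallpaperStyle": "10"},
    r"HKCU\Software\Adobe\Acrobat Distiller": {"Version": "9.0"},
    r"HKCU\Software\ixbrw\data": {"ext": ".ukcza", "public": "<base64 public key blob>"},
}


def diff_snapshots(before, after):
    """Regshot-style comparison: keys and values added, removed and modified between two snapshots."""
    report = {"keys_added": [], "keys_removed": [], "values_added": [],
              "values_removed": [], "values_modified": []}
    for key in sorted(set(after) - set(before)):
        report["keys_added"].append(key)
        report["values_added"] += [(key, n, v) for n, v in sorted(after[key].items())]
    for key in sorted(set(before) - set(after)):
        report["keys_removed"].append(key)
        report["values_removed"] += [(key, n, v) for n, v in sorted(before[key].items())]
    for key in sorted(set(before) & set(after)):
        old, new = before[key], after[key]
        report["values_added"] += [(key, n, new[n]) for n in sorted(set(new) - set(old))]
        report["values_removed"] += [(key, n, old[n]) for n in sorted(set(old) - set(new))]
        report["values_modified"] += [(key, n, old[n], new[n])
                                      for n in sorted(set(old) & set(new)) if old[n] != new[n]]
    return report


PERSISTENCE_SUFFIXES = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce", r"\CurrentVersion\Winlogon")
USER_WRITABLE_EXE = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\.*\.(exe|dll|scr|bat|vbs|js)\b", re.I)


def triage(report):
    """Flag the changes a ransomware run typically leaves; everything else is noise to review later."""
    findings = []
    for key, name, value in report["values_added"]:
        if key.endswith(PERSISTENCE_SUFFIXES):
            findings.append(f"persistence: {key}\\{name} = {value}")
        elif isinstance(value, str) and USER_WRITABLE_EXE.search(value):
            findings.append(f"executable in user-writable path: {key}\\{name} = {value}")
    for key, name, old, new in report["values_modified"]:
        if key == DESKTOP_KEY and name == "Wallpaper":
            findings.append(f"wallpaper replaced: {old} -> {new}")
    for key in report["keys_added"]:
        if key.lower().startswith("hkcu\\software\\") and key.count("\\") == 3:
            findings.append(f"new top-level per-user key: {key}")
    return findings


def snapshot_live(root_name="HKCU"):
    """Walk a live hive on Windows into the same layout (Regshot does this before and after the run)."""
    import winreg  # Windows only; the diff and triage above are platform independent
    root = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[root_name]
    snap = {}

    def walk(path):
        try:
            key = winreg.OpenKey(root, path)
        except OSError:  # access denied, or the key vanished mid-walk
            return
        with key:
            nsubkeys, nvalues, _ = winreg.QueryInfoKey(key)
            values = {}
            for i in range(nvalues):
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = data
            snap[root_name + ("\\" + path if path else "")] = values
            for i in range(nsubkeys):
                walk((path + "\\" if path else "") + winreg.EnumKey(key, i))

    walk("")
    return snap


if __name__ == "__main__":
    for finding in triage(diff_snapshots(BEFORE, AFTER)):
        print(finding)
```

On a real run the two dictionaries come from `snapshot_live()` called before and after execution; the triage rules are deliberately narrow, so read the full `values_added` list as well, since most of the "79 new keys" in a run like the one in the video will be the sample's own state rather than anything a rule anticipates.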
Wireshark is one of the best network protocol analysers available, if not the best. It captures live traffic, dissects hundreds of protocols in detail, lets you browse and filter packets, saves captures to file, and runs on Windows, Linux and macOS. During dynamic malware analysis it records everything the infected machine sends and receives so the packets can be inspected afterwards. Start the capture before executing the sample, then look first at DNS lookups and the first outbound connections after execution: the display filter dns || (tcp.flags.syn == 1 && tcp.flags.ack == 0) lists each name resolved and each new connection the victim opened, and Statistics > Conversations summarises which hosts it talked to. Bear in mind that the geographic location of a C&C server says little about who operates it; such hosts are usually rented or compromised infrastructure.
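The same first pass over a capture, as an added example that is not part of the original post: a standard-library Python pcap reader that decodes Ethernet/IPv4 with TCP or UDP, lists the DNS names the victim resolved and every new outbound connection it opened (SYN without ACK), and separates RFC 1918 destinations such as a file share from external ones. The capture is constructed in memory; the external addresses come from the RFC 5737 documentation ranges and stand in for the C&C hosts, and the victim address, ports and host name are invented.

```python
import ipaddress
import struct

VICTIM = "10.0.0.5"  # invented victim address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


# Builders for the constructed capture. 198.51.100.0/24 and 203.0.113.0/24 are
# RFC 5737 documentation ranges standing in for the C&C hosts seen in the video.
def eth(payload):
    return b"\x00\x0c\x29\x11\x22\x33" + b"\x00\x50\x56\xaa\xbb\xcc" + b"\x08\x00" + payload

def ipv4(src, dst, proto, payload):  # IHL 5, checksum left zero (the parser does not verify it)
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def tcp(sport, dport, flags):
    return struct.pack(">HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0)

def udp(sport, dport, payload):
    return struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload

def dns_query(name):
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    return header + b"".join(struct.pack("<IIII", 1540000000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))

SAMPLE_PCAP = build_pcap([
    eth(ipv4(VICTIM, "10.0.0.1", 17, udp(53211, 53, dns_query("update.example.test")))),
    eth(ipv4(VICTIM, "198.51.100.23", 6, tcp(49152, 80, 0x02))),   # SYN: new outbound connection
    eth(ipv4("198.51.100.23", VICTIM, 6, tcp(80, 49152, 0x12))),   # SYN/ACK back: not outbound
    eth(ipv4(VICTIM, "198.51.100.23", 6, tcp(49152, 80, 0x18))),   # PSH/ACK on the same connection
    eth(ipv4(VICTIM, "203.0.113.45", 6, tcp(49153, 443, 0x02))),
    eth(ipv4(VICTIM, "10.0.0.1", 6, tcp(49154, 445, 0x02))),       # SMB to a share on the LAN
])


def read_pcap(data):
    """Yield raw frames from a classic pcap (pcapng is not handled)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        end = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_qname(buf, off):
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii", "replace"))
        off += 1 + buf[off]
    return ".".join(labels)

def parse_frame(frame):
    """Decode Ethernet/IPv4 plus the TCP or UDP ports; None for anything that is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    rec = {"src": str(ipaddress.IPv4Address(frame[26:30])),
           "dst": str(ipaddress.IPv4Address(frame[30:34])), "proto": frame[23]}
    if rec["proto"] not in (6, 17):
        return rec
    l4 = 14 + (frame[14] & 0x0F) * 4
    rec["sport"], rec["dport"] = struct.unpack_from(">HH", frame, l4)
    if rec["proto"] == 6:
        flags = frame[l4 + 13]
        rec["syn"] = bool(flags & 0x02) and not flags & 0x10   # SYN without ACK: client opening
    elif rec["dport"] == 53:
        rec["qname"] = parse_qname(frame, l4 + 8 + 12)         # past the UDP and DNS headers
    return rec

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_link_local or any(addr in net for net in RFC1918)

def summarise(pcap_bytes, victim=VICTIM):
    """Names the victim resolved and the new outbound connections it opened, in capture order."""
    lookups, conns = [], set()
    for rec in map(parse_frame, read_pcap(pcap_bytes)):
        if rec is None or rec["src"] != victim:
            continue
        if "qname" in rec:
            lookups.append(rec["qname"])
        if rec.get("syn"):
            conns.add((rec["dst"], rec["dport"], "internal" if is_internal(rec["dst"]) else "external"))
    return {"dns": lookups, "connections": sorted(conns)}
```

Run `summarise(open("capture.pcap", "rb").read(), "<victim ip>")` on a capture saved from Wireshark (classic pcap format, not pcapng). The external destinations on port 80/443 are the ones to look up and block first; the internal port 445 connection is the share enumeration to expect from a family that encrypts network shares.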
I also noticed that the fake patch connected to hosts in two different locations, one in Germany and one in China, after which the files saved on the Windows 7 virtual machine were encrypted.
Please check out the video for the dynamic analysis itself (I didn't have time to record audio or an in-depth explanation of GandCrab; if you are interested in knowing more about the ransomware, feel free to contact me) and to see how quickly GandCrab v5.0.4 takes over the target Windows 7 machine. The suspicious file executed during the dynamic analysis is the "patch" for Adobe Acrobat Distiller downloaded from a fake cracked-software website.
Malware analysis is a critical skill in the information security community. If you need assistance with malware analysis, I can help you work through the steps of static and dynamic analysis in a straightforward and practical way.