YES, Ransomware (GandCrab variant)
This program is a sophisticated GandCrab ransomware variant exhibiting advanced anti-analysis and exfiltration capabilities. The malware uses a hybrid encryption scheme (RSA-2048 for key exchange and a custom symmetric block cipher for file encryption) to encrypt files on the infected system. It achieves persistence through the creation of a RunOnce registry key, ensuring re-execution on system reboot. A notable characteristic is its use of a hidden window and custom window messages for communication and control, which improves its stealth. The malware also exfiltrates sensitive system information to a command-and-control (C2) server.
- The malware begins execution by checking for existing instances using a mutex (`FUN_100047d0`).
- It then attempts to terminate processes associated with security software and databases (`FUN_100048c0`).
- A hidden window is set up using `FUN_10002d30`, which then triggers the main malicious function (`FUN_10002ad0`) via a custom window message (`FUN_10002d10` and `FUN_10002c50`).
- The main function (`FUN_10002ad0`) attempts to self-replicate by copying itself to the %TEMP% directory or AppData folder and creates a RunOnce registry key for persistence (`FUN_10002960`).
- A ransom note is generated using `FUN_100042b0`, potentially containing a unique identifier based on system information.
- Cryptographic keys are generated and exported (`FUN_10006550`) and used for encryption.
- The malware iterates through drives and directories, identifying files to encrypt (`FUN_10006df0`), using filtering to exclude certain file types and paths (`FUN_100068f0` and `FUN_100069b0`).
- Files are encrypted using a hybrid encryption scheme in `FUN_100037b0`: `FUN_100036d0` performs the core symmetric encryption, `FUN_10006660` performs the RSA encryption, and `FUN_10008520` derives keys and IVs.
- System information is exfiltrated to a C2 server (`FUN_10005860`), involving data collection (`FUN_10007490`), encoding (`FUN_10005dc0`, `FUN_10005e70`), and HTTP POST transmission (`FUN_100054f0`).
- The exfiltration results are sent back to the C2 server (`FUN_10005670`).
- Finally, the malware attempts to delete itself (`FUN_10005350`).
Reflective DLL Injection
Description
The malware uses a sophisticated reflective DLL loader to load its malicious code dynamically. This technique allows the malware to evade detection by security software that relies on static analysis or signature-based detection.
Detection
Monitor for unusual process creation events, especially those with unusual parent-child relationships and processes that load themselves from memory. Analyze memory snapshots for evidence of reflective DLL loading (custom checksums, MZ header in unusual memory locations, memory regions with self-relocating code).
Remediation
Implement robust endpoint detection and response (EDR) solutions that can detect and prevent reflective DLL injection. Regularly update antivirus and anti-malware software to include the latest signatures.
Data Encryption
Description
The malware encrypts user files, rendering them inaccessible without a decryption key.
Detection
Monitor for unusual file access patterns or changes in file sizes. Look for files with the '.CRAB' extension.
Remediation
Implement regular backups of critical data. If infected, attempt data recovery using backup solutions and specialized tools. DO NOT pay the ransom.
Registry Persistence
Description
The malware establishes persistence by creating a registry key under RunOnce. This ensures the malware re-executes after a system reboot.
Detection
Monitor for the creation of registry keys under `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`. Specifically, look for a value named 'PRIDURASHKA'.
Remediation
Delete the malicious registry key: `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\PRIDURASHKA`.
Self-Replication
Description
The malware attempts to copy itself to the %TEMP% directory or the AppData folder.
Detection
Monitor for the creation of multiple instances of the malware executable in the %TEMP% directory or AppData folder.
Remediation
Delete the malicious copies of the malware from the system.
Process Termination
Description
The malware terminates processes associated with security software and database applications. This makes detection and response more difficult.
Detection
Monitor for the termination of processes such as `msftesql.exe`, `sqlagent.exe`, `sqlbrowser.exe`, `sqlservr.exe`, `sqlwriter.exe`, `oracle.exe`, and various antivirus/anti-malware processes.
Remediation
Review security logs for unauthorized process terminations and review security software configurations.
Data Exfiltration
Description
The malware exfiltrates sensitive system information to a C2 server using HTTP POST requests.
Detection
Monitor network traffic for outbound HTTP POST requests to suspicious domains or IP addresses. Look for requests containing the string 'popkadurak'. Analyze network traffic for unusual data volumes or patterns. Examine firewall logs for outbound connections. Analyze suspicious network traffic from affected machines.
Remediation
Implement network security monitoring tools to detect and block malicious outbound network traffic. Block connections to malicious domains or IP addresses. Review network traffic from affected machines.
Hidden Window Execution
Description
The malware uses a hidden window and custom messages to evade detection by basic monitoring methods.
Detection
Monitor for the creation of hidden windows with the class name 'win32app' and title 'firefox'. Analyze process and thread creation, specifically those originating from the hidden window context.
Remediation
Implement monitoring for hidden window creation. Remove the malware from the affected systems.
Anti-Analysis Techniques
Description
The malware uses multiple anti-analysis techniques to evade detection, such as checking for common virtual machine environments, anti-debugging measures, and CPU feature detection.
Detection
Analyze the malware's behavior in virtual machine and sandbox environments, and use advanced debugging techniques where the sample resists basic analysis. Monitor system performance for unusually high CPU or memory usage associated with the malware. Analyze system memory for unusual patterns or values (e.g., custom checksum values) and review system logs for unusual events. Detect the malware's anti-debugging and anti-virtual-machine checks, and monitor system events and system calls to identify its activity.
Remediation
Use advanced analysis techniques and tools to detect and remove the malware. Ensure system security software is up to date and configured to detect the malware.
Ransom Note Display
Description
The malware displays a ransom note ('GandCrab!') to the user.
Detection
Monitor for the display of a ransom note containing the string 'GandCrab!' on the affected systems.
Remediation
Remove the malware and the ransom note from the system.
Detection
- `gdcb.bit`
- `politiaromana.bit`
- `malwarehunterteam.bit`
- `ipv4bot.whatismyipaddress.com`
- `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
- `PRIDURASHKA`
- `GandCrab`
- `.Crab`
- `popkadurak`
- `klif.sys`
- `%windir%\system32\wbem\wmic`
- `Global\\<random_string>`
- `Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36`
```yara
rule Ransomware_System_Info_Collection
{
    meta:
        description = "Detects potential ransomware system information collection"
        author = "Generated from IOCs"
        severity = "High"
        created = "2024-11-12"

    strings:
        $s1 = "pc_user" ascii wide
        $s2 = "pc_name" ascii wide
        $s3 = "pc_group" ascii wide
        $s4 = "pc_lang" ascii wide
        $s5 = "pc_keyb" ascii wide
        $s6 = "os_major" ascii wide
        $s7 = "os_bit" ascii wide
        $s8 = "ransom_id" ascii wide

    condition:
        // Looking for at least 4 of these strings to reduce false positives
        // while maintaining detection capability
        4 of them
}
```
```yara
rule Malicious_Network_Communication
{
    meta:
        description = "Detects suspicious network communication patterns and domains"
        author = "Generated from IOCs"
        severity = "High"
        created = "2024-11-12"
        reference = "Domain and HTTP traffic patterns"

    strings:
        // Suspicious domain
        $domain = "popkadurak" ascii wide nocase

        // HTTP headers and content patterns
        $http_header = "Content-Type: application/x-www-form-urlencoded" ascii

        // POST data pattern
        $post_data = "action=result&e_files=%d&e_size=%I64u&e_time=%d&" ascii

    condition:
        // Match any of these suspicious indicators
        any of them and
        // Additional context: typically found in network communication
        // so we look for common protocol markers
        ( $domain or ($http_header and $post_data) )
}
```
```yara
rule GandCrab_Ransomware_Indicators
{
    meta:
        description = "Detects GandCrab ransomware indicators including extensions and strings"
        author = "Generated from IOCs"
        severity = "High"
        created = "2024-11-12"
        malware_family = "GandCrab"

    strings:
        // Ransomware name and markers
        $str1 = "GandCrab" ascii wide nocase
        $str2 = "PRIDURASHKA" ascii wide

        // File extension
        $ext = ".CRAB" ascii wide

        // Byte pattern as given in the report; note that it is not the
        // UTF-16LE encoding of "C.A.R.B", which $hex2 below covers
        $hex1 = { 43 00 2e 41 00 52 42 }
        $hex2 = "C.A.R.B" wide // Alternative matching

    condition:
        // Require combinations of indicators for higher confidence.
        // (The original condition also referenced an undefined $lib string,
        // which would fail to compile; it has been dropped.)
        2 of ($str*) and
        ( $ext or $hex1 or $hex2 )
}
```