Overview of GandCrab ransomware
1: History and development of GandCrab:
The first generation of GandCrab was first discovered in January 2018. Since then, this malware has been continuously improved by its operators and upgraded over 4 generations with increasing levels of sophistication and complexity. It is malicious code that encrypts all the data on the victim's computer and demands a ransom for the decryption key.
2: Spreading mechanism:
GandCrab spreads by sending the victim a fake email which urges the victim to open the text file attached to it. In fact, the attachment contains the malware; if the victim opens the file, the computer is infected.
3: How to identify the version:
Overview of GandCrab version 5.2
1: Introduction:
The GandCrab version 5.2 ransomware targets all versions of Windows, including Windows 7, Windows 8.1 and Windows 10. This infection is notable for how it encrypts the user's files: it uses the Salsa20 encryption method in order to ensure that the affected user has no choice but to purchase the private key.
Ransom required: 1200$ in Bitcoin or DASH.
Probably the biggest change in GandCrab so far is that the ransomware no longer appends a random file extension but renames the whole encrypted file to a randomly generated name drawn from A-Z, a-z and 0-9. What is even worse, each file is renamed differently, with a different file name length.
Once GandCrab 5.2 infects a computer, the virus immediately spawns the randomly named executable file.
2: Computer infected:
The ransom note file has the following message to victims, asking them to visit a TOR-based web page.
The sample containing the malware used:
Name: GandCrab52.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 101376 KB
MD5: 78efe80384fa759964c9ea8bada3ac8d
Behavioral analysis using the tool Cuckoo Sandbox
1: Prepare tools:
- Cuckoo Sandbox version 2.0.7 (timeout 3 minutes)
- VirtualBox running Windows 10 (Windows Defender turned off)
2: Targets of the analysis:
- Understand the activities on the system
- Retrieve activity logs
- Make predictions about the malware's functions
3: Analysis process:
3.1: First analysis:
Result: the malware is not alive; it terminated shortly after being launched in the sandbox.
Guess: GandCrab 5.2 is able to detect the virtual machine environment and then does not run its next functions.
3.2: Second analysis:
(Screenshots are reported from Cuckoo)
(Image of encrypted files and the txt file GandCrab drops to notify the victim of the ransom)
Results from the collected images:
- Encrypted files cannot be opened; their file extension is ".hifboohk"
- Each folder has a txt file with information on how to retrieve the data
- Within 3 minutes, all files containing data were encrypted, except files on the Desktop
- Within 3 minutes, the wallpaper had not been changed
3.3: Result of classifying the malware from Cuckoo:
Score: 0
Cuckoo could not detect that GandCrab was malicious.
4: Results after analysis:
After analyzing the image reports and activity logs, the results are as follows:
Result:
- GandCrab is undetected by Cuckoo Sandbox
- GandCrab needs to use the internet to connect to its server before performing its encryption behavior
- GandCrab encrypts the data files on the victim's computer
- GandCrab leaves a notice of how to transfer money to retrieve the data in every folder in which it encrypted data
Guess:
- GandCrab can detect a virtual machine environment to avoid being analyzed
- GandCrab has a time delay before changing the wallpaper and encrypting data on the Desktop
Network
Prepare tools:
- FakeNet (Windows network simulation)
- Netcat (writing to network connections using TCP or UDP)
- ApateDNS (controlling DNS responses)
- Wireshark (reading .pcap files)
- Process Monitor + Process Explorer (displaying the malware's processes)
Analysis process:
4.1: First analysis:
Result:
- The malware connected to the domain www.kakaocorp.link
- Analysis of the domain www.kakaocorp.link:
o IP address: 185.52.2.154
o Location: Netherlands
o Reputation status: has a blacklisted URL
4.2: Second analysis:
- The malware connected to the domain www.kakaocorp.link again
- Estimated runtime from the moment the virus started until all files on the Desktop were encrypted: 4 minutes
Process of GandCrab:
GandCrab5.2.exe
- Command executed: "C:\Users\Nguyen Ngoc\Desktop\GandCrab5.2.exe"
- Monitor duration: 4 minutes
- Command executed: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- Monitor duration: 3 seconds
File paths encrypted:
Private key stored in:
- Path: Computer\HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\WOW6432Node\keys_data\data
- Binary type (keys stored in regedit)
- ASCII text (keys encrypted)
Registry key used to detect a virtual machine:
Path: "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"
(Registry records while GandCrab is running)
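As an added example (not part of the original analysis), the following Python scorer turns the indicators collected in the sandbox results (section 4) and in the network, process and registry observations above into a simple behavioural score over a constructed event list; the event format, the weights and the victim paths are assumptions, not Cuckoo's real report schema.

```python
import re
# Constructed sample events (not a real Cuckoo/Procmon export) as (category, detail) pairs,
# summarising the behaviours observed in the sandbox, network, process and registry sections.
SAMPLE_EVENTS = [
    ("process", r'"C:\Users\victim\Desktop\GandCrab5.2.exe"'),
    ("dns", "www.kakaocorp.link"),
    ("registry_read", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"),
    ("registry_write", r"HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\WOW6432Node\keys_data\data"),
    ("process", r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'),
    ("file_rename", r"C:\Users\victim\Documents\report.docx -> C:\Users\victim\Documents\kQ8dLz2.hifboohk"),
    ("file_rename", r"C:\Users\victim\Documents\notes.txt -> C:\Users\victim\Documents\pWa1.hifboohk"),
    ("file_write", r"C:\Users\victim\Documents\HIFBOOHK-DECRYPT.txt"),
]
SHADOW_DELETE = re.compile(r"wmic\.exe.*\bshadowcopy\s+delete\b", re.I)
VM_CPU_ID = re.compile(r"\\CentralProcessor\\0\\Identifier$", re.I)  # key read for VM detection
KEYS_DATA = re.compile(r"\\keys_data\\data$", re.I)                   # where key material was stored
RANSOM_NOTE = re.compile(r"-DECRYPT\.txt$", re.I)
RANDOM_NAME = re.compile(r"[A-Za-z0-9]+\.[A-Za-z0-9]+")
KNOWN_DOMAINS = {"www.kakaocorp.link"}  # domain observed in the network analysis
WEIGHTS = {  # assumed weights for this example, not Cuckoo's signature scores
    "shadow_copy_deletion": 4, "known_gandcrab_domain": 3, "ransom_note_dropped": 3,
    "mass_rename_random_names": 3, "key_material_in_registry": 2, "vm_check_cpu_identifier": 1,
}

def looks_random_rename(detail):
    # "old -> new": flag a rename to an alphanumeric name whose extension changed
    old, _, new = detail.partition(" -> ")
    new_name = new.rsplit("\\", 1)[-1]
    old_ext = old.rsplit(".", 1)[-1].lower()
    return RANDOM_NAME.fullmatch(new_name) is not None and not new_name.lower().endswith("." + old_ext)

def score_events(events):
    """Return (score, indicator names) for a sequence of (category, detail) events."""
    hits, renames = [], 0
    for category, detail in events:
        if category == "process" and SHADOW_DELETE.search(detail):
            hits.append("shadow_copy_deletion")
        elif category == "dns" and detail.lower() in KNOWN_DOMAINS:
            hits.append("known_gandcrab_domain")
        elif category == "registry_read" and VM_CPU_ID.search(detail):
            hits.append("vm_check_cpu_identifier")
        elif category == "registry_write" and KEYS_DATA.search(detail):
            hits.append("key_material_in_registry")
        elif category == "file_rename" and looks_random_rename(detail):
            renames += 1
        elif category == "file_write" and RANSOM_NOTE.search(detail):
            hits.append("ransom_note_dropped")
    if renames >= 2:  # two or more random renames in one run is the mass-rename pattern
        hits.append("mass_rename_random_names")
    return sum(WEIGHTS[h] for h in hits), hits
```

Running `score_events(SAMPLE_EVENTS)` on the constructed events yields a score of 16 with all six indicators, whereas the sandbox run described above scored 0 because none of these behaviours were weighted.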
Comparison of files before and after GandCrab:
Text file
Zip file
Under the hood
Code behavior analysis:
Exif information
IAT address at 013000 with size 0001d8, time-stamp: Feb 16, 2019
Sections:
Library:
ADVAPI32 - part of the Windows API (informally WinAPI), Microsoft's core set of application programming interfaces (APIs) available in the Microsoft Windows operating systems. We can see that the functions called from it relate to the Windows registry, services, applications and user accounts.
Functions called in Kernel32.dll:
This is a very common DLL with important core functions, allowing access to and manipulation of memory, files and the hardware system. GandCrab calls many important functions from it.
We can see that Ntdll is imported. Executables usually do not load this file directly at run time; it is always loaded indirectly via Kernel32.dll. If an executable loads this file directly, it means that the author intends to use functions hidden from ordinary Windows programs. Some tasks, such as hiding functionality or manipulating processes, use this interface.
The user-mode hooking technique commonly targets the Native APIs provided by ntdll.dll, because most malware uses resources related to processes, memory or file input, and to do so most APIs must issue the system call via ntdll.dll.
GandCrab uses a technique to detect the sandbox.
The Rpcrt4.dll file is associated with the Remote Procedure Call runtime and is used by a number of Windows applications for network and Internet connections, which allow computers and devices to communicate with one another. Because it is a dynamic link library, it exposes specific functions that other components depend on.
WSock32.dll and Ws2_32.dll
These are network DLLs. GandCrab can use them for the most common kinds of network connections and for performing network-related tasks.
Wininet.dll
Contains more advanced network functions, such as implementations of protocols like FTP, HTTP and NTP.
The function InternetOpenW is called at 407EE2 to open a proxy, fake DNS to localhost and connect to the server.
At 40E3F8, GandCrab uses GlobalAlloc to allocate memory and calls the WriteFile function to overwrite files; it encrypts all collected information with XOR and sends it to the command-and-control server.
GandCrab uses named pipes to communicate, and it also uses the unique id referenced above. The following screenshot shows the routine in which the pipe is created.
We can see here that it uses CreateNamedPipeA at 410CF8 to set up the named pipe that it subsequently reads from and writes to.
At the end of the function, the call at 40D9B4 invokes VirtualFree with the dwFreeType parameter MEM_RELEASE (zero). This frees the entire region reserved by the initial VirtualAlloc call.
AhnLab, a leader in cyber threat analysis, fought against GandCrab ransomware to mitigate attacks and respond effectively to its constantly changing attack methods. GandCrab ransomware shares an extraordinary history with AhnLab. Like any other ransomware, GandCrab searches for any running or pre-installed anti-malware program before interfering with its normal execution and shutting it down. However, GandCrab was found making an extra effort: it directly targeted 'AhnLab' and its anti-malware program, 'V3 Lite', by mentioning it in its code. GandCrab even revealed a vulnerability in AhnLab V3 and made attempts to delete the program.
GandCrab's creator continued to insult AhnLab by adding insulting text aimed at AhnLab in GandCrab v5.2. GandCrab v5.2 incorporated a time-delay technique to disturb dynamic analysis: it included the "AnaLab_sucks" text string within the window procedure class name that enables the SetTimer function. 'AnaLab' can be assumed to be a typo for AhnLab. Nonetheless, the creator of GandCrab consistently mentioned 'V3 Lite' and 'AhnLab' directly within the distributed strings.
The ransomware generates private and public keys using the Microsoft Cryptographic Provider and the following APIs:
When the encryption is over, GandCrab opens a <randomType>-DECRYPT.txt file that is the ransom note. These are just some of the functions that we analyzed; part 2 may be coming soon.
The encryption of GandCrab 5.2 ransomware is done via the Salsa20 encryption algorithm. This cipher replaces data in the files on the infected computer with blocks of encrypted data. The virus does not encrypt the whole file, but only portions of it, enough to make it seem corrupt and unstable. What is worse, GandCrab 5.2 ransomware uses CBC mode for its file encryption procedures. This mode looks like the image we posted below, and it basically breaks your files if you try to change their extension or tamper with them:
Restore Files – Decrypt Salsa20
This repository contains Python3 scripts that can decrypt files encrypted with the GandCrab 5.2 ransomware: https://github.com/aguinet/crappy
Decryption happens in two steps. The first recovers the "user" private RSA key, which was encrypted with the so-called master key (originally held only by the ransomware authors). The second uses the recovered RSA private key to decrypt the files.
It uses the RSA private master key released by the FBI/Europol on 2019/07/15.
Thanks, NgocNB, DuongDT and DatDQ