[Editor’s Note: This post was updated on July 9th, 2018 with analysis of Gandcrab v4]
Like legitimate commercial software, commercial malware also needs a viable business model. For ransomware, the most popular business model is now Ransomware-as-a-Service (RaaS). RaaS focuses on selling ransomware as an easy-to-use service, opening up a broader market of non-technical attackers. Many ransomware developers now focus on developing and maintaining a service which allows their affiliates (customers) to start attacks with just a few clicks.
In the past few months, the RaaS-space was dominated by a relatively new malware family: GandCrab.
Gandcrab’s Distribution Methods
We’ve seen Gandcrab being distributed using two primary methods:
- Javascript and Doc downloaders attached to e-mails
- Drive-by download using exploit kits
Javascript Droppers
Javascript Dropper #1
View the VMRay Analyzer Report
A common distribution method is zipped Javascript droppers attached to emails.
After deobfuscating itself the javascript executes a Powershell one-liner to download and execute a file, Gandcrab v2 (internal version 1.2.0).
Dropper: b4b6f6c2588001e5b95eed79faf99a92b9d9224f65af6a92e055ddfb145a1ecc
Dropped Gandcrab v1.2.0: 063cf82cd52acb6a0539a6ff59f72fb5de473293a06c470a92c6d35a151b73e9
Unpacked DLL: ed8875c88bf061f45601629fbb3faa9f5b9ea4a076ba5a7accd566dc40862072
Javascript Dropper #2
View the VMRay Analyzer Report
Javascript Dropper #2 doesn’t use PowerShell. Instead, it downloads the file and executes it directly. The payload is Gandcrab v3 (internal version 3.3.0).
Dropper: e7851a1b3e93968e7f6b92a1a3f59d250402be15a5bcb3262acff1e0a27b912c
Dropped Gandcrab v3.0.0: 6a8d922e34de35ac074b7de54d71227fb1a1ed92b9cfbc4daf8d64a9c5bc46b8
Unpacked DLL: 67c50459db7f0042d7e1a96ce113e60f0179978dfe810bdb0f5320a092ce3b71
Doc Droppers
Doc Dropper
View the VMRay Analyzer Report
Doc Droppers use the same logic as the Javascript Droppers, but implemented in VBA. This sample contains an 800 line VBA script like this snippet:
The end result is another PowerShell one-liner, which downloads an EXE to a temporary directory, and executes it.
Dropper: 99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809
Dropped Gandcrab v2.3.1: 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f
Unpacked DLL: f93379f495ce3c025b8f2ad59779d2de28f00a25b6206572522a71028f925f01
Encrypted Doc Dropper
View the VMRay Analyzer Report
A more recent spam campaign used encrypted doc files, with the emails containing the password to open the doc: 123123. This dropper executed the sample (Gandcrab v3.0.1) directly with VBA, without Powershell.
E-mail: b4d0b03ca50f013b4f0f9efc2ecd822bfc13325356100f2f4d36eaf217d9077b
Dropper: be54bb05adbda29316ba03d61b3365d8a03e1121a39ae492078787aff4f1248f
Dropped Gandcrab v3.0.1: 589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac
Unpacked DLL: 229275aa89ea8d39b3cc721d45d51d50707339b64afddde99119ebdf50ef6770
Exploit Kits
Attackers also used multiple exploit kits: Grandsoft, RIG and Magnitude.
Using a browser exploit kit is a tradeoff from the attacker’s point-of-view. If the victim has an unpatched version of browser or flash player, they only need to click a link to get infected. It is much easier for the attacker to get someone to click a link than to get them to download and execute a file — but the attack won’t work if the potential victim has even roughly up-to-date software.
RIG EK
View the VMRay Analyzer Report
RIG is a popular exploit kit, which has recently been updated with a newer Flash exploit (CVE-2018-4878). It used the new exploit for dropping Gandcrab, observed on April 9 by @nao_sec.
As visible on the sandbox report and the packet capture, this attack vector exploited Adobe Flash Player, downloaded and executed Gandcrab v3.0.1.
RIG used the Flash exploit for CVE-2018-4878. This happened before a new exploit for an Internet Explorer vulnerability (CVE-2018-8174) was implemented in RIG.
CVE-2018-4878 is also a relatively new vulnerability – on February 1st Adobe released a bulletin, informing users that a Flash player zero-day is being used in the wild, and followed up with a patch on February 6th. The exploit uses a use-after-free bug in Flash Player’s DRM implementation. The downloaded SWF file is partly obfuscated, but it contains some debug symbols, making some key parts of the exploit easy to spot, like the class UAFGenerator.
The payload of the exploit is visible in the sandbox report – cmd.exe is called to drop and execute a javascript downloader.
Even after a little bit of deobfuscation, the downloader activity becomes clear:
The downloaded file is dropped in the %TEMP% directory with the name b**.exe, where ** is a number in the [0, 56] range. At the end the dropper executes the downloaded Gandcrab v3.0.1 payload.
Exploit (swf): ad5dbe133677c987f95fc890ab37a48d9d2f9324a53356affd078e26d3cbb8fc
Downloader (js): 7fab866ce5474e690a06ca556c76e63a3c3c184ae493fce03bb2a839ef7ef725
Dropped GandCrab v3.0.1: c0db3c329592294a81f23c37e701a189110913c17d1371bc625a3eae97f37a94
Unpacked DLL: 243cafdc3582a750537fb7a4ba4e9640f4142f385478c106514bae0d736f462e
Grandsoft EK
View the VMRay Analyzer Report
Grandsoft is an exploit kit which is used far less frequently, it made a comeback with dropping GandCrab, spotted on January 30 by
@kafeine.
The attack is visible in the VMRay Analyzer Report:
For an old Internet Explorer version, the exploit kit served CVE-2016-0189, an exploit of a memory corruption vulnerability in Internet Explorer’s vbscript.dll. This is an old vulnerability, patched in May 2016, which allows running arbitrary vbscript code on unpatched systems.
The VBS exploit code is obfuscated, but still readable. The downloader is in the fire() function. It first downloads the file (See Figure below):
It then executes the downloaded file, depending on its extension:
The full control flow shows the exploited Internet Explorer process downloaded an exe file (Gandcrab v2.1, internal version 3.0.0), and executed it with cmd.exe. The Process Graph shows the Gandcrab packer injected its DLL payload into svchost.exe.
Exploit: a67a98047097f2249eba7a31138efde45f3c02a3f7f46d3a9de85d630da7cd94
Dropped file: 6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff
Injected dll: 469961813372d2a3645cf9927c983f5d661e2a60589425d9259e7658de63a181
Packer
Gandcrab uses its own packer, which has only changed a little through all the versions.
Sandbox Evasion: API hammering
Even the first versions of Gandcrab used API hammering, a very simple sandbox evasion technique. The technique calls an API function in a loop, hoping the analysis will time out before reaching any malicious behavior. This can be effective against sandboxes which handle the loop slowly – the slower a sandbox is, the more dramatic are the effects of API hammering.
Gandcrab’s packer often mixes the technique with one of the two following techniques:
- Doing something in the loop that’s necessary for the execution to continue. This ensures that the loop can’t simply be detected as unnecessary and skipped automatically.
- Loop cycles where no APIs are called.
Each version of the Gandcrab packer uses different API functions, and iteration numbers, but the principle is the same.
In this v1.0 sample the loop is repeated 200 million times, but only one of its iterations is useful:
Sample SHA256: 69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d
In this v3.0.0 sample the loop gets the temp path and allocates memory, but takes 5 million loops to do it:
Sample SHA256: 6a8d922e34de35ac074b7de54d71227fb1a1ed92b9cfbc4daf8d64a9c5bc46b8
Reflective Loader
Gandcrab v2’s (internal version v.1.0.0r), main functionality is moved to a DLL. The DLL’s name is “encryption.dll”, and only exports the entry point, and a function named ReflectiveLoader()
The packer calls the ReflectiveLoader function, loads the DLL and starts the malicious activity which is in DLLMain.
The DLL is loaded in the same process for most samples, but with Gandcrab 3.0.0 it was observed injecting the DLL into a newly spawned svchost process.
Sample SHA256: 6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff.
String Obfuscation Method
The packer and the payload use the same method to obfuscate strings used as API parameters for many calls: simply moving them to the stack in 4-byte blocks before the calling a function which uses them as a parameter. @hasherezade made a deobfuscator IDA plugin for this technique.
Function resolution within the packer.
Function resolution within the packer.
Easter Eggs for Researchers
The packer and payload also contain messages to researchers who made a public impact on Gandcrab, or ransomware in general.
If a file exists in the C:\MalwarebytesLabs directory , a message to Marcelo Rivero pops up.
Fabian Wosar’s name is used as a placeholder string multiple times per sample.
Communication with the C&C is encrypted with a hardcoded key. Since the release of Gandcrab v2, this key is computed using the string “europol” – the name of the agency partly responsible for creating a decryptor for v1.
Gandcrab v4 Packer
Version 4.0 of Gandcrab rewrites large parts of the ransomware with many previously implemented features missing. The removed features include parts of the packer.
The packer doesn’t use the reflective DLL loading method anymore, and reverts to simply replacing parts of its own process in memory.
Besides the removal of the DLL loading technique, a new obfuscation technique was added to the beginning of the packer. The technique starts by moving the obfuscated code to the stack in 4-byte blocks, like the string obfuscation method from previous versions. After this, the packer proceeds to use subtractions and additions to deobfuscate the code on the stack.
The first samples of v4.1 we’ve seen were unpacked, but later samples were packed with the same packer as v4.0.
Gandcrab Payload History
Gandcrab v1
The GandCrab payload exhibits stereotypical ransomware behavior: it encrypts user files with a key unique to the victim, and drops ransom notes with instructions to pay the ransom in exchange for the key.
Gandcrab was first publicly discovered by security researcher David Montenegro in late January 2018. In one month the family had over 50,000 victims. Unusually, the ransom needed to be payed in the crypto-currency DASH, now they also accept bitcoin. We analyzed GandCrab v1 in our January Malware Analysis recap blog.
At the end of February, a decryptor was published for GandCrab v1 in a joint effort by the Romanian Police (IGPR), Bitdefender and Europol.
Gandcrab v2
On March 5th, just a week after the decryptor was released, a new Gandcrab version was spotted by @MalwareHunterTeam. The decryptor from the previous week doesn’t work with the newer version. It also uses a new extension (.CRAB), has different hardcoded domains, and moves the code to a DLL. It also looks for kernel-mode components of Antivirus software.
Internal Version and Ransom Note
Gandcrab’s ransom notes contain a version number, and the payload contains another, “internal” version number, which is sent over the network when connecting to the C&C. Most often these two version numbers don’t match (see example below where the ransom note indicates version 2.1).
Sample SHA256: 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f).
Internal version number reported to the C&C for the same sample is 2.3.2.
Gandcrab v3
A Gandcrab sample with internal version 3.0.0 was spotted on Apr 23 by @nao_sec, later followed by v3.0.1 first published by @zsawei on May 9th. Version 3.0.0 added support for changing the wallpaper.
Discrepancies Between v3.0.0 Samples
It was observed that two samples with the same internal version number (3.0.0) had different capabilities: one of the samples injects its payload into a new svchost process while another one doesn’t start a new process, but can now change the wallpaper.
Gandcrab v3.0.1
View the VMRay Analyzer Report
Packed sample: 8a1e66b4834499dacc24abb27733c387733d919070fc504b14ee865678952559
Unpacked DLL: e9bfa9691b48a75fa917a37290cb32b02ded3ae60dab4bcd625e8f390fd345a1
Usually the single difference between v3.0.0 payloads and v3.0.1 payloads is the user agent, and everything else is the same.
Old User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
The new User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Everything else is the same.
Discrepancies Between v3.0.1 Samples
The sample discovered by @zsawei was very different — it was compiled without certain functions, which have been there in previous versions: wallpaper changing, autorun, search for kernel-mode antivirus.
Missing functions:
Packed sample: 5ab28933afa89bd0924ed45538b753cd260d0a6cec76eeca30d040476cf6d363
Unpacked DLL: 03b73dfe73dc7f9191e0c3a34801dd0e906b3ba8c77de76681a23a7c34cb5133
Gandcrab v4
Gandcrab Version 4.0 appeared in the wild on July 1st, 2018. On July 5th, we found an updated v4.1 version.
Gandcrab v4 has brought many changes from previous versions including modifications replacing most of the code and a focus on quickly encrypting, then disappearing from the system. Below are the changes in v4 from previous versions.
- The new extension of encrypted files is KRAB, and the ransom note is named KRAB-DECRYPT.txt
- The ransom note contains a private and a public key.
- The keys are also written to the registry in “HKEY_CURRENT_USER\SOFTWARE\keys_data\data”
- A new encryption algorithm is used.
- The ransomware now also looks for network shares in a separate thread.
- Hidden .lock files are dropped into the folders before encrypting contents of the folder
- Gandcrab v4.0 doesn’t connect a C&C. The ransomware still collects the same data it did on previous versions, (except for the external IP address), and it also creates the string which it would upload to the server, it just doesn’t send it.
- In v4.1 the C&C connection is back, and it has a URL generation algorithm, replacing the hardcoded URLs seen in v3
- The encryption happens on a different thread than the C&C communication, and the files are encrypted even if the C&C could not be connected.
- Gandcrab removes itself after it’s done.
Removed Features:
-
- There is no autorun. Gandcrab runs once, then deletes itself.
- The wallpaper isn’t changed
- The mutex is not created
- No kernel-mode AV checking
- Doesn’t query the machine’s public IP address from ipv4bot.whatismyipaddress.com
Payload Control Flow
Most of Gandcrab’s activity is constant through the versions. The screenshots below show Gandcrab v3’s control flow:
Data collection and preparation
Gandcrab first collects data about the system and generates private and public keys.
Domain
Queries the domain the system belongs to.
Processor Name
Queries the processor name and type.
Mutex
Generates the ransom ID and creates a mutex. This step is skipped in Gandcrab v4.
Kernel-Mode AV
In v2 and v3, Gandcrab starts a thread to look for kernel-mode antivirus components.
List of detected kernel-mode AV-components:
- klif.sys (Kaspersky)
- kl1.sys (Kaspersky)
- fsdfw.sys (F-Secure)
- srtsp.sys (Symantec)
- srtsp64.sys (Symantec)
- NavEx15.sys (Symantec)
- NavEng.sys (Symantec)
Closing Processes
Samples contain a list of hardcoded process names, which are terminated before encryption starts. Otherwise the processes could have open handles to important files, and the ransomware wouldn’t be able to encrypt them.
List of closed processes, constant through versions:
- msftesql.exe
- sqlagent.exe
- sqlbrowser.exe
- sqlservr.exe
- sqlwriter.exe
- oracle.exe
- ocssd.exe
- dbsnmp.exe
- synctime.exe
- mydesktopqos.exe
- agntsvc.exeisqlplussvc.exe
- xfssvccon.exe
- mydesktopservice.exe
- ocautoupds.exe
- agntsvc.exeagntsvc.exe
- agntsvc.exeencsvc.exe
- firefoxconfig.exe
- tbirdconfig.exe
- ocomm.exe
- mysqld.exe
- mysqld-nt.exe
- mysqld-opt.exe
- dbeng50.exe
- sqbcoreservice.exe
- excel.exe
- infopath.exe
- msaccess.exe
- mspub.exe
- onenote.exe
- outlook.exe
- powerpnt.exe
- steam.exe
- sqlservr.exe
- thebat.exe
- thebat64.exe
- thunderbird.exe
- visio.exe
- winword.exe
- wordpad.exe
Autorun
In v2 and v3, Gandcrab adds itself to autorun via a registry key.
Key Generation
A private and public key is generated.
Keyboard Layout
The sample queries the keyboard layout, but only stores if it is Russian or not.
Windows Product Name
Queries the Windows product name.
Processor Architecture:
Queries processor architecture.
Collects Running Antivirus Processes:
Compares running processes with a hardcoded list of antivirus process names.
List of detected antivirus processes, constant through all versions:
- AVP.EXE
- ekrn.exe
- avgnt.exe
- ashDisp.exe
- NortonAntiBot.exe
- Mcshield.exe
- avengine.exe
- cmdagent.exe
- smc.exe
- persfw.exe
- pccpfw.exe
- fsguiexe.exe
- cfp.exe
- msmpeng.exe
Iterate Through all Drives
The malware iterates through all letters, to check which drives exist.
If the drive exists, it queries and stores free and used disk space.
IP Address
The malware uses whatismyipaddress.com to query the machine’s IP before v4.
C&C Check-ins
Before v4 the samples have their C&C server names hardcoded, and use the .bit TLD. Since .bit addresses cannot be resolved by most DNS servers, Gandcrab uses nslookup to resolve the IP addresses. The hardcoded C&C servers and DNS names change from version-to-version.
In v4.0 there is no C&C communication at all, and in v4.1 the URLs are generated by the malware, instead of being completely hardcoded.
The data collected in the previous steps is encrypted with a hardcoded key, and then POST-ed to the C&C server. The sent data also contains the internal version of the ransomware.
The server responds, and encryption starts. After the encryption the sample does another check-in to notify the C&C about the successful encryption.
Encryption
A new thread iterates the drive using FindFirstFile – FindNextFile and encrypts the files which have the right extension.
Shadow Copy Removal
After encryption, the sample removes shadow copies, using wmic on Vista and later, and vssadmin on XP and earlier.
Wallpaper
Wallpaper changing was a new feature in v3, which was later removed in v4.
The wallpaper is not hardcoded inside the sample, it’s drawn at runtime using the DrawText function.
The wallpaper file is dropped in the temp folder, and the wallpaper is then changed with SystemParametersInfo.
Reboot
Finally, the sample sets a reboot in 60 seconds and opens the download page for the Tor browser.
The reboot and browser opening is removed from Gandcrab v4. Since v4, the malware instead removes itself after it’s done.
Conclusion
Although GandCrab is not a sophisticated piece of malware, it is used in widespread and frequent campaigns via different distribution methods. The family reacts quickly to changes like the decryptor for the v1 version, and adds new features often, making it one of the most prevalent malware families in 2018.
Samples
Gandcrab v1.0
January Malware Analysis recap blog
Gandcrab sample: 69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d
Unpacked: 0c0def0788b5f946bb2d1a83d883d474550353c98eaffb4456d651cb4bcc3bd9
JS dropping v1.2.0
VMRay Analyzer Report
Dropper: b4b6f6c2588001e5b95eed79faf99a92b9d9224f65af6a92e055ddfb145a1ecc
Dropped Gandcrab sample: 063cf82cd52acb6a0539a6ff59f72fb5de473293a06c470a92c6d35a151b73e9
Unpacked DLL: ed8875c88bf061f45601629fbb3faa9f5b9ea4a076ba5a7accd566dc40862072
DOC dropping v2.3.1
VMRay Analyzer Report
Dropper: 99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809
Dropped Gandcrab sample: 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f
Unpacked DLL: f93379f495ce3c025b8f2ad59779d2de28f00a25b6206572522a71028f925f01
JS dropping v3.0.0
VMRay Analyzer Report
Dropper: e7851a1b3e93968e7f6b92a1a3f59d250402be15a5bcb3262acff1e0a27b912c
Dropped Gandcrab sample: 6a8d922e34de35ac074b7de54d71227fb1a1ed92b9cfbc4daf8d64a9c5bc46b8
Unpacked DLL: 67c50459db7f0042d7e1a96ce113e60f0179978dfe810bdb0f5320a092ce3b71
Grandsoft EK dropping v3.0.0
VMRay Analyzer Report
Exploit: a67a98047097f2249eba7a31138efde45f3c02a3f7f46d3a9de85d630da7cd94
Dropped Gandcrab sample: 6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff
Injected DLL: 469961813372d2a3645cf9927c983f5d661e2a60589425d9259e7658de63a181
RIG EK dropping v3.0.1
VMRay Analyzer Report
Exploit (swf): ad5dbe133677c987f95fc890ab37a48d9d2f9324a53356affd078e26d3cbb8fc
Downloader (js): 7fab866ce5474e690a06ca556c76e63a3c3c184ae493fce03bb2a839ef7ef725
Dropped Gandcrab sample: c0db3c329592294a81f23c37e701a189110913c17d1371bc625a3eae97f37a94
Unpacked DLL: 243cafdc3582a750537fb7a4ba4e9640f4142f385478c106514bae0d736f462e
Regular Gandcrab v3.0.1 payload
VMRay Analyzer Report
Gandcrab sample: 8a1e66b4834499dacc24abb27733c387733d919070fc504b14ee865678952559
Unpacked DLL: e9bfa9691b48a75fa917a37290cb32b02ded3ae60dab4bcd625e8f390fd345a1
Gandcrab v3.0.1 payload with missing features
VMRay Analyzer Report
Gandcrab sample: 5ab28933afa89bd0924ed45538b753cd260d0a6cec76eeca30d040476cf6d363
Unpacked DLL: 03b73dfe73dc7f9191e0c3a34801dd0e906b3ba8c77de76681a23a7c34cb5133
Encrypted doc dropping Gandcrab v3.0.1
VMRay Analyzer Report
E-mail: b4d0b03ca50f013b4f0f9efc2ecd822bfc13325356100f2f4d36eaf217d9077b
Dropper (password 123123): be54bb05adbda29316ba03d61b3365d8a03e1121a39ae492078787aff4f1248f
Gandcrab sample: 589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac
Unpacked DLL: 229275aa89ea8d39b3cc721d45d51d50707339b64afddde99119ebdf50ef6770
Gandcrab v4.0
VMRay Analyzer Report
Gandcrab sample: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23
Unpacked: 786e3c693fcdf55466fd6e5446de7cfeb58a4311442e0bc99ce0b0985c77b45d
Gandcrab v4.1
VMRay Analyzer Report
First public samples (unpacked):
8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1
e454123d852e6a40eed1f2552e1a1ad3c00991541d812fbf24b70611bd1ec40a
6987fd73457ac0b5c245886532b1bdf5d58cb43890e04b706ebba44727403311
Later v4.1 Sample
Packed: 06ee45a770fa1a88b62d28059c2c44310f7ff56edbdaf35a0b9c44f2a4e57536
Unpacked: f5e74d939a5b329dddc94b75bd770d11c8f9cc3a640dccd8dff765b6997809f2
