GandCrab Ransomware | VTI by Category
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 24 |
| VTI Rule Type | Default (PE, ...) |
|
Anti Analysis |
|
|
|
Try to detect virtual machine
|
|
|
Readout system information, commonly used to detect VMs via registry. (Value "Identifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0").
|
||
|
|
Dynamic API usage
|
|
|
Resolve above average number of APIs.
|
||
|
|
Browser |
|
|
|
Read data related to browser cookies
|
|
|
Read Cookies for "Mozilla Firefox".
|
||
|
|
Read data related to saved browser credentials
|
|
|
Read the master key for "Mozilla Firefox".
|
||
|
|
Read data related to browsing history
|
|
|
Read browsing history and related data, such as bookmarks, for "Mozilla Firefox".
|
||
|
|
OS |
|
|
|
Modify certificate store
|
|
|
Add a certificate to the local "gdcb-decrypt.txt" by file.
|
||
|
Add a certificate to the local "my" gdcb-decrypt.txt list by file.
|
||
|
Add a certificate to the local "my" certificate list by file.
|
||
|
Add a certificate to the local "my" revocation list by file.
|
||
|
Add a certificate to the local "my" certificate trust list by file.
|
||
|
|
File System |
|
|
|
Encrypt content of user files
|
|
|
Encrypt the content of multiple user files. This is an indicator for ransomware.
|
||
|
|
Create many files
|
|
|
Create above average number of files.
|
||
|
|
Network |
|
|
|
Reputation URL lookup
|
|
|
URL "78.155.206.6/curl.php?token=1019" is known as suspicious URL.
|
||
|
|
Perform DNS request
|
|
|
Resolve host name "a.dnspod.com".
|
||
|
|
Check external IP address
|
|
|
Check external IP by asking IP info service at "ipv4bot.whatismyipaddress.com/".
|
||
|
|
Download data
|
|
|
URL "ipv4bot.whatismyipaddress.com/".
|
||
|
URL "78.155.206.6/curl.php?token=1019".
|
||
|
|
Connect to HTTP server
|
|
|
URL "ipv4bot.whatismyipaddress.com/".
|
||
|
URL "78.155.206.6/curl.php?token=1019".
|
||
|
|
Persistence |
|
|
|
Install system startup script or application
|
|
|
Add ""C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\tubcvd.exe"" to windows startup via registry.
|
||
|
Add "c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\startup\gdcb-decrypt.txt" to windows startup folder.
|
||
|
|
Process |
|
|
|
Create system object
|
|
|
Create mutex with name "Global\pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def".
|
||
|
Create mutex with name "firefox browser".
|
||
|
|
Create process with hidden window
|
|
|
The process "nslookup gandcrab.bit a.dnspod.com" starts with hidden window.
|
||
|
The process "C:\Windows\system32\wbem\wmic" starts with hidden window.
|
||
|
The process "C:\Windows\system32\wbem\wmic.exe" starts with hidden window.
|
||
| - | Device | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Injection | |
| - | Kernel | |
| - | Masquerade | |
| - | PE | |
| - | User | |
| - | VBA Macro | |
| - | YARA | |
