Gandcrab Ransomware v4.0

VTI SCORE: 100/100

Target:

win10_64 | exe

Classification:

Riskware, Ransomware

ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23 (SHA256)

1.pdf.exe

Windows Exe (x86-32)

Created at 2018-07-02 20:32:00

Notifications (1/1)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

Severity	Category	Operation	Classification
5/5	File System	Encrypts content of user files	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to Function Call
4/5	Masquerade	Uses a double file extension	Riskware
File "c:\users\ciihmnxmn6ps\desktop\1.pdf.exe" has a double file extension. ... VTI Actions Go to Function Call
File "\??\C:\Users\CIiHmnxMn6Ps\Desktop\1.pdf.exe" has a double file extension. ... VTI Actions Go to Function Call
3/5	OS	Modifies certificate store	-
Adds a certificate to the local "krab-decrypt.txt" by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" krab-decrypt.txt list by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" certificate list by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" revocation list by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" certificate trust list by file. ... VTI Actions Go to Function Call
3/5	Browser	Reads data related to browser cookies	-
Reads Cookies for "Mozilla Firefox". ... VTI Actions Go to Function Call
3/5	Browser	Reads data related to saved browser credentials	-
Reads the master key for "Mozilla Firefox". ... VTI Actions Go to Function Call
2/5	Anti Analysis	Tries to detect virtual machine	-
Reads out system information, commonly used to detect VMs via registry. (Value "Identifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"). ... VTI Actions Go to Function Call
2/5	Browser	Reads data related to browsing history	-
Reads browsing history and related data, such as bookmarks, for "Mozilla Firefox". ... VTI Actions Go to Function Call
1/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Function Call
1/5	Hide Tracks	Writes an unually large amount of data to the registry	-
Hides 1688 byte in "HKEY_CURRENT_USER\SOFTWARE\keys_data\data\private". ... VTI Actions Go to Function Call
1/5	File System	Modifies application directory	-
Modifies "c:\program files\krab-decrypt.txt". ... VTI Actions Go to Function Call
Modifies "c:\program files (x86)\krab-decrypt.txt". ... VTI Actions Go to Function Call
1/5	Process	Creates process with hidden window	-
The process "C:\Windows\system32\wbem\wmic.exe" starts with hidden window. ... VTI Actions Go to Function Call
The process "cmd.exe" starts with hidden window. ... VTI Actions Go to Function Call
1/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to File Details Go to Function Call
1/5	Process	Overwrites code	-
Overwrites code to possibly hide behavior. ... VTI Actions Go to Hook Information

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (1/1)

Before

After