Javascript Dropper #2 - Gandcrab Analysis

Severity	Category	Operation	Classification
5/5	Anti Analysis	Tries to detect virtual machine	-
Reads out system information, commonly used to detect VMs via registry. (Value "Identifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"). ... VTI Actions Go to Function Call
5/5	File System	Modifies application directory	-
Modifies "c:\program files\crab-decrypt.txt". ... VTI Actions Go to Function Call
Modifies "c:\program files (x86)\crab-decrypt.txt". ... VTI Actions Go to Function Call
5/5	OS	Modifies certificate store	-
Adds a certificate to the local "crab-decrypt.txt" by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" crab-decrypt.txt list by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" certificate list by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" revocation list by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" certificate trust list by file. ... VTI Actions Go to Function Call
5/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to File Details Go to Function Call
5/5	File System	Encrypts content of user files	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to Function Call
4/5	Persistence	Installs system startup script or application	-
Adds ""C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\nuatrx.exe"" to Windows startup via registry. ... VTI Actions Go to Function Call
4/5	File System	Associated with malicious files	Trojan
File "c:\users\ciihmn~1\appdata\local\temp\busmeat.exe" is a known malicious file. ... VTI Actions Go to File Details Go to Function Call
4/5	PE	Executes dropped PE file	-
Executes dropped file "c:\users\ciihmn~1\appdata\local\temp\busmeat.exe". ... VTI Actions Go to File Details Go to Function Call
2/5	Network	Performs DNS request	-
Resolves host name "ns1.wowservers.ru". ... VTI Actions Go to Function Call
2/5	Network	Checks external IP address	-
Checks external IP by asking IP info service at "ipv4bot.whatismyipaddress.com/". ... VTI Actions Go to Function Call
2/5	Network	Associated with known malicious/suspicious URLs	-
URL "http://zet.ge/wp/wp-admin/images/5555.exe" is known as malicious URL. ... VTI Actions Go to Function Call
2/5	Network	Downloads data	Downloader
URL "http://lxgcnmokgusvqx.com/". ... VTI Actions Go to Function Call
URL "http://zet.ge/wp/wp-admin/images/5555.exe". ... VTI Actions Go to Function Call
URL "ipv4bot.whatismyipaddress.com/". ... VTI Actions Go to Function Call
URL "85.105.167.110/aysseaf?s=oast". ... VTI Actions Go to Function Call
URL "78.31.63.30/oaza?erb=scaugh&eigh=ai". ... VTI Actions Go to Function Call
2/5	Network	Connects to HTTP server	-
URL "ipv4bot.whatismyipaddress.com/". ... VTI Actions Go to Function Call
URL "85.105.167.110/aysseaf?s=oast". ... VTI Actions Go to Function Call
URL "78.31.63.30/oaza?erb=scaugh&eigh=ai". ... VTI Actions Go to Function Call
URL "http://lxgcnmokgusvqx.com/". ... VTI Actions Go to Function Call
URL "http://zet.ge/wp/wp-admin/images/5555.exe". ... VTI Actions Go to Function Call
2/5	PE	Drops PE file	Dropper
Drops file "c:\users\ciihmn~1\appdata\local\temp\busmeat.exe". ... VTI Actions Go to File Details Go to Function Call
Drops file "c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\nuatrx.exe". ... VTI Actions Go to File Details Go to Function Call
1/5	Process	Creates system object	-
Creates mutex with name "Global\pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def". ... VTI Actions Go to Function Call
1/5	Process	Overwrites code	-
Overwrites code to possibly hide behavior. ... VTI Actions Go to Hook Information

Notifications (1/1)

Before

After