Version 1.0
SHA1: b185665ded0fab4bb2588ec80f71333533d8e140
Version 1.1
SHA1: 2245bd90b753b7fd29b7218a0ef50435c64f8767
An encryption Trojan for the Microsoft Windows operating systems. Its self-designation is “GandCrab!”. A message with racketeers’ demands and a list of extensions of encoded files are stored in the Trojan’s body encrypted with the use of the XOR algorithm.
The malicious program can collect information on availability of the following running processes of anti-viruses:
AVP.EXE
ekrn.exe
avgnt.exe
ashDisp.exe
NortonAntiBot.exe
Mcshield.exe
avengine.exe
cmdagent.exe
smc.exe
persfw.exe
pccpfw.exe
fsguiexe.exe
cfp.exe
msmpeng.exe
In order to prevent the repeated launch, the Trojan obtains a name of a work group in the local network, serial number of the hard drive volume and the processor model name. On the basis of these data, it forms a mutex name. If there is already a mutex with the same name, the Trojan shuts down. Then it kills the following processes:
sqlservr.exe
msftesql.exe
sqlagent.exe
sqlbrowser.exe
sqlwriter.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
mydesktopqos.exe
agntsvc.exeisqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
agntsvc.exeagntsvc.exe
agntsvc.exeencsvc.exe
firefoxconfig.exe
tbirdconfig.exe
ocomm.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
dbeng50.exe
sqbcoreservice.exe
excel.exe
infopath.exe
msaccess.exe
mspub.exe
onenote.exe
outlook.exe
powerpnt.exe
steam.exe
thebat.exe
thebat64.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe
After the processes are shut down, the Trojan forms a message with cybercriminals’ demands and generates the RSA-2048 key pair. Then it sends a call request to its command and control server, zeroes a private key in the memory and starts the process of its installation to the system.
If the Trojan is not launched from the folder %APPDATA%, it creates its own copy with an arbitrary name in the folder %APPDATA%\Microsoft\. Path to this file is saved in the thread of the system registry [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] with an arbitrary name of the parameter.
The Trojan encrypts the contents of the fixed, removable and network disks. Each disk is encrypted in a separate thread. When the encryption is completed, the Trojan sends to the server the data on the amount of encrypted files and the encryption time. The following folders are not encrypted:
ProgramData
Program Files
Tor Browser
Ransomware
All Users
Local Settings
%PROGRAM_FILESX86%
%PROGRAM_FILES_COMMON%
%WINDOWS%
%LOCAL_APPDATA%
The data required for encryption are generated for each file, then they are encrypted with the public RSA key. The encrypted files have the GDCB extension.
The Trojan uses the command and control server, the domain name of which is not resolved with standard methods. To obtain an IP address of the command and control server, the encoder executes the command nslookup and obtains the address from its output. If an attempt to obtain the IP address is unsuccessful, the encryption is not performed.
To send the call request to the command and control server, the Trojan forms a string that looks the following way:
action=call&ip=123.123.123.123&pc_user=root&pc_name=PC&pc_group=WORKGROUP&pc_keyb=0&os_major=Microsoft
Windows
XP&os_bit=x86&ransom_id=1111111111111111&hdd=C:FIXED_...&pub_key=...&priv_key=...&version=1.0
where:
- action — the request type;
- ip — an external address of an infected computer (if the Trojan is unsuccessful when obtaining it, the field stays blank);
- pc_user — user name;
- pc_name — computer name;
- pc_group — work group name;
- pc_keyb — keyboard layout code;
- os_major — Windows version (it is extracted from the key of the system registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\productName);
- os_bit — Windows bitness;
- ransom_id — infection identifier;
- hdd — information about disks;
- pub_key — a public key encoded in base64;
- priv_key — a private key encoded in base64;
- version — the internal Trojan version.
The obtained string is encrypted using the RC4 algorithm. Then the result is additionally encoded using base64. The obtained data are sent to the command and control server with the POST request, which looks like %IP_ADDR%/curl.php?token=1234 (the value token is extracted from the packed Trojan’s body). As a response, the malicious program receives the data encoded with the use of base64 and encrypted with the same RC4 key. They could contain a command for self-removal and a list of extensions for encryption (also encoded using base64).
At present, decryption of files encrypted with this Trojan is impossible.
