Win32/Filecoder.GandCrab [Threat Name] go to Threat

Win32/Filecoder.GandCrab.A [Threat Variant Name]

Category	trojan
Size	70656 B
Aliases	Trojan.Win32.Jorik.sbs (Kaspersky)
	Trojan.Encoder.24386 (Dr.Web)

Short description

Win32/Filecoder.GandCrab.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

%appdata%\Microsoft\%variable%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- %variable% = %appdata%\Microsoft\%variable%.exe

A string with variable content is used instead of %variable% .

Payload information

Win32/Filecoder.GandCrab.A is a trojan that encrypts files on fixed, removable and network drives.

The trojan searches for files with the following file extensions:

.1cd
.3dm
.3ds
.3fr
.3g2
.3gp
.3pr
.7z
.7zip
.aac
.ab4
.abd
.acc
.accdb
.accde
.accdr
.accdt
.ach
.acr
.act
.adb
.adp
.ads
.agdl
.ai
.aiff
.ait
.al
.aoi
.apj
.apk
.arw
.ascx
.asf
.asm
.asp
.aspx
.asset
.asx
.atb
.avi
.awg
.back
.backup
.backupdb
.bak
.bank
.bay
.bdb
.bgt
.bik
.bin
.bkp
.blend
.bmp
.bpw
.bsa
.c
.cash
.cdb
.cdf
.cdr
.cdr3
.cdr4
.cdr5
.cdr6
.cdrw
.cdx
.ce1
.ce2
.cer
.cfg
.cfn
.cgm
.cib
.class
.cls
.cmt
.config
.contact
.cpi
.cpp
.cr2
.craw
.crt
.crw
.cry
.cs
.csh
.csl
.css
.csv
.d3dbsp
.dac
.das
.dat
.db
.db_journal
.db3
.dbf
.dbx
.dc2
.dcr
.dcs
.ddd
.ddoc
.ddrw
.dds
.def
.der
.des
.design
.dgc
.dgn
.dit
.djvu
.dng
.doc
.docm
.docx
.dot
.dotm
.dotx
.drf
.drw
.dtd
.dwg
.dxb
.dxf
.dxg
.edb
.eml
.eps
.erbsql
.erf
.exf
.fdb
.ffd
.fff
.fh
.fhd
.fla
.flac
.flb
.flf
.flv
.flvv
.forge
.fpx
.fxg
.gbr
.gho
.gif
.gray
.grey
.groups
.gry
.h
.hbk
.hdd
.hpp
.html
.ibank
.ibd
.ibz
.idx
.iif
.iiq
.incpas
.indd
.info
.info_
.ini
.iwi
.jar
.java
.jnt
.jpe
.jpeg
.jpg
.js
.json
.k2p
.kc2
.kdbx
.kdc
.key
.kpdx
.kwm
.laccdb
.lbf
.lck
.ldf
.lit
.litemod
.litesql
.lock
.log
.ltx
.lua
.m
.m2ts
.m3u
.m4a
.m4p
.m4v
.ma
.mab
.mapimail
.max
.mbx
.md
.mdb
.mdc
.mdf
.mef
.mfw
.mid
.mkv
.mlb
.mmw
.mny
.money
.moneywell
.mos
.mov
.mp3
.mp4
.mpeg
.mpg
.mrw
.msf
.msg
.myd
.nd
.ndd
.ndf
.nef
.nk2
.nop
.nrw
.ns2
.ns3
.ns4
.nsd
.nsf
.nsg
.nsh
.nvram
.nwb
.nx2
.nxl
.nyf
.oab
.obj
.odb
.odc
.odf
.odg
.odm
.odp
.ods
.odt
.ogg
.oil
.omg
.one
.orf
.ost
.otg
.oth
.otp
.ots
.ott
.p12
.p7b
.p7c
.pab
.pages
.pas
.pat
.pbf
.pcd
.pct
.pdb
.pdd
.pdf
.pef
.pem
.pfx
.php
.pif
.pl
.plc
.plus_muhd
.pm
.pm!
.pmi
.pmj
.pml
.pmm
.pmo
.pmr
.pnc
.pnd
.png
.pnx
.pot
.potm
.potx
.ppam
.pps
.ppsm
.ppsx,.ppt
.pptm
.pptx
.prf
.private
.ps
.psafe3
.psd
.pspimage
.pst
.ptx
.pub
.pwm
.py
.qba
.qbb
.qbm
.qbr
.qbw
.qbx
.qby
.qcow
.qcow2
.qed
.qtb
.r3d
.raf
.rar
.rat
.raw
.rdb
.re4
.rm
.rtf
.rvt
.rw2
.rwl
.rwz
.s3db
.safe
.sas7bdat
.sav
.save
.say
.sd0
.sda
.sdb
.sdf
.sh
.sldm
.sldx
.slm
.sql
.sqlite
.sqlite3
.sqlitedb
.sqlite-shm
.sqlite-wal
.sr2
.srb
.srf
.srs
.srt
.srw
.st4
.st5
.st6
.st7
.st8
.stc
.std
.sti
.stl
.stm
.stw
.stx
.svg
.swf
.sxc
.sxd
.sxg
.sxi
.sxm
.sxw
.tax
.tbb
.tbk
.tbn
.tex
.tga
.thm
.tif
.tiff
.tlg
.tlx
.txt
.upk
.usr
.vbox
.vdi
.vhd
.vhdx
.vmdk
.vmsd
.vmx
.vmxf
.vob
.vpd
.vsd
.wab
.wad
.wallet
.war
.wav
.wb2
.wma
.wmf
.wmv
.wpd
.wps
.x11
.x3f
.xis
.xla
.xlam
.xlk
.xlm
.xlr
.xls
.xlsb
.xlsm
.xlsx
.xlt
.xltm
.xltx
.xlw
.xml
.xps
.xxx
.ycbcra
.yuv
.zip

It avoids files with the following filenames:

desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db
GDCB-DECRYPT.txt

It avoids files which contain any of the following strings in their path:

\ProgramData\
\Tor Browser\
Ransomware
\All Users\
\Local Settings\

The trojan encrypts the file content.

The RSA, AES encryption algorithm is used.

The extension of the encrypted files is changed to:

%originalfilename%.GDCB

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

When searching the drives, the trojan creates the following file in every folder visited:

GDCB-DECRYPT.txt

It contains the following text:

---= GANDCRAB =--- Attention! All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in tor browser: http://%redacted%.onion/%redacted% 5. Follow the instructions on this page If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser: 1. http://%redacted%.onion.top/%redacted% 2. http://%redacted%.onion.casa/%redacted% 3. http://%redacted%.onion.guide/%redacted% 4. http://%redacted%.onion.rip/%redacted% 5. http://%redacted%.onion.plus/%redacted% On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. DANGEROUS! Do not try to modify files or use your own private key - this will result in the loss of your data forever!

Information stealing

Win32/Filecoder.GandCrab.A is a trojan that steals sensitive information.

The trojan collects the following information:

computer name
computer IP address
list of disk devices and their type
operating system version
user name
volume serial number

The trojan attempts to send gathered information to a remote machine.

The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The trojan can terminate the following processes:

agntsvc.exeagntsvc.exe
agntsvc.exeencsvc.exe
agntsvc.exeisqlplussvc.exe
dbeng50.exe
dbsnmp.exe
excel.exe
firefoxconfig.exe
infopath.exe
msaccess.exe
mspub.exe
mydesktopqos.exe
mydesktopservice.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
ocautoupds.exe
ocomm.exe
ocssd.exe
onenote.exe
oracle.exe
outlook.exe
powerpnt.exe
sqbcoreservice.exe
sqlagent.exe
sqlbrowser.exe
sqlservr.exe
sqlwriter.exe
steam.exe
synctime.exe
tbirdconfig.exe
thebat.exe
thebat64.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe
xfssvccon.exe

The trojan executes the following command:

%system%\wbem\wmic.exe shadowcopy delete

The trojan may execute the following commands:

%windir%\system32\wbem\wmic.process call create "cmd /c start %malwarefilename%"

Trojan detects the presence of the following applications:

AVP.EXE
ashDisp.exe
avengine.exe
avgnt.exe
cfp.exe
cmdagent.exe
ekrn.exe
fsguiexe.exe
Mcshield.exe
msmpeng.exe
NortonAntiBot.exe
pccpfw.exe
persfw.exe
smc.exe

The trojan can open the following URLs:

%paymentinformationurl%