win.gandcrab

Gandcrab

aka: GrandCrab

Actor(s): Pinchy Spider


There is no description at this point.

References
https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/
https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
http://asec.ahnlab.com/1145
https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/
https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/
https://isc.sans.edu/diary/23417
http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf
https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
Yara Rules
[TLP:WHITE] win_gandcrab_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_gandcrab_auto {

    /* Code-similarity signature for GandCrab (Malpedia id win.gandcrab).
     * Ten 4-instruction opcode sequences were lifted from the disassembly of
     * memory dumps / unpacked files (see DISCLAIMER below), and the rule
     * fires when at least 7 of them are present.  Because the patterns are
     * raw code bytes, apply the rule to unpacked samples or process memory;
     * a packed on-disk dropper, or a rebuilt/modified variant, may fall
     * below the threshold and go undetected. */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // rule generation date; malpedia_version below is presumably the
        // dataset snapshot the sequences were mined from -- confirm upstream
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is matched byte-for-byte; the disassembly in the
        // comments is for reference only.  Absolute jump targets shown below
        // (e.g. 0x356510) were resolved against the dump's load address and
        // are NOT part of the pattern -- only the rel8/rel32 displacement
        // bytes (e.g. "e2" in 72e2) are matched.
        $sequence_0 = { 6a01 33db 894df8 53 }
            // n = 4, score = 2000
            //   6a01                 | push                1
            //   33db                 | xor                 ebx, ebx
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   53                   | push                ebx

        $sequence_1 = { 3345fc 89818c000000 8bc8 894508 }
            // n = 4, score = 2000
            //   3345fc               | xor                 eax, dword ptr [ebp - 4]
            //   89818c000000         | mov                 dword ptr [ecx + 0x8c], eax
            //   8bc8                 | mov                 ecx, eax
            //   894508               | mov                 dword ptr [ebp + 8], eax

        $sequence_2 = { 3bf0 72e2 8b5c2414 53 }
            // n = 4, score = 2000
            //   3bf0                 | cmp                 esi, eax
            //   72e2                 | jb                  0x356510
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   53                   | push                ebx

        $sequence_3 = { 46 83fe64 72f3 6800800000 }
            // n = 4, score = 2000
            // counted loop: esi runs up to 0x64 (100 decimal) before falling through
            //   46                   | inc                 esi
            //   83fe64               | cmp                 esi, 0x64
            //   72f3                 | jb                  0x3547d0
            //   6800800000           | push                0x8000

        $sequence_4 = { 8955fc 663913 7445 0fb70f }
            // n = 4, score = 2000
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   663913               | cmp                 word ptr [ebx], dx
            //   7445                 | je                  0x3577ba
            //   0fb70f               | movzx               ecx, word ptr [edi]

        $sequence_5 = { 8b7df8 6800800000 6a00 ff75f0 }
            // n = 4, score = 2000
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   6800800000           | push                0x8000
            //   6a00                 | push                0
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_6 = { c74424382e006500 c744243c78006500 66894c2440 c744244473006800 }
            // n = 4, score = 2000
            // The immediates decode as UTF-16LE text: 0x65002e = ".e",
            // 0x650078 = "xe", 0x680073 = "sh" -- a wide string assembled on
            // the stack (presumably ".exe" followed by further characters;
            // the word at [esp + 0x40] comes from cx, [esp + 0x42] is written
            // outside this sequence).  Stack-built strings like this evade
            // plain ASCII/UTF-16 string matching, which is why the opcode
            // bytes are matched instead.
            //   c74424382e006500     | mov                 dword ptr [esp + 0x38], 0x65002e
            //   c744243c78006500     | mov                 dword ptr [esp + 0x3c], 0x650078
            //   66894c2440           | mov                 word ptr [esp + 0x40], cx
            //   c744244473006800     | mov                 dword ptr [esp + 0x44], 0x680073

        $sequence_7 = { 8b5dd0 e947020000 8d8580feffff 50 }
            // n = 4, score = 2000
            //   8b5dd0               | mov                 ebx, dword ptr [ebp - 0x30]
            //   e947020000           | jmp                 0x35443c
            //   8d8580feffff         | lea                 eax, dword ptr [ebp - 0x180]
            //   50                   | push                eax

        $sequence_8 = { 33ff 83f9ff 750b 68e8030000 }
            // n = 4, score = 2000
            // NOTE(review): 83 /7 ib sign-extends its imm8, so "cmp ecx, 0xff"
            // is really a compare against -1 (0xffffffff); 0x3e8 is 1000 decimal.
            //   33ff                 | xor                 edi, edi
            //   83f9ff               | cmp                 ecx, 0xff
            //   750b                 | jne                 0x355d3c
            //   68e8030000           | push                0x3e8

        $sequence_9 = { 8b44241c 85c0 740a 3b4c240c }
            // n = 4, score = 2000
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0x356714
            //   3b4c240c             | cmp                 ecx, dword ptr [esp + 0xc]

    condition:
        // at least 7 of the 10 sequences above must be present
        7 of them
}