Javascript Dropper #1 - Gandcrab Analysis

Severity	Category	Operation	Classification
5/5	Anti Analysis	Tries to detect virtual machine	-
Reads out system information, commonly used to detect VMs via registry. (Value "Identifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"). ... VTI Actions Go to Function Call
5/5	OS	Modifies certificate store	-
Adds a certificate to the local "crab-decrypt.txt" by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" crab-decrypt.txt list by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" certificate list by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" revocation list by file. ... VTI Actions Go to Function Call
Adds a certificate to the local "my" certificate trust list by file. ... VTI Actions Go to Function Call
5/5	File System	Encrypts content of user files	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to Function Call
4/5	Persistence	Installs system startup script or application	-
Adds ""C:\Users\Nd9E1FYi\AppData\RoamingqTP35.exe"" to Windows startup via registry. ... VTI Actions Go to Function Call
4/5	Network	Associated with known malicious/suspicious URLs	-
URL "92.63.197.38/letsgo.exe?LbPUer" is known as malicious URL. ... VTI Actions Go to Function Call
URL "77.244.219.151/seyst" is known as malicious URL. ... VTI Actions Go to Function Call
URL "77.244.219.151/eighge" is known as malicious URL. ... VTI Actions Go to Function Call
URL "77.244.219.151/store?steepl=aiplau&sauf=iesay" is known as malicious URL. ... VTI Actions Go to Function Call
URL "77.244.219.151/eighph?soref=eezaui" is known as malicious URL. ... VTI Actions Go to Function Call
4/5	PE	Executes dropped PE file	-
Executes dropped file "c:\users\nd9e1fyi\appdata\roamingqtp35.exe". ... VTI Actions Go to File Details Go to Function Call
2/5	Network	Performs DNS request	-
Resolves host name "ns1.virmach.ru". ... VTI Actions Go to Function Call
2/5	Network	Checks external IP address	-
Checks external IP by asking IP info service at "ipv4bot.whatismyipaddress.com/". ... VTI Actions Go to Function Call
2/5	Network	Downloads data	Downloader
URL "92.63.197.38/letsgo.exe?LbPUer". ... VTI Actions Go to Function Call
URL "ipv4bot.whatismyipaddress.com/". ... VTI Actions Go to Function Call
URL "77.244.219.151/seyst". ... VTI Actions Go to Function Call
URL "77.244.219.151/eighge". ... VTI Actions Go to Function Call
URL "77.244.219.151/store?steepl=aiplau&sauf=iesay". ... VTI Actions Go to Function Call
URL "77.244.219.151/eighph?soref=eezaui". ... VTI Actions Go to Function Call
2/5	Network	Connects to HTTP server	-
URL "ipv4bot.whatismyipaddress.com/". ... VTI Actions Go to Function Call
URL "77.244.219.151/eighge". ... VTI Actions Go to Function Call
URL "77.244.219.151/store?steepl=aiplau&sauf=iesay". ... VTI Actions Go to Function Call
URL "92.63.197.38/letsgo.exe?LbPUer". ... VTI Actions Go to Function Call
URL "77.244.219.151/eighph?soref=eezaui". ... VTI Actions Go to Function Call
URL "77.244.219.151/seyst". ... VTI Actions Go to Function Call
2/5	PE	Drops PE file	Dropper
Drops file "c:\users\nd9e1fyi\appdata\roamingqtp35.exe". ... VTI Actions Go to File Details Go to Function Call
1/5	Process	Creates system object	-
Creates mutex with name "Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000". ... VTI Actions Go to Function Call
Creates mutex with name "Global\pc_group=WORKGROUP&ransom_id=58de2295a283c81". ... VTI Actions Go to Function Call
1/5	Process	Overwrites code	-
Overwrites code to possibly hide behavior. ... VTI Actions Go to Hook Information

Notifications (2/3)

Before

After