Blog

The Evolution of Gandcrab Ransomware

Like legitimate commercial software, commercial malware also needs a viable business model. For ransomware, the most popular business model is now Ransomware-as-a-Service (RaaS). RaaS focuses on selling ransomware as an easy-to-use service, opening up a broader market of non-technical attackers. Many ransomware developers now focus on developing and maintaining a service which allows their affiliates (customers) to start attacks with just a few clicks.

In the past few months, the RaaS-space was dominated by a relatively new malware family: Gandcrab.

Gandcrab’s Distribution Methods

We’ve seen Gandcrab being distributed using two primary methods:

  • Javascript and Doc downloaders attached to e-mails
  • Drive-by download using exploit kits

Javascript Droppers

Javascript Dropper #1

View the VMRay Analyzer Report

A common distribution method is zipped Javascript droppers attached to emails.
Javascript Dropper - Gandcrab Analysis
After deobfuscating itself the javascript executes a Powershell one-liner to download and execute a file, Gandcrab v2 (internal version 1.2.0).
Deobfuscated Javascript Dropper - Gandcrab Analysis
Dropper: b4b6f6c2588001e5b95eed79faf99a92b9d9224f65af6a92e055ddfb145a1ecc
Dropped Gandcrab v1.2.0: 063cf82cd52acb6a0539a6ff59f72fb5de473293a06c470a92c6d35a151b73e9
Unpacked DLL: ed8875c88bf061f45601629fbb3faa9f5b9ea4a076ba5a7accd566dc40862072

Javascript Dropper #2

View the VMRay Analyzer Report

Javascript Dropper #2 doesn’t use PowerShell. Instead, it downloads the file and executes it directly. The payload is Gandcrab v3 (internal version 3.3.0).
PowerShell Javascript Dropper - Gandcrab Analysis
Dropper: e7851a1b3e93968e7f6b92a1a3f59d250402be15a5bcb3262acff1e0a27b912c
Dropped Gandcrab v3.0.0: 6a8d922e34de35ac074b7de54d71227fb1a1ed92b9cfbc4daf8d64a9c5bc46b8
Unpacked DLL: 67c50459db7f0042d7e1a96ce113e60f0179978dfe810bdb0f5320a092ce3b71

Doc Droppers

Doc Dropper

View the VMRay Analyzer Report

Doc Droppers use the same logic as the Javascript Droppers, but implemented in VBA. This sample contains an 800 line VBA script like this snippet:
Doc Dropper - Gandcrab Analysis
The end result is another PowerShell one-liner, which downloads an EXE to a temporary directory, and executes it.
PowerShell Doc Dropper - Gandcrab Analysis
Dropper: 99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809
Dropped Gandcrab v2.3.1: 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f
Unpacked DLL: f93379f495ce3c025b8f2ad59779d2de28f00a25b6206572522a71028f925f01

Encrypted Doc Dropper
View the VMRay Analyzer Report
A more recent spam campaign used encrypted doc files, with the emails containing the password to open the doc: 123123. This dropper executed the sample (Gandcrab v3.0.1) directly with VBA, without Powershell.

E-mail: b4d0b03ca50f013b4f0f9efc2ecd822bfc13325356100f2f4d36eaf217d9077b
Dropper: be54bb05adbda29316ba03d61b3365d8a03e1121a39ae492078787aff4f1248f
Dropped Gandcrab v3.0.1: 589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac
Unpacked DLL: 229275aa89ea8d39b3cc721d45d51d50707339b64afddde99119ebdf50ef6770

Exploit Kits

Attackers also used multiple exploit kits: Grandsoft, RIG and Magnitude.

Using a browser exploit kit is a tradeoff from the attacker’s point-of-view. If the victim has an unpatched version of browser or flash player, they only need to click a link to get infected. It is much easier for the attacker to get someone to click a link than to get them to download and execute a file — but the attack won’t work if the potential victim has even roughly up-to-date software.

RIG EK

View the VMRay Analyzer Report

RIG is a popular exploit kit, which has recently been updated with a newer Flash exploit (CVE-2018-4878). It used the new exploit for dropping Gandcrab, observed on April 9 by @nao_sec.

As visible on the sandbox report and the packet capture, this attack vector exploited Adobe Flash Player, downloaded and executed Gandcrab v3.0.1.

Process Graph CVE-2018-4878 Drops Gandcrab - Gandcrab Analysis

RIG Exploit Kit - Gandcrab Analysis

RIG used the Flash exploit for CVE-2018-4878. This happened before a new exploit for an Internet Explorer vulnerability (CVE-2018-8174) was implemented in RIG.

CVE-2018-4878 is also a relatively new vulnerability – on February 1st Adobe released a bulletin, informing users that a Flash player zero-day is being used in the wild, and followed up with a patch on February 6th. The exploit uses a use-after-free bug in Flash Player’s DRM implementation. The downloaded SWF file is partly obfuscated, but it contains some debug symbols, making some key parts of the exploit easy to spot, like the class UAFGenerator.

Obfuscated SWF File - Gandcrab Analysis

The payload of the exploit is visible in the sandbox report – cmd.exe is called to drop and execute a javascript downloader.

cmd.exe Called to Execute JS Downloader - Gandcrab Analysis

Even after a little bit of deobfuscation, the downloader activity becomes clear:

Downloader Activity - Gandcrab Analysis

The downloaded file is dropped in the %TEMP% directory with the name b**.exe, where ** is a number in the [0, 56] range. At the end the dropper executes the downloaded Gandcrab v3.0.1 payload.

Command Line Gandcrab 3.0 Payload - Gandcrab Analysis

Exploit (swf): ad5dbe133677c987f95fc890ab37a48d9d2f9324a53356affd078e26d3cbb8fc
Downloader (js): 7fab866ce5474e690a06ca556c76e63a3c3c184ae493fce03bb2a839ef7ef725
Dropped GandCrab v3.0.1: c0db3c329592294a81f23c37e701a189110913c17d1371bc625a3eae97f37a94
Unpacked DLL: 243cafdc3582a750537fb7a4ba4e9640f4142f385478c106514bae0d736f462e

Grandsoft EK

View the VMRay Analyzer Report

Grandsoft is an exploit kit which is used far less frequently, it made a comeback with dropping GandCrab, spotted on January 30 by @kafeine.

The attack is visible in the VMRay Analyzer Report report:

Gandcrab Downloader Process Graph Gandcrab Analysis
For an old Internet Explorer version, the exploit kit served CVE-2016-0189, an exploit of a memory corruption vulnerability in Internet Explorer’s vbscript.dll. This is an old vulnerability, patched in May 2016, which allows running arbitrary vbscript code on unpatched systems.

The VBS exploit code is obfuscated, but still readable. The downloader is in the fire() function. It first downloads the file (See Figure below):

Obfuscated VBS Exploit Code - Gandcrab Analysis

It then executes the downloaded file, depending on its extension:

Full Control Flow Gandcrab 2.1 - Gandcrab Analysis
The full control flow shows the exploited Internet Explorer process downloaded an exe file (Gandcrab v2.1, internal version 3.0.0), and executed it with cmd.exe. The Process Graph shows the Gandcrab packer injected its DLL payload into svchost.exe.

Exploit: a67a98047097f2249eba7a31138efde45f3c02a3f7f46d3a9de85d630da7cd94
Dropped file: 6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff
Injected dll: 469961813372d2a3645cf9927c983f5d661e2a60589425d9259e7658de63a181

Packer

Gandcrab uses its own packer, which has only changed a little through all the versions.

Sandbox Evasion: API hammering

Even the first versions of Gandcrab used API hammering, a very simple sandbox evasion technique. The technique calls an API function in a loop, hoping the analysis will time out before reaching any malicious behavior. This can be effective against sandboxes which handle the loop slowly – the slower a sandbox is, the more dramatic are the effects of API hammering.

Gandcrab’s packer often mixes the technique with one of the two following techniques:

  1. Doing something in the loop that’s necessary for the execution to continue. This ensures that the loop can’t simply be detected as unnecessary and skipped automatically.
  2. Loop cycles where no APIs are called.

Each version of the Gandcrab packer uses different API functions, and iteration numbers, but the principle is the same.

In this v1.0 sample the loop is repeated 200 million times, but only one of its iterations is useful:

Gandcrab Packer 1.0 Loop - Gandcrab Analysis
Sample SHA256: 69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d

In this v3.0.0 sample the loop gets the temp path and allocates memory, but takes 5 million loops to do it:

Gandcrab Packer 3.0 Loop - Gandcrab Analysis
Sample SHA256: 6a8d922e34de35ac074b7de54d71227fb1a1ed92b9cfbc4daf8d64a9c5bc46b8

Reflective Loader

Gandcrab v2’s (internal version v.1.0.0r), main functionality is moved to a DLL. The DLL’s name is “encryption.dll”, and only exports the entry point, and a function named ReflectiveLoader().
ReflectiveLoader() - Gandcrab Analysis

The packer calls the ReflectiveLoader function, loads the DLL and starts the malicious activity which is in DLLMain.

The DLL is loaded in the same process for most samples, but with Gandcrab 3.0.0 it was observed injecting the DLL into a newly spawned svchost process.

Sample SHA256: 6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff

String Obfuscation Method

The packer and the payload use the same method to obfuscate strings used as API parameters for many calls: simply moving them to the stack in 4-byte blocks before the calling a function which uses them as a parameter. @hasherezade made a deobfuscator IDA plugin for this technique.

Function resolution within the packer.Gandcrab 3.0 String Obfuscation - Gandcrab Analysis

Obfuscated string in the payload.Deobfuscated String Gandcrab 3.0 - Gandcrab Analysis

Easter Eggs for Researchers

The packer and payload also contain messages to researchers who made a public impact on Gandcrab, or ransomware in general.

If a file exists in the C:\MalwarebytesLabs directory , a message to Marcelo Rivero pops up.

Fabian Wosar’s name is used as a placeholder string multiple times per sample.
Fabian Wosar Placeholder - Gandcrab Analysis

Communication with the C&C is encrypted with a hardcoded key. Since the release of Gandcrab v2, this key is computed using the string “europol” – the name of the agency partly responsible for creating a decryptor for v1.
Europol String - Gandcrab Analysis

Gandcrab Payload History

Gandcrab v1

The GandCrab payload exhibits stereotypical ransomware behavior: it encrypts user files with a key unique to the victim, and drops ransom notes with instructions to pay the ransom in exchange for the key.

Gandcrab was first publicly discovered by security researcher David Montenegro in late January 2018. In one month the family had over 50,000 victims. Unusually, the ransom needed to be payed in the crypto-currency DASH, now they also accept bitcoin. We analyzed GandCrab v1 in our January Malware Analysis recap blog.

At the end of February, a decryptor was published for GandCrab v1 in a joint effort by the Romanian Police (IGPR), Bitdefender and Europol.

Gandcrab v2

On March 5th, just a week after the decryptor was released, a new Gandcrab version was spotted by @MalwareHunterTeam. The decryptor from the previous week doesn’t work with the newer version. It also uses a new extension (.CRAB), has different hardcoded domains, and moves the code to a DLL. It also looks for kernel-mode components of Antivirus software.

Internal Version and Ransom Note
Gandcrab’s ransom notes contain a version number, and the payload contains another, “internal” version number, which is sent over the network when connecting to the C&C. Most often these two version numbers don’t match (see example below where the ransom note indicates version 2.1).

Ransom Note v2.1 - Gandcrab Analysis
Sample SHA256: 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f).

Internal version number reported to the C&C for the same sample is 2.3.2.

Internal Version Number - Gandcrab Analysis

Gandcrab v3

A Gandcrab sample with internal version 3.0.0 was spotted on Apr 23 by @nao_sec, later followed by v3.0.1 first published by @zsawei on May 9th. Version 3.0.0 added support for changing the wallpaper.

Gandcrab Wallpaper Change - Gandcrab Analysis

Discrepancies Between v3.0.0 Samples

It was observed that two samples with the same internal version number (3.0.0) had different capabilities: one of the samples injects its payload into a new svchost process while another one doesn’t start a new process, but can now change the wallpaper.

Gandcrab v3.0.1

View the VMRay Analyzer Report

Packed sample: 8a1e66b4834499dacc24abb27733c387733d919070fc504b14ee865678952559
Unpacked DLL: e9bfa9691b48a75fa917a37290cb32b02ded3ae60dab4bcd625e8f390fd345a1

Usually the single difference between v3.0.0 payloads and v3.0.1 payloads is the user agent, and everything else is the same.

User Agent - Gandcrab Analysis

Old User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
The new User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Everything else is the same.
User Agent (2) - Gandcrab Analysis

Discrepancies Between v3.0.1 Samples

The sample discovered by @zsawei was very different — it was compiled without certain functions, which have been there in previous versions: wallpaper changing, autorun, search for kernel-mode antivirus.

Missing functions:
Missing Kernel Functions - Gandcrab Analysis

Packed sample: 5ab28933afa89bd0924ed45538b753cd260d0a6cec76eeca30d040476cf6d363
Unpacked DLL: 03b73dfe73dc7f9191e0c3a34801dd0e906b3ba8c77de76681a23a7c34cb5133

Payload Control Flow

Most of Gandcrab’s activity is constant through the versions. The screenshots below show Gandcrab v3’s control flow:

Data collection and preparation

Gandcrab first collects data about the system and generates private and public keys.
Domain
Queries the domain the system belongs to.
Gandcrab v3 Queries to Domain - Gandcrab Analysis

Processor Name
Queries the processor name and type.
Gandcrab v3 Queries the Processor - Gandcrab Analysis

Mutex
Generates the ransom ID and creates a mutex.
Gandcrab v3 Generates Ransom ID - Gandcrab Analysis
Gandcrab v3 Creates Mutex- Gandcrab Analysis

Kernel-Mode AV
Since v2.0 the malware starts a thread to look for kernel-mode antivirus components.
Gandcrab v2 Looking for AV Components - Gandcrab Analysis
List of detected kernel-mode AV-components:

  • klif.sys (Kaspersky)
  • kl1.sys (Kaspersky)
  • fsdfw.sys (F-Secure)
  • srtsp.sys (Symantec)
  • srtsp64.sys (Symantec)
  • NavEx15.sys (Symantec)
  • NavEng.sys (Symantec)

Kernel-Mode AV - Gandcrab Analysis

Closing Processes
Samples contain a list of hardcoded process names, which are terminated before encryption starts. Otherwise the processes could have open handles to important files, and the ransomware wouldn’t be able to encrypt them.
Hardcoded Process Names - Gandcrab Analysis
List of closed processes, constant through versions:

  • msftesql.exe
  • sqlagent.exe
  • sqlbrowser.exe
  • sqlservr.exe
  • sqlwriter.exe
  • oracle.exe
  • ocssd.exe
  • dbsnmp.exe
  • synctime.exe
  • mydesktopqos.exe
  • agntsvc.exeisqlplussvc.exe
  • xfssvccon.exe
  • mydesktopservice.exe
  • ocautoupds.exe
  • agntsvc.exeagntsvc.exe
  • agntsvc.exeencsvc.exe
  • firefoxconfig.exe
  • tbirdconfig.exe
  • ocomm.exe
  • mysqld.exe
  • mysqld-nt.exe
  • mysqld-opt.exe
  • dbeng50.exe
  • sqbcoreservice.exe
  • excel.exe
  • infopath.exe
  • msaccess.exe
  • mspub.exe
  • onenote.exe
  • outlook.exe
  • powerpnt.exe
  • steam.exe
  • sqlservr.exe
  • thebat.exe
  • thebat64.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe

Autorun
The sample adds itself to autorun via a registry key.Autorun via Registry Key- Gandcrab Analysis

Key Generation
A private and public key is generated.
Private-Public Key Generated

Keyboard Layout
The sample queries the keyboard layout, but only stores if it is Russian or not.
Queries Keyboard Layout

Windows Product Layout
Queries the Windows product name.
Queries Windows Product Name - Gandcrab Analysis

Processor Architecture:
Queries processor architecture.
Queries Processor Architecture - Gandcrab Analysis

Collects Running Antivirus Processes:
Compares running processes with a hardcoded list of antivirus process names.
Hardedcoded AV Process Names - Gandcrab Analysis

List of detected antivirus processes, constant through all versions:

  • AVP.EXE
  • ekrn.exe
  • avgnt.exe
  • ashDisp.exe
  • NortonAntiBot.exe
  • Mcshield.exe
  • avengine.exe
  • cmdagent.exe
  • smc.exe
  • persfw.exe
  • pccpfw.exe
  • fsguiexe.exe
  • cfp.exe
  • msmpeng.exe

Iterate Through all Drives
The malware iterates through all letters, to check which drives exist.
Gandcrab Iterates Through All Letters - Gandcrab Analysis

If the drive exists, it queries and stores free and used disk space.
Queries-Stores Free-Used Disk Space - Gandcrab Analysis

IP Address
The malware uses whatismyipaddress.com to query the machine’s IP.
whatismyipaddress.com - Gandcrab Analysis

C&C Check-ins
The samples have their C&C server names hardcoded, and use the .bit TLD. Since .bit addresses cannot be resolved by most DNS servers, Gandcrab uses nslookup to resolve the IP addresses. The hardcoded C&C servers and DNS names change from version-to-version.
C&C Values Hardcoded - Gandcrab Analysis

The data collected in the previous steps is encrypted with a hardcoded key, and then POST-ed to the C&C server. The sent data also contains the internal version of the ransomware.
Data Contains Internal Version of Gandcrab - Gandcrab Analysis

The server responds, and encryption starts. After the encryption the sample does another check-in to notify the C&C about the successful encryption.

Encryption
C&C Encryption Notification - Gandcrab Analysis

A new thread iterates the drive using FindFirstFile – FindNextFile and encrypts the files which have the right extension.

Encrypts with Correct Extension - Gandcrab Analysis

Shadow Copy Removal
After encryption, the sample removes shadow copies, using wmic on Vista and later, and vssadmin on XP and earlier.

Removes Shadow Copies - Gandcrab Analysis

Wallpaper
Changing the wallpaper is a new feature in v3.

Gandcrab 3.0 Wallpaper - Gandcrab Analysis

The wallpaper is not hardcoded inside the sample, it’s drawn at runtime using the DrawText function.

Wallpaper Drawn Using DrawText - Gandcrab Analysis

The wallpaper file is dropped in the temp folder, and the wallpaper is then changed with SystemParametersInfo.

Wallpaper File Dropped - Gandcrab Analysis

Reboot
Finally, the sample sets a reboot in 60 seconds and opens the download page for the Tor browser.
Gandcrab Sets Reboot - Gandcrab Analysis

Conclusion

Although GandCrab is not a sophisticated piece of malware, it is used in widespread and frequent campaigns via different distribution methods. The family reacts quickly to changes like the decryptor for the v1 version, and adds new features often, making it one of the most prevalent malware families in 2018.

Samples

Gandcrab v1.0
January Malware Analysis recap blog
Gandcrab sample: 69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d
Unpacked: 0c0def0788b5f946bb2d1a83d883d474550353c98eaffb4456d651cb4bcc3bd9
JS dropping v1.2.0
VMRay Analyzer Report
Dropper: b4b6f6c2588001e5b95eed79faf99a92b9d9224f65af6a92e055ddfb145a1ecc
Dropped Gandcrab sample: 063cf82cd52acb6a0539a6ff59f72fb5de473293a06c470a92c6d35a151b73e9
Unpacked DLL: ed8875c88bf061f45601629fbb3faa9f5b9ea4a076ba5a7accd566dc40862072
DOC dropping v2.3.1
VMRay Analyzer Report
Dropper: 99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809
Dropped Gandcrab sample: 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f
Unpacked DLL: f93379f495ce3c025b8f2ad59779d2de28f00a25b6206572522a71028f925f01
JS dropping v3.0.0
VMRay Analyzer Report
Dropper: e7851a1b3e93968e7f6b92a1a3f59d250402be15a5bcb3262acff1e0a27b912c
Dropped Gandcrab sample: 6a8d922e34de35ac074b7de54d71227fb1a1ed92b9cfbc4daf8d64a9c5bc46b8
Unpacked DLL: 67c50459db7f0042d7e1a96ce113e60f0179978dfe810bdb0f5320a092ce3b71
Grandsoft EK dropping v3.0.0
VMRay Analyzer Report
Exploit: a67a98047097f2249eba7a31138efde45f3c02a3f7f46d3a9de85d630da7cd94
Dropped Gandcrab sample: 6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff
Injected DLL: 469961813372d2a3645cf9927c983f5d661e2a60589425d9259e7658de63a181
RIG EK dropping v3.0.1
VMRay Analyzer Report
Exploit (swf): ad5dbe133677c987f95fc890ab37a48d9d2f9324a53356affd078e26d3cbb8fc
Downloader (js): 7fab866ce5474e690a06ca556c76e63a3c3c184ae493fce03bb2a839ef7ef725
Dropped Gandcrab sample: c0db3c329592294a81f23c37e701a189110913c17d1371bc625a3eae97f37a94
Unpacked DLL: 243cafdc3582a750537fb7a4ba4e9640f4142f385478c106514bae0d736f462e
Regular Gandcrab v3.0.1 payload
VMRay Analyzer Report
Gandcrab sample: 8a1e66b4834499dacc24abb27733c387733d919070fc504b14ee865678952559
Unpacked DLL: e9bfa9691b48a75fa917a37290cb32b02ded3ae60dab4bcd625e8f390fd345a1
Gandcrab v3.0.1 payload with missing features
VMRay Analyzer Report
Gandcrab sample: 5ab28933afa89bd0924ed45538b753cd260d0a6cec76eeca30d040476cf6d363
Unpacked DLL: 03b73dfe73dc7f9191e0c3a34801dd0e906b3ba8c77de76681a23a7c34cb5133
Encrypted doc dropping Gandcrab v3.0.1
VMRay Analyzer Report
E-mail: b4d0b03ca50f013b4f0f9efc2ecd822bfc13325356100f2f4d36eaf217d9077b
Dropper (password 123123): be54bb05adbda29316ba03d61b3365d8a03e1121a39ae492078787aff4f1248f
Gandcrab sample: 589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac
Unpacked DLL: 229275aa89ea8d39b3cc721d45d51d50707339b64afddde99119ebdf50ef6770