{"id":2874,"date":"2024-09-25T20:17:31","date_gmt":"2024-09-25T20:17:31","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2874"},"modified":"2025-07-29T05:53:33","modified_gmt":"2025-07-29T05:53:33","slug":"gandcrab-ransomware-scuttles-files-demands-tor-download-to-retrieve-files","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/gandcrab-ransomware-scuttles-files-demands-tor-download-to-retrieve-files\/","title":{"rendered":"GandCrab ransomware scuttles files, demands TOR download to retrieve files"},"content":{"rendered":"
\n
\"crabs\"<\/figure>\n<\/div>\n\n\n

Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels. \u00a0

The sample we discovered for analysis is: 5d53050a1509bcc9d97552fa52c1105b51967f4ccf2bde717b502605db1b5011

File size: 129 KB

Infection<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 Ransom_GANDCRAB detection<\/em>

Versions and resources of both the files are same:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2 Resource -Icon of the file<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3 Versions details of both\u00a0the ransomware samples<\/em>

Encryption<\/strong>

We loaded the sample in our debugger to further explore the malware\u2019s behaviour:

00401424 \u00a0 |. \u00a0FF15 54F04000 \u00a0CALL DWORD PTR DS:[<&KERNEL32.GlobalAlloc>] \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0; \\GlobalAlloc

GlobalAlloc functions are used in memory management, mostly in decrypting or decoding the codes in the file.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 4 decoding functions<\/em><\/p>\n\n\n\n

We traversed to the highlighted subroutines in the above snapshot: Address 4011F1. When we execute all those instructions, we arrived at the below location:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Figure 5 Jmp to decrypting code<\/em>

After further debugging the code, we found the file included a number of anti-debugging tricks:<\/p>\n\n\n\n

0405927: call dword ptr [0040F0CCh]    \/\/IsDebuggerPresent@KERNEL32.DLL <\/strong><\/td><\/tr>
040592d: mov dword ptr [004153B8h], eax<\/td><\/tr>
040593a: push 00000000h <\/td><\/tr>
040593c: call dword ptr [0040F0C8h]   \/\/SetUnhandledExceptionFilter@KERNEL32.DLL <\/strong><\/td><\/tr>
0405942: push 0040F530h <\/td><\/tr>
0405947: call dword ptr [0040F0C4h]    \/\/UnhandledExceptionFilter@KERNEL32.DLL <\/strong><\/td><\/tr>
040594d: cmp dword ptr [004153B8h], 00000000h <\/td><\/tr>
0405954: jne 0040595Eh<\/td><\/tr>
0405956: push 00000001h <\/td><\/tr>
0405958: call 00409B47h<\/td><\/tr>
040595d: pop ecx <\/td><\/tr>
040595e: push C0000409h <\/td><\/tr>
0405963: call dword ptr [0040F0C0h]    \/\/GetCurrentProcess@KERNEL32.DLL <\/strong><\/td><\/tr>
0405969: push eax <\/td><\/tr>
040596a: call dword ptr [0040F068h]   \/\/TerminateProcess@KERNEL32.DLL<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

The above code all centres on anti-debugging tricks. We also observed multiple network-related artefacts in the code:<\/p>\n\n\n\n

0406ddb: push dword ptr [esi+04h] <\/td><\/tr>
0406dde: call dword ptr [004091D0h]   \/\/InternetConnectW@WININET.DLL <\/td><\/tr>
0406e2a: push 00410938h    \/\/HTTP\/1.1 <\/td><\/tr>
0406e30: push dword ptr [ebp+28h] <\/td><\/tr>
0406e34: call dword ptr [004091C4h]    \/\/HttpOpenRequestW@WININET.DLL <\/td><\/tr>
0406e4d: call dword ptr [004091C0h]    \/\/HttpSendRequestW@WININET.DLL <\/td><\/tr>
0406e96: call dword ptr [004091D4h]    \/\/InternetReadFile@WININET.DLL <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

These instructions are picked selectively to spot network connection calls. During our analysis, we observed the malware contact the following domains:

\u2022    ipv4bot.whatismyipaddress.com \u2013 this is used to detect the network\u2019s IP address.

\u2022    a.dnspod(.)com \u2013 we checked this in Virustotal which Fortinet AV flagged as malware.

Registry entries and file creation:<\/strong>

A duplicate MD5 of the parent file is dropped in the %appdata%\\Microsoft folder with a random name.<\/p>\n\n\n\n

C:\\Documents and Settings\\UserName\\Application Data\\Microsoft\\wgpspj.exe<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

And same file is targeted in the created registry key:<\/p>\n\n\n\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce “ulclieptfog”
Type: REG_SZ
Data: “C:\\Documents and Settings\\UserName\\Application Data\\Microsoft\\wgpspj.exe”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

To find the randomness of the file name and registry key value, we reverted to the clean state before executing the file. A duplicate file gets created with <random name.exe>. The \u2018Runonce\u2019 key\u2019s value part is also randomly generated. An example is below:<\/p>\n\n\n\n

C:\\Documents and Settings\\UserName\\Application Data\\Microsoft\\<random file name.exe><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Random value:<\/p>\n\n\n\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce “<random value part>”
Type: REG_SZ
Data: “C:\\Documents and Settings\\UserName\\Application Data\\Microsoft\\<random file name.exe>”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

In %appdata% location, the malware drops a text file called \u2018GDCB-DECRYPT.txt\u2019. This contains the malware\u2019s ransom note. The user is instructed to purchase a private key after downloading the Tor browser:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 6 GDGB-DECRYPT.txt<\/em>

Threat Indicators \u2013 IOC details<\/strong>

File Hashes:

SHA 256: 5d53050a1509bcc9d97552fa52c1105b51967f4ccf2bde717b502605db1b5011

Malicious domain:

a.dnspod(.)com

TOR Link:

hxxp:\/\/gdcbghvjyqy7jclk.onion.top\/259a4fdc3766943

hxxp:\/\/ gdcbghvjyqy7jclk.onion.casa\/259a4fdc3766943

hxxp:\/\/gdcbghvjyqy7jclk.onion.guide\/259a4fdc3766943

File extension added by this variant of ransomware:

.GDCB

Registry key:

Key: HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE” \u00a0

Value: “Random value name on each execution”

Physical location: %appdata% under <Microsoft folder> <Random file name on each execution>

Conclusion<\/strong>

We advise users to apply the IOC details and set alerts in order to prevent infection. Further, users should always exercise caution when receiving attachments from unknown users.\u00a0

Updated anti-malware with anti-ransomware modules can also help combat ransomware attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"

Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.   The sample we discovered for analysis is: 5d53050a1509bcc9d97552fa52c1105b51967f4ccf2bde717b502605db1b5011 File size: 129 KB Infection Figure 1 Ransom_GANDCRAB detection Versions and resources of both the files are same: Figure 2 […]<\/p>\n","protected":false},"author":1,"featured_media":2881,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2874","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2874"}],"version-history":[{"count":6,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2874\/revisions"}],"predecessor-version":[{"id":4297,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2874\/revisions\/4297"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2881"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2874"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2874"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}