# The Evolution of GandCrab Ransomware **[vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/](http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/)** _[Editor’s Note: This post was updated on July 9th, 2018 with analysis of Gandcrab v4]_ Like legitimate commercial software, commercial malware also needs a viable business model. For ransomware, the most popular business model is now Ransomware-as-a-Service (RaaS). RaaS focuses on selling ransomware as an easy-to-use service, opening up a broader market of non-technical attackers. Many ransomware developers now focus on developing and maintaining a service which allows their affiliates (customers) to start attacks with just a few clicks. In the past few months, the RaaS-space was dominated by a relatively new malware family: GandCrab. ## Gandcrab’s Distribution Methods We’ve seen Gandcrab being distributed using two primary methods: Javascript and Doc downloaders attached to e-mails Drive-by download using exploit kits ### Javascript Droppers **Javascript Dropper #1** [View the VMRay Analyzer Report](https://www.vmray.com/analyses/javascript-dropper-gandcrab-analysis-1/report/overview.html) ----- A common distribution method is zipped Javascript droppers attached to emails. After deobfuscating itself the javascript executes a Powershell one-liner to download and execute a file, Gandcrab v2 (internal version 1.2.0). Dropper: `b4b6f6c2588001e5b95eed79faf99a92b9d9224f65af6a92e055ddfb145a1ecc` Dropped Gandcrab v1.2.0: ``` 063cf82cd52acb6a0539a6ff59f72fb5de473293a06c470a92c6d35a151b73e9 ``` Unpacked DLL: ``` ed8875c88bf061f45601629fbb3faa9f5b9ea4a076ba5a7accd566dc40862072 ``` ### Javascript Dropper #2 [View the VMRay Analyzer Report](https://www.vmray.com/analyses/javascript-dropper-gandcrab-analysis-2/report/overview.html) Javascript Dropper #2 doesn’t use PowerShell. Instead, it downloads the file and executes it directly. The payload is Gandcrab v3 (internal version 3.3.0). Dropper: `e7851a1b3e93968e7f6b92a1a3f59d250402be15a5bcb3262acff1e0a27b912c` Dropped Gandcrab v3.0.0: ``` 6a8d922e34de35ac074b7de54d71227fb1a1ed92b9cfbc4daf8d64a9c5bc46b8 ``` Unpacked DLL: ``` 67c50459db7f0042d7e1a96ce113e60f0179978dfe810bdb0f5320a092ce3b71 ``` ### Doc Droppers **Doc Dropper** [View the VMRay Analyzer Report](https://www.vmray.com/analyses/doc-dropper-gandcrab-analysis/report/overview.html) ----- Doc Droppers use the same logic as the Javascript Droppers, but implemented in VBA. This sample contains an 800 line VBA script like this snippet: The end result is another PowerShell one-liner, which downloads an EXE to a temporary directory, and executes it. Dropper: `99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809` Dropped Gandcrab v2.3.1: ``` 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f ``` Unpacked DLL: ``` f93379f495ce3c025b8f2ad59779d2de28f00a25b6206572522a71028f925f01 ``` **Encrypted Doc Dropper** [View the VMRay Analyzer Report](http://www.vmray.com/analyses/encrypted-doc-gandcrab-3-0-1-analysis/report/overview.html) A more recent spam campaign used encrypted doc files, with the emails containing the password to open the doc: 123123. This dropper executed the sample (Gandcrab v3.0.1) directly with VBA, without Powershell. ----- E-mail: `b4d0b03ca50f013b4f0f9efc2ecd822bfc13325356100f2f4d36eaf217d9077b` Dropper: `be54bb05adbda29316ba03d61b3365d8a03e1121a39ae492078787aff4f1248f` Dropped Gandcrab v3.0.1: ``` 589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac ``` Unpacked DLL: ``` 229275aa89ea8d39b3cc721d45d51d50707339b64afddde99119ebdf50ef6770 ``` ### Exploit Kits Attackers also used multiple exploit kits: Grandsoft, RIG and Magnitude. Using a browser exploit kit is a tradeoff from the attacker’s point-of-view. If the victim has an unpatched version of browser or flash player, they only need to click a link to get infected. It is much easier for the attacker to get someone to click a link than to get them to download and execute a file — but the attack won’t work if the potential victim has even roughly up-todate software. ### RIG EK [View the VMRay Analyzer Report](https://www.vmray.com/analyses/rig-exploit-kit-gandcrab-3-0-1-analysis/report/overview.html) RIG is a popular exploit kit, which has recently been updated with a newer Flash exploit [(CVE-2018-4878). It used the new exploit for dropping Gandcrab, observed on April 9 by](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4878) [@nao_sec.](https://twitter.com/nao_sec) ----- As visible on the sandbox report and the packet capture, this attack vector exploited Adobe Flash Player, downloaded and executed Gandcrab v3.0.1. RIG used the Flash exploit for CVE-2018-4878. This happened before a new exploit for an Internet Explorer vulnerability (CVE-2018-8174) was implemented in RIG. CVE-2018-4878 is also a relatively new vulnerability – on February 1st Adobe released a bulletin, informing users that a Flash player zero-day is being used in the wild, and followed up with a patch on February 6th. The exploit uses a use-after-free bug in Flash Player’s DRM implementation. The downloaded SWF file is partly obfuscated, but it contains some debug symbols, making some key parts of the exploit easy to spot, like the class `UAFGenerator .` ----- The payload of the exploit is visible in the sandbox report – cmd.exe is called to drop and execute a javascript downloader. Even after a little bit of deobfuscation, the downloader activity becomes clear: ----- The downloaded file is dropped in the %TEMP% directory with the name b**.exe, where ** is a number in the [0, 56] range. At the end the dropper executes the downloaded Gandcrab v3.0.1 payload. Exploit (swf): ``` ad5dbe133677c987f95fc890ab37a48d9d2f9324a53356affd078e26d3cbb8fc ``` Downloader (js): ``` 7fab866ce5474e690a06ca556c76e63a3c3c184ae493fce03bb2a839ef7ef725 ``` Dropped GandCrab v3.0.1: ``` c0db3c329592294a81f23c37e701a189110913c17d1371bc625a3eae97f37a94 ``` Unpacked DLL: ``` 243cafdc3582a750537fb7a4ba4e9640f4142f385478c106514bae0d736f462e ``` ### Grandsoft EK [View the VMRay Analyzer Report](https://www.vmray.com/analyses/grandsoft-exploit-kit-gandcrab-analysis/report/overview.html) Grandsoft is an exploit kit which is used far less frequently, it made a comeback with dropping GandCrab, spotted on January 30 by [@kafeine.](https://twitter.com/kafeine) ----- [Hello again GrandSoft EK. Dropping … GandCrab pic.twitter.com/yfjzju16KG](https://t.co/yfjzju16KG) [— Kafeine (@kafeine) 30 January 2018](https://twitter.com/kafeine/status/958298409944920064?ref_src=twsrc%5Etfw) The attack is visible in the VMRay Analyzer Report: For an old Internet Explorer version, the exploit kit served CVE-2016-0189, an exploit of a memory corruption vulnerability in Internet Explorer’s vbscript.dll. This is an old vulnerability, patched in May 2016, which allows running arbitrary vbscript code on unpatched systems. The VBS exploit code is obfuscated, but still readable. The downloader is in the fire() function. It first downloads the file (See Figure below): It then executes the downloaded file, depending on its extension: ----- The full control flow shows the exploited Internet Explorer process downloaded an exe file (Gandcrab v2.1, internal version 3.0.0), and executed it with cmd.exe. The Process Graph shows the Gandcrab packer injected its DLL payload into svchost.exe. Exploit: `a67a98047097f2249eba7a31138efde45f3c02a3f7f46d3a9de85d630da7cd94` Dropped file: ``` 6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff ``` Injected dll: `469961813372d2a3645cf9927c983f5d661e2a60589425d9259e7658de63a181` ### Packer Gandcrab uses its own packer, which has only changed a little through all the versions. **Sandbox Evasion: API hammering** Even the first versions of Gandcrab used API hammering, a very simple sandbox evasion technique. The technique calls an API function in a loop, hoping the analysis will time out before reaching any malicious behavior. This can be effective against sandboxes which handle the loop slowly – the slower a sandbox is, the more dramatic are the effects of API hammering. Gandcrab’s packer often mixes the technique with one of the two following techniques: ----- 1. Doing something in the loop that s necessary for the execution to continue. This ensures that the loop can’t simply be detected as unnecessary and skipped automatically. 2. Loop cycles where no APIs are called. Each version of the Gandcrab packer uses different API functions, and iteration numbers, but the principle is the same. In this v1.0 sample the loop is repeated 200 million times, but only one of its iterations is useful: _Sample_ _SHA256: 69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d_ In this v3.0.0 sample the loop gets the temp path and allocates memory, but takes 5 million loops to do it: ----- _Sample_ _SHA256: 6a8d922e34de35ac074b7de54d71227fb1a1ed92b9cfbc4daf8d64a9c5bc46b8_ ### Reflective Loader Gandcrab v2’s (internal version v.1.0.0r), main functionality is moved to a DLL. The DLL’s name is “encryption.dll”, and only exports the entry point, and a function named ReflectiveLoader() . The packer calls the ReflectiveLoader function, loads the DLL and starts the malicious activity which is in DLLMain. The DLL is loaded in the same process for most samples, but with Gandcrab 3.0.0 it was observed injecting the DLL into a newly spawned svchost process. ----- _Sample SHA256: 6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff_ ### String Obfuscation Method The packer and the payload use the same method to obfuscate strings used as API parameters for many calls: simply moving them to the stack in 4-byte blocks before the calling a function which uses them as a parameter. [@hasherezade made a deobfuscator IDA](https://twitter.com/hasherezade?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Ftwitter.com%2Fhasherezade%2Fstatus%2F985999130559381507) plugin for this technique. [#GandCrab string deobfuscator (a script for](https://twitter.com/hashtag/GandCrab?src=hash&ref_src=twsrc%5Etfw) [#IDA):](https://twitter.com/hashtag/IDA?src=hash&ref_src=twsrc%5Etfw) [https://t.co/jzLl1SOLSR](https://t.co/jzLl1SOLSR) [pic.twitter.com/A5tk3uKnch](https://t.co/A5tk3uKnch) [— hasherezade (@hasherezade) 16 April 2018](https://twitter.com/hasherezade/status/985999130559381507?ref_src=twsrc%5Etfw) Function resolution within the packer. Obfuscated string in the payload. ----- ### Easter Eggs for Researchers The packer and payload also contain messages to researchers who made a public impact on Gandcrab, or ransomware in general. [If a file exists in the C:\MalwarebytesLabs directory, a message to Marcelo Rivero pops up.](https://twitter.com/MarceloRivero) Hello, [#GandCrab](https://twitter.com/hashtag/GandCrab?src=hash&ref_src=twsrc%5Etfw) 🙂 [pic.twitter.com/ICHixxoIkI](https://t.co/ICHixxoIkI) [— Marcelo Rivero (@MarceloRivero) 17 April 2018](https://twitter.com/MarceloRivero/status/986045072272691201?ref_src=twsrc%5Etfw) Fabian Wosar’s name is used as a placeholder string multiple times per sample. Communication with the C&C is encrypted with a hardcoded key. Since the release of Gandcrab v2, this key is computed using the string “europol” – the name of the agency partly responsible for creating a decryptor for v1. ----- ### Gandcrab v4 Packer Version 4.0 of Gandcrab rewrites large parts of the ransomware with many previously implemented features missing. The removed features include parts of the packer. The packer doesn’t use the reflective DLL loading method anymore, and reverts to simply replacing parts of its own process in memory. Besides the removal of the DLL loading technique, a new obfuscation technique was added to the beginning of the packer. The technique starts by moving the obfuscated code to the stack in 4-byte blocks, like the string obfuscation method from previous versions. After this, the packer proceeds to use subtractions and additions to deobfuscate the code on the stack. ----- The first samples of v4.1 we’ve seen were unpacked, but later samples were packed with the same packer as v4.0. ### Gandcrab Payload History **Gandcrab v1** The GandCrab payload exhibits stereotypical ransomware behavior: it encrypts user files with a key unique to the victim, and drops ransom notes with instructions to pay the ransom in exchange for the key. Gandcrab was first publicly discovered by security researcher David Montenegro in late January 2018. In one month the family had over 50,000 victims. Unusually, the ransom needed to be payed in the crypto-currency DASH, now they also accept bitcoin. We [analyzed GandCrab v1 in our January Malware Analysis recap blog.](https://www.vmray.com/blog/vmray-malware-analysis-report-recap-january-2018/) At the end of February, a decryptor was published for GandCrab v1 in a joint effort by the Romanian Police (IGPR), Bitdefender and Europol. **Gandcrab v2** ----- On March 5th, just a week after the decryptor was released, a new Gandcrab version was spotted by [@MalwareHunterTeam. The decryptor from the previous week doesn’t work with](https://twitter.com/malwrhunterteam) the newer version. It also uses a new extension (.CRAB), has different hardcoded domains, and moves the code to a DLL. It also looks for kernel-mode components of Antivirus software. [GandCrab2 (“version=1.0.0r”) sample: https://t.co/et7XM5DuzK](https://t.co/et7XM5DuzK) [If someone didn’t understand the previous thread (https://t.co/8iuXk9Phwa), these are](https://t.co/8iuXk9Phwa) [from this.@BleepinComputer](https://twitter.com/BleepinComputer?ref_src=twsrc%5Etfw) [@demonslay335](https://twitter.com/demonslay335?ref_src=twsrc%5Etfw) cc [@MarceloRivero](https://twitter.com/MarceloRivero?ref_src=twsrc%5Etfw) [— MalwareHunterTeam (@malwrhunterteam) 5 March 2018](https://twitter.com/malwrhunterteam/status/970757444241707008?ref_src=twsrc%5Etfw) **Internal Version and Ransom Note** Gandcrab’s ransom notes contain a version number, and the payload contains another, “internal” version number, which is sent over the network when connecting to the C&C. Most often these two version numbers don’t match (see example below where the ransom note indicates version 2.1). _Sample SHA256:_ _846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f)._ Internal version number reported to the C&C for the same sample is 2.3.2. **Gandcrab v3** [A Gandcrab sample with internal version 3.0.0 was spotted on Apr 23 by @nao_sec, later](https://twitter.com/nao_sec/status/988451194573017088?ref_src=twsrc%5Etfw) [followed by v3.0.1 first published by @zsawei on May 9th. Version 3.0.0 added support for](https://twitter.com/zsawei/status/994454718406578176) changing the wallpaper. ----- **Discrepancies Between v3.0.0 Samples** It was observed that two samples with the same internal version number (3.0.0) had different [capabilities: one of the samples injects its payload into a new svchost process while another](https://www.vmray.com/analyses/grandsoft-exploit-kit-gandcrab-analysis/report/overview.html) one doesn’t start a new process, but can now change the wallpaper. **Gandcrab v3.0.1** [View the VMRay Analyzer Report](https://www.vmray.com/analyses/gandcrab-ransomware-3-0-1-analysis/report/overview.html) Packed sample: ``` 8a1e66b4834499dacc24abb27733c387733d919070fc504b14ee865678952559 ``` Unpacked DLL: ``` e9bfa9691b48a75fa917a37290cb32b02ded3ae60dab4bcd625e8f390fd345a1 ``` Usually the single difference between v3.0.0 payloads and v3.0.1 payloads is the user agent, and everything else is the same. ----- Old User Agent: `Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36` ``` (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 ``` The new User Agent: `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)` ``` like Gecko ``` Everything else is the same. ----- **Discrepancies Between v3.0.1 Samples** [The sample discovered by @zsawei was very different — it was compiled without certain](https://twitter.com/zsawei/status/994454718406578176) functions, which have been there in previous versions: wallpaper changing, autorun, search for kernel-mode antivirus. Missing functions: ----- Packed sample: ``` 5ab28933afa89bd0924ed45538b753cd260d0a6cec76eeca30d040476cf6d363 ``` Unpacked DLL: ----- ``` 03b73dfe73dc7f9191e0c3a34801dd0e906b3ba8c77de76681a23a7c34cb5133 ``` **Gandcrab v4** [Gandcrab Version 4.0 appeared in the wild on July 1st, 2018. On July 5th, we found an](https://www.vmray.com/analyses/gandcrab-ransomware-4-0-analysis/report/overview.html) updated v4.1 version. [[#Malware Analysis] New](https://twitter.com/hashtag/Malware?src=hash&ref_src=twsrc%5Etfw) [#Gandcrab sample, internal version 4.1 contacts 36 hosts](https://twitter.com/hashtag/Gandcrab?src=hash&ref_src=twsrc%5Etfw) [https://t.co/SmYaMz4h7W](https://t.co/SmYaMz4h7W) [pic.twitter.com/MTPIBF0rsL](https://t.co/MTPIBF0rsL) — VMRay (@vmray) [5 July 2018](https://twitter.com/vmray/status/1014872871531962369?ref_src=twsrc%5Etfw) Gandcrab v4 has brought many changes from previous versions including modifications replacing most of the code and a focus on quickly encrypting, then disappearing from the system. Below are the changes in v4 from previous versions. The new extension of encrypted files is KRAB, and the ransom note is named KRABDECRYPT.txt The ransom note contains a private and a public key. The keys are also written to the registry in “HKEY_CURRENT_USER\SOFTWARE\keys_data\data” A new encryption algorithm is used. The ransomware now also looks for network shares in a separate thread. Hidden .lock files are dropped into the folders before encrypting contents of the folder Gandcrab v4.0 doesn’t connect a C&C. The ransomware still collects the same data it did on previous versions, (except for the external IP address), and it also creates the string which it would upload to the server, it just doesn’t send it. In v4.1 the C&C connection is back, and it has a URL generation algorithm, replacing the hardcoded URLs seen in v3 ----- ----- ----- The encryption happens on a different thread than the C&C communication, and the files are encrypted even if the C&C could not be connected. Gandcrab removes itself after it’s done. Removed Features: There is no autorun. Gandcrab runs once, then deletes itself. The wallpaper isn’t changed The mutex is not created No kernel-mode AV checking Doesn’t query the machine’s public IP address from ipv4bot.whatismyipaddress.com ### Payload Control Flow Most of Gandcrab’s activity is constant through the versions. The screenshots below show Gandcrab v3’s control flow: **Data collection and preparation** Gandcrab first collects data about the system and generates private and public keys. **Domain** Queries the domain the system belongs to. **Processor Name** Queries the processor name and type. ----- **Mutex** Generates the ransom ID and creates a mutex. This step is skipped in Gandcrab v4. **Kernel-Mode AV** In v2 and v3, Gandcrab starts a thread to look for kernel-mode antivirus components. List of detected kernel-mode AV-components: klif.sys (Kaspersky) kl1.sys (Kaspersky) fsdfw.sys (F-Secure) srtsp.sys (Symantec) srtsp64.sys (Symantec) NavEx15.sys (Symantec) NavEng.sys (Symantec) ----- **Closing Processes** Samples contain a list of hardcoded process names, which are terminated before encryption starts. Otherwise the processes could have open handles to important files, and the ransomware wouldn’t be able to encrypt them. List of closed processes, constant through versions: msftesql.exe sqlagent.exe sqlbrowser.exe sqlservr exe ----- sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe mydesktopqos.exe agntsvc.exeisqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe agntsvc.exeagntsvc.exe agntsvc.exeencsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe excel.exe infopath.exe msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe steam.exe sqlservr.exe thebat.exe thebat64.exe thunderbird.exe visio.exe winword.exe wordpad.exe **Autorun** In v2 and v3, Gandcrab adds itself to autorun via a registry key. ----- **Key Generation** A private and public key is generated. **Keyboard Layout** The sample queries the keyboard layout, but only stores if it is Russian or not. **Windows Product Name** Queries the Windows product name. **Processor Architecture:** Queries processor architecture. **Collects Running Antivirus Processes:** Compares running processes with a hardcoded list of antivirus process names. List of detected antivirus processes, constant through all versions: AVP.EXE ekrn.exe avgnt.exe ----- ashDisp.exe NortonAntiBot.exe Mcshield.exe avengine.exe cmdagent.exe smc.exe persfw.exe pccpfw.exe fsguiexe.exe cfp.exe msmpeng.exe **Iterate Through all Drives** The malware iterates through all letters, to check which drives exist. If the drive exists, it queries and stores free and used disk space. **IP Address** The malware uses whatismyipaddress.com to query the machine’s IP before v4. ----- **C&C Check-ins** Before v4 the samples have their C&C server names hardcoded, and use the `.bit` TLD. Since .bit addresses cannot be resolved by most DNS servers, Gandcrab uses nslookup to resolve the IP addresses. The hardcoded C&C servers and DNS names change from version-to-version. In v4.0 there is no C&C communication at all, and in v4.1 the URLs are generated by the malware, instead of being completely hardcoded. The data collected in the previous steps is encrypted with a hardcoded key, and then POSTed to the C&C server. The sent data also contains the internal version of the ransomware. The server responds, and encryption starts. After the encryption the sample does another check-in to notify the C&C about the successful encryption. **Encryption** A new thread iterates the drive using FindFirstFile – FindNextFile and encrypts the files which have the right extension. ----- **Shadow Copy Removal** After encryption, the sample removes shadow copies, using wmic on Vista and later, and vssadmin on XP and earlier. ----- **Wallpaper** Wallpaper changing was a new feature in v3, which was later removed in v4. ----- The wallpaper is not hardcoded inside the sample, it’s drawn at runtime using the DrawText function. The wallpaper file is dropped in the temp folder, and the wallpaper is then changed with SystemParametersInfo. **Reboot** Finally, the sample sets a reboot in 60 seconds and opens the download page for the Tor browser. The reboot and browser opening is removed from Gandcrab v4. Since v4, the malware instead removes itself after it’s done. ----- ## Conclusion Although GandCrab is not a sophisticated piece of malware, it is used in widespread and frequent campaigns via different distribution methods. The family reacts quickly to changes like the decryptor for the v1 version, and adds new features often, making it one of the most prevalent malware families in 2018. ### Samples **Gandcrab v1.0** [January Malware Analysis recap blog](https://www.vmray.com/blog/vmray-malware-analysis-report-recap-january-2018/) Gandcrab sample: 69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d Unpacked: 0c0def0788b5f946bb2d1a83d883d474550353c98eaffb4456d651cb4bcc3bd9 **JS dropping v1.2.0** [VMRay Analyzer Report](https://www.vmray.com/analyses/javascript-dropper-gandcrab-analysis-1/report/overview.html) Dropper: b4b6f6c2588001e5b95eed79faf99a92b9d9224f65af6a92e055ddfb145a1ecc Dropped Gandcrab sample: 063cf82cd52acb6a0539a6ff59f72fb5de473293a06c470a92c6d35a151b73e9 Unpacked DLL: ed8875c88bf061f45601629fbb3faa9f5b9ea4a076ba5a7accd566dc40862072 **DOC dropping v2.3.1** [VMRay Analyzer Report](https://www.vmray.com/analyses/doc-dropper-gandcrab-analysis/report/overview.html) Dropper: 99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809 Dropped Gandcrab sample: 846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f Unpacked DLL: f93379f495ce3c025b8f2ad59779d2de28f00a25b6206572522a71028f925f01 **JS dropping v3.0.0** [VMRay Analyzer Report](https://www.vmray.com/analyses/javascript-dropper-gandcrab-analysis-2/report/overview.html) Dropper: e7851a1b3e93968e7f6b92a1a3f59d250402be15a5bcb3262acff1e0a27b912c Dropped Gandcrab sample: 6a8d922e34de35ac074b7de54d71227fb1a1ed92b9cfbc4daf8d64a9c5bc46b8 Unpacked DLL: 67c50459db7f0042d7e1a96ce113e60f0179978dfe810bdb0f5320a092ce3b71 **Grandsoft EK dropping v3.0.0** [VMRay Analyzer Report](https://www.vmray.com/analyses/grandsoft-exploit-kit-gandcrab-analysis/report/overview.html) Exploit: a67a98047097f2249eba7a31138efde45f3c02a3f7f46d3a9de85d630da7cd94 Dropped Gandcrab sample: 6fafe7bb56fd2696f2243fc305fe0c38f550dffcfc5fca04f70398880570ffff ----- Injected DLL: 469961813372d2a3645cf9927c983f5d661e2a60589425d9259e7658de63a181 **RIG EK dropping v3.0.1** [VMRay Analyzer Report](https://www.vmray.com/analyses/rig-exploit-kit-gandcrab-3-0-1-analysis/report/overview.html) Exploit (swf): ad5dbe133677c987f95fc890ab37a48d9d2f9324a53356affd078e26d3cbb8fc Downloader (js): 7fab866ce5474e690a06ca556c76e63a3c3c184ae493fce03bb2a839ef7ef725 Dropped Gandcrab sample: c0db3c329592294a81f23c37e701a189110913c17d1371bc625a3eae97f37a94 Unpacked DLL: 243cafdc3582a750537fb7a4ba4e9640f4142f385478c106514bae0d736f462e **Regular Gandcrab v3.0.1 payload** [VMRay Analyzer Report](https://www.vmray.com/analyses/gandcrab-ransomware-3-0-1-analysis/report/overview.html) Gandcrab sample: 8a1e66b4834499dacc24abb27733c387733d919070fc504b14ee865678952559 Unpacked DLL: e9bfa9691b48a75fa917a37290cb32b02ded3ae60dab4bcd625e8f390fd345a1 **Gandcrab v3.0.1 payload with missing features** [VMRay Analyzer Report](https://www.vmray.com/analyses/gandcrab-3-0-1-payload-missing-features-analysis/report/overview.html) Gandcrab sample: 5ab28933afa89bd0924ed45538b753cd260d0a6cec76eeca30d040476cf6d363 Unpacked DLL: 03b73dfe73dc7f9191e0c3a34801dd0e906b3ba8c77de76681a23a7c34cb5133 **Encrypted doc dropping Gandcrab v3.0.1** [VMRay Analyzer Report](https://www.vmray.com/analyses/encrypted-doc-gandcrab-3-0-1-analysis/report/overview.html) E-mail: b4d0b03ca50f013b4f0f9efc2ecd822bfc13325356100f2f4d36eaf217d9077b Dropper (password 123123): be54bb05adbda29316ba03d61b3365d8a03e1121a39ae492078787aff4f1248f Gandcrab sample: 589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac Unpacked DLL: 229275aa89ea8d39b3cc721d45d51d50707339b64afddde99119ebdf50ef6770 **Gandcrab v4.0** [VMRay Analyzer Report](https://www.vmray.com/analyses/gandcrab-ransomware-4-0-analysis/report/overview.html) Gandcrab sample: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23 Unpacked: 786e3c693fcdf55466fd6e5446de7cfeb58a4311442e0bc99ce0b0985c77b45d **Gandcrab v4.1** [VMRay Analyzer Report](https://www.vmray.com/analyses/gandcrab-ransomware-4-1-analysis/report/overview.html) First public samples (unpacked): 8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1 e454123d852e6a40eed1f2552e1a1ad3c00991541d812fbf24b70611bd1ec40a 6987fd73457ac0b5c245886532b1bdf5d58cb43890e04b706ebba44727403311 ----- **Later v4.1 Sample** Packed: 06ee45a770fa1a88b62d28059c2c44310f7ff56edbdaf35a0b9c44f2a4e57536 Unpacked: f5e74d939a5b329dddc94b75bd770d11c8f9cc3a640dccd8dff765b6997809f2 -----