Thursday, November 8, 2018

R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The Eye'

GandCrab is one of the known ransomware in the wild that keeps on updating, Actually in past few days security researchers found out that a new version was released. While analyzing this file, the malware artifacts that download the said new version of GandCrab shown by great security website malware-traffic-analysis  catches my interest. So I unpacked the code and analyze it and interestingly it is not only a downloader but also contain some "anti Sanbox/VM technique" function, bypassing firewall and Windows Defender, embedding itself to rar archive files, worm capabilities via removable drives and many more. So lets dig more to its code... :)

Checking Sandbox and Virtual Machine Process and Module Names:

This  Malware Downloader can checks whether  its file is running in a sandbox or virtual machine, by checking 16 process name hard coded to its code. (interestingly it includes "python.exe" to its checking, since python is known common scripting tools used in malware sandbox :) ). If one of those process was found in infected machine it will end its process by call ExitProcess API.

fig. 1 - SandBox/VM ProcessName it checks

fig. 2 - Enumerating Running Process

It also checks some modules or module exported API to detect sandbox environment. example it checks if "kernel32.dll" contains "wine_get_unix_file_name" exported API, because this export function is common in wine software designed for executing windows application in unix which is common in some linux base malware sandbox. if this exported api found, exit the process

fig. 3 - checking the "wine_get_unix_file_name" API

It can also check sandboxie or sysanalyzer environment by checking some modules in the infected machine. By using GetModuleHandle API to check whether the API is available. If the API returns handle then it means that its code is running in the said environment then it will exit the process.

fig. 4 - sandbox modules
fig. 5 - for loop in checking sandbox modules

It also CreateMutex Name "75969590" to make sure only one instance of its code is running in the system.

create %regrun% key to persist on the infected machine.

Bypassing Firewall and Windows Defender Anti-Virus:

This GandCrab component bypassed the firewall by adding the path of copy of itself  "%windir%\T80870405687060\winsvcs.exe" with hidden attribute to the "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"

Then to bypass Windows Defender and disable system restore, it tries to enable some registry entry that disable some features of the said AV including system restore disabling:

fig. 6 - bypassing Windows Defender and disabling system restore

Deleting Download Meta-Information finger print:

It will delete the "<malware-process.exe>"zone.identifier"ADS, which is the meta-information to track that the file is downloaded from internet.

fig. 7 - deleting zone.identifier meta-information

Propagation Via Removable Drive:

After Bypassing Windows Defender, it will execute 3 separate Threads. The first Thread is responsible for propagating via removable drives.The thread contain an infinite while loop that looking for removable drive that may attach to the infected machine but not "A:\" or "B:\" with 1 second sleep.

fig. 8 - Worm propagation through removable drives

If removable drives was found during this scan it will call the function that will do the actual worm propagation. The said function will create a ".lnk" with map drive icon that are pointing to another copy of itself "DeviceManager.exe" place to the new directory "_" it creates in hidden attribute. this technique may lure the user to click the .lnk file that looks like map drive to execute its code, aside from that it also create autorun.inf that execute the said copy of itself upon opening the removable drive.

fig. 9 - worm component

fig. 10 - building the fake .lnk and the autorun.inf file\

fig. 11 - the fake .lnk file: %windir%\system32\cmd.exe /c start _ & _\DeviceManager.exe & exit

it also tries to delete the following type of files exist on the removable drive.

fig. 12 - deleting some file types in removable drive.

Embedding itself to the RAR Archived file:

Another interesting stuff is in the 2nd thread, where it creates another copy of itself in %temp% folder name as "Windows Archive Manager.exe" then look for a Rar archived files within infected machine to embed the copy of itself to it, namely as "Windows Archive Manager.exe".

fig. 13 - finding archive files with Rar! file header.

 After letting the bait .rar file I created to be modified, you can notice right away that the size is got bigger and the copy of itself in %temp% is embed to the archive file. I tried to extract the modified archive file and I got some error but I still able to extract the original file in archive. maybe there is a specific rar file version to make this archive embedding technique works or malware author missed something in the rar header. (I will try to look more to this interesting stuff :) )

fig. 15 - the modified Rar Archive file.

fig. 16 - error in extracting but the original one is recoverable

Downloading GandCrab Ransomware:

And of course the last thread is dealing with downloading new version of GandCrab ransomware name as "t.exe" with the following specific user agent.

fig. 17 - downloading new version of GandCrab ransomware.


Known malware keep using other modules and component to do their evil stuff, to make the analysis more hard and to hide the big picture of the infection from the security analyst or security researcher. Sometimes malware components that looks too simple or linear, may contains bunch of interesting stuff to look for.


Filename: %windir%\T80870405687060\winsvcs.exe
md5: 77ab057031aed055f40dbcd22c8eeb47
Sha256: 796a87b9905c52ff7d1da91f2ff980b5dfdb9437a09624ccb4e6d8fe470ea666
Filesize:  156 KB (159,744 bytes)

unpack version
Sha1: 7b348fa38931e8313e2ba621c07bf6085e6770eb
md5: b464576150cd921b6f9cbd01923392b1
Sha256: 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4

Copy of itself filename:
%Temp%\Windows Archive Manager.exe

worm component:
%removable_drive\_ (directory '_' )

user agent:
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"



autostart registry:

Yara Rule:

import "pe"

rule gandcrab_win32_downloader_unpack {
        author =  "tccontre"
        description = "detecting gandcrab downloader"
        date =  "2018-11-08"
        sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"
        $mz = { 4d 5a }
        $s1 = "open=_\\DeviceManager.exe" fullword
        $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword
        $c0 = "DisableAntiSpyware" fullword wide
        $c1 = "DisableBehaviorMonitoring" fullword wide
        $c2 = "FirewallDisableNotify" fullword wide
        $c3 = "ls\\T80870405687060" fullword
        $c4 = "Recycle.Bin" fullword wide
        $c5 = "autorun.inf" fullword wide
        $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
        $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }
        ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)


CobaltStrike - beacon.dll : Your No Ordinary MZ Header

Today I found some interesting sample that was flag as cobaltstrike sample in app.any.run (links are below). The execution of this file is q...