Information Technology | Softwares - Graphics - Programming - Hacking - Security

Apr 12, 2020

Malware Analysis and Reverse Engineering | GandCrabv5.2 Ransomware Report

Overview of GandCrab ransomware

1: History and development of GandCrab:
GandCrab was first discovered in January 2018. Since then its operators have continuously improved it across four generations of increasing sophistication and complexity.
It is malicious code that encrypts all the data on the victim's computer and demands a ransom in exchange for the decryption key.

2: Spreading mechanism:
GandCrab spreads through fake emails that urge the victim to open the text document attached to the email. The attachment actually carries the malware; if the victim opens the file, the computer is infected.

3: How to identify the version:

Overview of GandCrab version 5.2

1: Introduction:
GandCrab version 5.2 targets all versions of Windows, including Windows 7, Windows 8.1 and Windows 10. The infection is notable for how it encrypts the user's files: it uses the Salsa20 cipher, so that the affected user has no choice but to purchase the private key.
Ransom demanded: $1200 in Bitcoin or DASH.
Probably the biggest change in GandCrab so far is that the ransomware no longer appends a random file extension; instead it renames each encrypted file to a randomly generated name drawn from A-Z, a-z and 0-9. Worse, every file is renamed differently, with a different name length.

Once GandCrab 5.2 infects a computer, it immediately spawns a randomly named executable file

2: Infected computer:

The ransom note file contains the following message to victims, asking them to visit a Tor-based web page.

The malware sample used:
Name: GandCrab52.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 101376 KB
MD5: 78efe80384fa759964c9ea8bada3ac8d

Behavioral analysis using tool Cuckoo Sandbox

1: Prepare tools:
- Cuckoo Sandbox version 2.0.7 (timeout 3 minutes)
- VirtualBox running Windows 10 (Windows Defender turned off)
2: Goals of the analysis:
- Understand the activities on the system
- Retrieve activity logs
- Make predictions about the malware's functions
3: Analysis process:
3.1: First analysis:

Result: the malware did not stay alive; it terminated shortly after being launched in the sandbox.
Guess: GandCrab 5.2 can detect the virtual machine environment and then refuses to run its remaining functions.

3.2: Second analysis:
(Screenshots are reported from Cuckoo)

(Image of encrypted files and the txt file GandCrab drops to notify the victim of the ransom)

Results from the collected images:
- Encrypted files cannot be opened; they carry the file extension ".hifboohk"
- Each folder contains a txt file with information on how to retrieve the data
- Within 3 minutes, all files containing data were encrypted, except the files on the Desktop.
- Within 3 minutes, the wallpaper had not been changed.

3.3: Cuckoo's classification of the malware:

Score: 0. Cuckoo could not detect that GandCrab was malicious.

4: Results after analysis:
After analyzing the image reports and activity logs, the results are as follows:
- GandCrab went undetected by the Cuckoo sandbox
- GandCrab needs an internet connection to its server before it performs its encryption behavior
- GandCrab encrypts the data files on the victim's computer.
- GandCrab leaves a notice on how to transfer money to retrieve the data in every folder containing encrypted data.
- GandCrab can detect a virtual machine environment to avoid being analyzed
- GandCrab has a time delay before it changes the wallpaper and encrypts the data on the Desktop.
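The two on-disk traces observed in the sandbox runs (data files renamed, either with an unfamiliar extension such as ".hifboohk" or, as described for 5.2, replaced wholesale by a random A-Z/a-z/0-9 name, and a "<random>-DECRYPT.txt" note dropped in every affected folder) can be turned into a simple triage check. The Python below is an added example, not part of the original report or of any GandCrab tooling; the path listing is constructed, and the extension allow-list and the random-name heuristic are assumptions a defender would tune for their own environment.

```python
r"""Triage a file listing for the on-disk traces the sandbox runs showed.

Added example, not from the original report.  The path listing is
constructed; KNOWN_EXTENSIONS and looks_random() are assumptions.
"""
import re
from collections import defaultdict

NOTE_SUFFIX = "-DECRYPT.TXT"                       # ransom note naming from the report
# Constructed allow-list: extensions that are normal for the scanned user folders.
KNOWN_EXTENSIONS = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "zip", "exe", "lnk", "ini"}
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{5,}$")     # whole name, no dot anywhere


def looks_random(name):
    """Heuristic: an extension-less name mixing upper, lower and digits."""
    return (RANDOM_NAME.match(name) is not None
            and any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def classify(name):
    """Return 'note', 'renamed', 'unknown_ext' or 'normal' for one file name."""
    if name.upper().endswith(NOTE_SUFFIX):
        return "note"
    if looks_random(name):
        return "renamed"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext and ext not in KNOWN_EXTENSIONS:
        return "unknown_ext"
    return "normal"


def scan_listing(paths):
    """Group Windows paths by folder and count each category per folder."""
    folders = defaultdict(lambda: {"note": 0, "renamed": 0, "unknown_ext": 0, "normal": 0})
    for path in paths:
        folder, _, name = path.rpartition("\\")
        folders[folder][classify(name)] += 1
    return dict(folders)


def suspicious_folders(paths):
    """Folders holding a ransom note next to renamed or oddly-named files."""
    hits = []
    for folder, counts in scan_listing(paths).items():
        if counts["note"] and (counts["renamed"] + counts["unknown_ext"]):
            hits.append(folder)
    return sorted(hits)


# Constructed listing: Documents and Pictures were hit, Desktop was not yet
# (matching the 3-minute observation in the report).
SAMPLE_LISTING = [
    r"C:\Users\analyst\Documents\report.docx.hifboohk",
    r"C:\Users\analyst\Documents\budget.xlsx.hifboohk",
    r"C:\Users\analyst\Documents\HIFBOOHK-DECRYPT.txt",
    r"C:\Users\analyst\Pictures\k7Qp2mXz9",
    r"C:\Users\analyst\Pictures\Ab3xY",
    r"C:\Users\analyst\Pictures\KLMNOP-DECRYPT.txt",
    r"C:\Users\analyst\Desktop\notes.txt",
    r"C:\Users\analyst\Desktop\README",
    r"C:\Users\analyst\Desktop\GandCrab52.exe",
]

if __name__ == "__main__":
    summary = scan_listing(SAMPLE_LISTING)
    for folder in suspicious_folders(SAMPLE_LISTING):
        print("possible encryption traces in", folder, summary[folder])
```

The folder-level rule (note file plus at least one renamed or unknown-extension file) is deliberately stricter than either signal alone: an extension-less name like README is not flagged, and a lone note file without encrypted neighbours is reported only through the per-folder counts.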


Prepare tools:
- FakeNet (Windows network simulation)
- Netcat (reading from and writing to network connections over TCP or UDP)
- ApateDNS (controlling DNS responses)
- Wireshark (reading .pcap files)
- Process Monitor + Process Explorer (displaying the malware's processes)

Analysis process:
4.1: First analysis:
- The malware connected to a domain
- Domain analysis:
  o IP address:
  o Location: Netherlands
  o Reputation status: URL has been blacklisted

4.2: Second analysis:

The malware connected to the domain again.

Estimated runtime from the virus starting until all files on the Desktop are encrypted:
4 minutes

Processes of GandCrab:
- Command executed: "C:\Users\Nguyen Ngoc\Desktop\GandCrab5.2.exe"
- Monitor duration: 4 minutes
- Command executed: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- Monitor duration: 3 seconds
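The second command in the process list, wmic.exe deleting the Volume Shadow Copies, is the step that removes the victim's easiest recovery path, and it is also one of the most reliable things to alert on. The Python below is an added example, not from the original report: it runs a small detection rule over constructed Sysmon-style process-creation records. The wmic command line is the one the report captured; the vssadmin form is included as an assumption about the other common way shadow copies get deleted.

```python
r"""Detection rule for Volume Shadow Copy deletion.

Added example, not from the original report.  SAMPLE_EVENTS are constructed;
the wmic command line matches the one the report captured, the vssadmin rule
is an assumption.
"""
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process


# (executable name, words that must all appear in the argument list)
SHADOW_DELETE_RULES = [
    ("wmic.exe", ("shadowcopy", "delete")),
    ("vssadmin.exe", ("delete", "shadows")),
]


def _tokens(command_line):
    """Lowercase tokens of a Windows command line, keeping quoted paths whole."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:          # unbalanced quotes in the log line
        parts = command_line.split()
    return [p.strip('"').lower() for p in parts]


def _basename(path):
    return path.replace("/", "\\").rpartition("\\")[2].lower()


def is_shadow_copy_deletion(event):
    """True when the process image and its arguments match a deletion rule."""
    exe = _basename(event.image)
    words = _tokens(event.command_line)
    return any(exe == rule_exe and all(w in words for w in required)
               for rule_exe, required in SHADOW_DELETE_RULES)


def detect_shadow_copy_deletion(events):
    """Return an alert (with the parent process for triage) per matching event."""
    return [{"command_line": e.command_line, "parent_image": e.parent_image}
            for e in events if is_shadow_copy_deletion(e)]


# Constructed events; the parent paths stand in for where a sample would run.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
                 r"C:\Users\analyst\Desktop\GandCrab5.2.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get caption",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet",
                 r"C:\Users\analyst\AppData\Local\Temp\dropper.exe"),
]

if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print("shadow copy deletion:", alert)
```

Matching on the image name plus the argument words, rather than on the raw string, keeps the rule robust to quoting, path case and argument order, while benign uses of the same binaries (wmic queries, vssadmin list) stay silent. The parent image is carried into the alert because a user-profile executable spawning wmic or vssadmin is the part an analyst needs first.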

File paths encrypted:

Private key stored in:
- Path: Computer\HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\WOW6432Node\keys_data\data
- Binary type
(keys stored in regedit)
- ASCII text:
(keys encrypted)

Registry key used to detect the virtual machine:
Path: "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"
(Registry records while GandCrab is running)

Comparison of files before and after GandCrab:

Text file

Zip file

Under the hood

Code behavior analysis:
Exif information

IAT at address 013000 with size 0001d8; timestamp: Feb 16, 2019


ADVAPI32 - part of the Windows API (informally WinAPI), Microsoft's core set of application programming interfaces available in the Windows operating systems.

We can see calls to functions related to the Windows registry, services, applications and user accounts.

Functions called in Kernel32.dll:
This is a very common DLL with important core functionality; it provides access to memory, files and hardware. GandCrab calls many important functions from it.

We can see that Ntdll is imported. Executables usually do not import this file directly at run time; it is normally reached indirectly through Kernel32.dll. If an executable imports it directly, the author intends to use functionality that is hidden from ordinary Windows programs. Tasks such as hiding functionality or manipulating processes use this interface.

The user-mode hooking technique commonly targets the native APIs exported by ntdll.dll, because most malware uses resources related to processes, memory or file I/O, and to do so most Windows APIs end up issuing their system calls through ntdll.dll.

GandCrab uses a technique to detect the sandbox.

Rpcrt4.dll is the Remote Procedure Call runtime library. It is used by a number of Windows applications for network and Internet connections, allowing computers and devices to communicate with one another. Because it is a dynamic link library, it provides a specific set of functions that other components rely on.
WSock32.dll and Ws2_32.dll:
These are networking DLLs. Through them GandCrab can use the most common connection types to reach the network or perform network-related tasks.
Wininet.dll contains higher-level network functions, such as implementations of protocols like FTP, HTTP and NTP.

The function InternetOpenW is called at 407EE2 to open a proxy, fake DNS to localhost and connect to the server.
At 40E3F8, GandCrab uses GlobalAlloc to allocate memory, then calls WriteFile to overwrite files; it encrypts all collected information with XOR and sends it to the command-and-control server.

GandCrab uses named pipes to communicate, and it also uses the unique id referenced above. The following screenshot shows the routine in which it is created.

So we can see here that it uses CreateNamedPipeA at 410CF8 to set up the named pipe that it subsequently reads from and writes to.

At the end of the function, call 40D9B4 invokes VirtualFree with the dwFreeType parameter set to MEM_RELEASE (zero). The function frees the entire region reserved by the initial allocation call to VirtualAlloc.

AhnLab, a leader in cyber threat analysis, fought against GandCrab ransomware to mitigate attacks and respond effectively to its constantly changing attack methods. GandCrab shares an extraordinary history with AhnLab. Like any other ransomware, GandCrab searches for any running or pre-installed anti-malware program before interfering with its normal execution and shutting it down. GandCrab, however, went to extra effort: it directly targeted AhnLab and its anti-malware program, V3 Lite, by naming them in its code. GandCrab even revealed a vulnerability in AhnLab V3 and attempted to delete the program.
GandCrab's creator continued to insult AhnLab by adding insulting text aimed at AhnLab in GandCrab v5.2. GandCrab v5.2 incorporates a time-delay technique to disturb dynamic analysis: it includes the string "AnaLab_sucks" in the window procedure class name that enables the SetTimer function. "AnaLab" can be assumed to be a typo for AhnLab. Nonetheless, the creator of GandCrab consistently mentioned "V3 Lite" and "AhnLab" directly in the distributed strings.

The ransomware generates private and public keys using the Microsoft Cryptographic Provider and the following APIs:
When the encryption is over, GandCrab opens a <randomType>-DECRYPT.txt file, which is the ransom note. These are just some of the functions that we analyzed; part 2 may be coming soon.

GandCrab 5.2 encrypts files with the Salsa20 algorithm. The cipher replaces data in the files on the infected computer with blocks of encrypted data. The virus does not encrypt the whole file, but only portions of it, enough to make it appear corrupt and unusable. Worse, GandCrab 5.2 uses CBC mode for its file encryption procedures. This mode looks like the image posted below, and it basically breaks your files if you try to change their extension or tamper with them:

Restore files – decrypt Salsa20

This repository contains Python3 scripts that can decrypt files encrypted with the GandCrab 5.2 ransomware:

Decryption happens in two steps. The first recovers the "user" private RSA key, which was encrypted with the so-called master key (originally held only by the ransomware authors). The second uses the recovered RSA private key to decrypt the files.
It uses the RSA private master key released by the FBI and Europol on 2019/07/15.
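The two passages above describe Salsa20 partial-file encryption and a two-step recovery (unwrap the victim's RSA private key with the released master key, then decrypt the files). The Python below is an added example, not one of the decryption scripts the page refers to, and it models only the final step: given an already-recovered 32-byte Salsa20 key and 8-byte nonce, it regenerates the keystream in pure Python and restores the encrypted prefix of a file. The key, nonce, sample file and the "first N bytes" layout are constructed; the RSA unwrapping and GandCrab's real per-file metadata are not modelled.

```python
r"""Salsa20 keystream and partial-file decryption in pure Python.

Added example, not from the page or the repository it mentions.  Everything
below the cipher (SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_FILE, ENCRYPTED_LEN) is
constructed stand-in material, not recovered GandCrab data.
"""
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # constants for 256-bit keys


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter_round(s, a, b, c, d):
    s[b] ^= _rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK, 18)


def salsa20_core(block):
    """Salsa20 hash function: 64-byte input -> 64-byte output (20 rounds)."""
    x = list(struct.unpack("<16I", block))
    s = list(x)
    for _ in range(10):                       # 10 double rounds
        _quarter_round(s, 0, 4, 8, 12)        # column round
        _quarter_round(s, 5, 9, 13, 1)
        _quarter_round(s, 10, 14, 2, 6)
        _quarter_round(s, 15, 3, 7, 11)
        _quarter_round(s, 0, 1, 2, 3)         # row round
        _quarter_round(s, 5, 6, 7, 4)
        _quarter_round(s, 10, 11, 8, 9)
        _quarter_round(s, 15, 12, 13, 14)
    return struct.pack("<16I", *[(s[i] + x[i]) & MASK for i in range(16)])


def salsa20_block(key, nonce, counter):
    """Keystream block for a 32-byte key, 8-byte nonce and 64-bit block counter."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    state = struct.pack("<16I", SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
                        c[0], c[1], SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3])
    return salsa20_core(state)


def salsa20_xor(key, nonce, data, counter=0):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, counter + off // 64)
        out.extend(b ^ k for b, k in zip(data[off:off + 64], ks))
    return bytes(out)


def decrypt_partial_file(blob, key, nonce, encrypted_len):
    """Restore a file whose first encrypted_len bytes were Salsa20-encrypted."""
    return salsa20_xor(key, nonce, blob[:encrypted_len]) + blob[encrypted_len:]


# Constructed material: a stand-in for a recovered per-file key and nonce, and a
# 600-byte "document" of which only the first 256 bytes are encrypted.
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = bytes.fromhex("0102030405060708")
SAMPLE_FILE = b"PK\x03\x04" + bytes(range(256)) * 2 + b"\x00" * 84
ENCRYPTED_LEN = 256


def demo():
    """Produce the partially encrypted form, then recover it; returns (damaged, restored)."""
    damaged = (salsa20_xor(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_FILE[:ENCRYPTED_LEN])
               + SAMPLE_FILE[ENCRYPTED_LEN:])
    return damaged, decrypt_partial_file(damaged, SAMPLE_KEY, SAMPLE_NONCE, ENCRYPTED_LEN)
```

Because Salsa20 is a stream cipher, recovery needs nothing beyond the key, the nonce and the knowledge of which byte range was touched; the untouched tail of the file is copied through unchanged, which is also why a partially encrypted file keeps its original size and looks "corrupt" rather than replaced.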

Thanks to NgocNB, DuongDT and DatDQ.
