File name: | GandCrab 5.0.3 downloader.js |
Full analysis: | https://app.any.run/tasks/e39a3493-8474-4540-ad51-7ce71a933caa |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | May 24, 2019, 13:03:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 595A31A4913951D3EB7211618AE75DEA |
SHA1: | 16DBFE657AC36A8D84AF411F13EBFF1CCC5E56AD |
SHA256: | BE6A4997FDF6EA0D74A973AE0A361EBCC4CBBC74A5801E75A76BB52A2B424E34 |
SSDEEP: | 12288:lNelh1RLsMUu8HRCTEr45VYYtkG8eAVIsNOd:lNelh1RLsMUu8HRCR3UeAVIsNs |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2716 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\GandCrab 5.0.3 downloader.js" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2844 | "C:\Users\admin\dsoyaltj.exe" | C:\Users\admin\dsoyaltj.exe | — | WScript.exe |
User: admin Company: www.sopcast.com Integrity Level: MEDIUM Description: SopCast Main Application Exit code: 0 Version: 4.2.0.800 | ||||
3612 | "C:\Windows\System32\wermgr.exe" | C:\Windows\System32\wermgr.exe | dsoyaltj.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2108 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | wermgr.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2844 | dsoyaltj.exe | C:\Users\admin\AppData\Local\Temp\Liebert.bmp | — | |
MD5:— | SHA256:— | |||
3612 | wermgr.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
3612 | wermgr.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | |
MD5:— | SHA256:— | |||
3612 | wermgr.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | — | |
MD5:— | SHA256:— | |||
3612 | wermgr.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata | — | |
MD5:— | SHA256:— | |||
3612 | wermgr.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl | — | |
MD5:— | SHA256:— | |||
3612 | wermgr.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl | — | |
MD5:— | SHA256:— | |||
3612 | wermgr.exe | C:\Users\admin\.oracle_jre_usage\QARXII-DECRYPT.txt | text | |
MD5:34169F8BC44BA939E7FFB33AC71CD1FE | SHA256:89A3BB0CF25D04B8C9A2526889ECA9EEE25F9B9F2A22FC742E938F39AF019A52 | |||
3612 | wermgr.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\QARXII-DECRYPT.txt | text | |
MD5:34169F8BC44BA939E7FFB33AC71CD1FE | SHA256:89A3BB0CF25D04B8C9A2526889ECA9EEE25F9B9F2A22FC742E938F39AF019A52 | |||
3612 | wermgr.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\QARXII-DECRYPT.txt | text | |
MD5:34169F8BC44BA939E7FFB33AC71CD1FE | SHA256:89A3BB0CF25D04B8C9A2526889ECA9EEE25F9B9F2A22FC742E938F39AF019A52 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3612 | wermgr.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.1 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3612 | wermgr.exe | 78.46.77.98:443 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
3612 | wermgr.exe | 136.243.13.215:443 | www.holzbock.biz | Hetzner Online GmbH | DE | suspicious |
3612 | wermgr.exe | 74.220.199.8:443 | www.bizziniinfissi.com | Unified Layer | US | malicious |
3612 | wermgr.exe | 217.26.53.161:443 | www.haargenau.biz | Hostpoint AG | CH | malicious |
3612 | wermgr.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3612 | wermgr.exe | 185.52.2.154:443 | www.fliptray.biz | RouteLabel V.O.F. | NL | suspicious |
3612 | wermgr.exe | 192.185.159.253:443 | www.pizcam.com | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.2mmotorsport.biz |
| unknown |
www.haargenau.biz |
| unknown |
www.bizziniinfissi.com |
| malicious |
www.download.windowsupdate.com |
| whitelisted |
www.holzbock.biz |
| unknown |
www.fliptray.biz |
| malicious |
www.pizcam.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3612 | wermgr.exe | Potential Corporate Privacy Violation | ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit) |