An encryption Trojan for the Microsoft Windows operating systems. Its self-designation is “GandCrab!”. A message with racketeers’ demands and a list of extensions of encoded files are stored in the Trojan’s body encrypted with the use of the XOR algorithm.
The malicious program can collect information on availability of the following running processes of anti-viruses:
In order to prevent the repeated launch, the Trojan obtains a name of a work group in the local network, serial number of the hard drive volume and the processor model name. On the basis of these data, it forms a mutex name. If there is already a mutex with the same name, the Trojan shuts down. Then it kills the following processes:
After the processes are shut down, the Trojan forms a message with cybercriminals’ demands and generates the RSA-2048 key pair. Then it sends a call request to its command and control server, zeroes a private key in the memory and starts the process of its installation to the system.
If the Trojan is not launched from the folder %APPDATA%, it creates its own copy with an arbitrary name in the folder %APPDATA%\Microsoft\. Path to this file is saved in the thread of the system registry [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] with an arbitrary name of the parameter.
The Trojan encrypts the contents of the fixed, removable and network disks. Each disk is encrypted in a separate thread. When the encryption is completed, the Trojan sends to the server the data on the amount of encrypted files and the encryption time. The following folders are not encrypted:
The data required for encryption are generated for each file, then they are encrypted with the public RSA key. The encrypted files have the GDCB extension.
The Trojan uses the command and control server, the domain name of which is not resolved with standard methods. To obtain an IP address of the command and control server, the encoder executes the command nslookup and obtains the address from its output. If an attempt to obtain the IP address is unsuccessful, the encryption is not performed.
To send the call request to the command and control server, the Trojan forms a string that looks the following way:
- action — the request type;
- ip — an external address of an infected computer (if the Trojan is unsuccessful when obtaining it, the field stays blank);
- pc_user — user name;
- pc_name — computer name;
- pc_group — work group name;
- pc_keyb — keyboard layout code;
- os_major — Windows version (it is extracted from the key of the system registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\productName);
- os_bit — Windows bitness;
- ransom_id — infection identifier;
- hdd — information about disks;
- pub_key — a public key encoded in base64;
- priv_key — a private key encoded in base64;
- version — the internal Trojan version.
The obtained string is encrypted using the RC4 algorithm. Then the result is additionally encoded using base64. The obtained data are sent to the command and control server with the POST request, which looks like %IP_ADDR%/curl.php?token=1234 (the value token is extracted from the packed Trojan’s body). As a response, the malicious program receives the data encoded with the use of base64 and encrypted with the same RC4 key. They could contain a command for self-removal and a list of extensions for encryption (also encoded using base64).
At present, decryption of files encrypted with this Trojan is impossible.