Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Trojan.Encoder.24384

Added to the Dr.Web virus database: 2018-01-27

Virus description added:

Version 1.0

SHA1: b185665ded0fab4bb2588ec80f71333533d8e140

Version 1.1

SHA1: 2245bd90b753b7fd29b7218a0ef50435c64f8767

An encryption Trojan for the Microsoft Windows operating systems. Its self-designation is “GandCrab!”. A message with racketeers’ demands and a list of extensions of encoded files are stored in the Trojan’s body encrypted with the use of the XOR algorithm.

The malicious program can collect information on availability of the following running processes of anti-viruses:

AVP.EXE
ekrn.exe
avgnt.exe
ashDisp.exe
NortonAntiBot.exe
Mcshield.exe
avengine.exe
cmdagent.exe
smc.exe
persfw.exe
pccpfw.exe
fsguiexe.exe
cfp.exe
msmpeng.exe

In order to prevent the repeated launch, the Trojan obtains a name of a work group in the local network, serial number of the hard drive volume and the processor model name. On the basis of these data, it forms a mutex name. If there is already a mutex with the same name, the Trojan shuts down. Then it kills the following processes:

sqlservr.exe
msftesql.exe
sqlagent.exe
sqlbrowser.exe
sqlwriter.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
mydesktopqos.exe
agntsvc.exeisqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
agntsvc.exeagntsvc.exe
agntsvc.exeencsvc.exe
firefoxconfig.exe
tbirdconfig.exe
ocomm.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
dbeng50.exe
sqbcoreservice.exe
excel.exe
infopath.exe
msaccess.exe
mspub.exe
onenote.exe
outlook.exe
powerpnt.exe
steam.exe
thebat.exe
thebat64.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe

After the processes are shut down, the Trojan forms a message with cybercriminals’ demands and generates the RSA-2048 key pair. Then it sends a call request to its command and control server, zeroes a private key in the memory and starts the process of its installation to the system.

If the Trojan is not launched from the folder %APPDATA%, it creates its own copy with an arbitrary name in the folder %APPDATA%\Microsoft\. Path to this file is saved in the thread of the system registry [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] with an arbitrary name of the parameter.

The Trojan encrypts the contents of the fixed, removable and network disks. Each disk is encrypted in a separate thread. When the encryption is completed, the Trojan sends to the server the data on the amount of encrypted files and the encryption time. The following folders are not encrypted:

ProgramData
Program Files
Tor Browser
Ransomware
All Users
Local Settings
%PROGRAM_FILESX86%
%PROGRAM_FILES_COMMON%
%WINDOWS%
%LOCAL_APPDATA%

The data required for encryption are generated for each file, then they are encrypted with the public RSA key. The encrypted files have the GDCB extension.

The Trojan uses the command and control server, the domain name of which is not resolved with standard methods. To obtain an IP address of the command and control server, the encoder executes the command nslookup and obtains the address from its output. If an attempt to obtain the IP address is unsuccessful, the encryption is not performed.

To send the call request to the command and control server, the Trojan forms a string that looks the following way:


action=call&ip=123.123.123.123&pc_user=root&pc_name=PC&pc_group=WORKGROUP&pc_keyb=0&os_major=Microsoft
Windows
XP&os_bit=x86&ransom_id=1111111111111111&hdd=C:FIXED_...&pub_key=...&priv_key=...&version=1.0 

where:

  • action — the request type;
  • ip — an external address of an infected computer (if the Trojan is unsuccessful when obtaining it, the field stays blank);
  • pc_user — user name;
  • pc_name — computer name;
  • pc_group — work group name;
  • pc_keyb — keyboard layout code;
  • os_major — Windows version (it is extracted from the key of the system registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\productName);
  • os_bit — Windows bitness;
  • ransom_id — infection identifier;
  • hdd — information about disks;
  • pub_key — a public key encoded in base64;
  • priv_key — a private key encoded in base64;
  • version — the internal Trojan version.

The obtained string is encrypted using the RC4 algorithm. Then the result is additionally encoded using base64. The obtained data are sent to the command and control server with the POST request, which looks like %IP_ADDR%/curl.php?token=1234 (the value token is extracted from the packed Trojan’s body). As a response, the malicious program receives the data encoded with the use of base64 and encrypted with the same RC4 key. They could contain a command for self-removal and a list of extensions for encryption (also encoded using base64).

At present, decryption of files encrypted with this Trojan is impossible.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040