[2018-04-10] Unknown->RigEK->GandCrab

April 10, 2018

Overview

Saz file (Fiddler session archive) is 2018-04-10_00-40-59.saz

(↓Analysis result using EKFiddle)

Malware

GandCrab

7efa4fb06abe1a9c9cde116142af387b514c16d71b98b27fa3bd3b6271851b60
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[RigEK][Landing Page]
http[:]//185.154.53.185/?NTMzMzYx&pLggKQ&fdx3s=xXrQMvWfbRXQDp3EKv_cT6NBMVHRHkCL2Y2dmrHTefjaeFWkzrLFTF_xozKATgSG6_FtdfJ&zndFAz=cmVzb3J0&mWPeDeLpxVTA=bW9uZXk=&t45a3d=SDVfijkbUKQZimoleUFIU86z62kOAyxae05aF_B2INQhB_5uRE7g53Fj8zLAkQPsmg1TH6mI&fQiRFDUf=cmVzb3J0&fCZbreFwPVULP=c2hha2U=&KrxIjbIachiZsvy=Zmx5&SafnvsrebZxzq=cmVzb3J0&DZRbyiWlnzlpRp=cmVzb3J0
↓
[RigEK][SWF Payload][CVE-2018-4878]
http[:]//185.154.53.185/?NDg0NTMy&pnUtjn&fdx3s=w3rQMvXcJxzQFYbGMvrDSKNbNk7WHViPxo2G9MildZqqZGX_k7fDfF-qoVncCgWRxfF&SuOYMi=Y2F0cw==&DhSrfFATdV=c2Vh&doikLgsuPKmKms=c2My&MeMhNEoB=c2Vh&JKvGNTlyiXCVf=c2Vh&t45a3d=5LrEEbwfii0KCcwFmmdoJB1gR9_qviUXdzEKYgJSL-hyPZAhM_KKUEbM421jFjLNTJvs&jMQHGQhuxvISgNK=c3BvcnQ=&vyKNrHXdyE=Zmx5
↓
[RigEK][Malware Payload]
http[:]//185.154.53.185/?NDEzMDY4&hWRfEjBuOe&t45a3d=EbUKQZimolcUFIU9Kz62kCAyxad05aF_h2INQtB_5uUE7g52Vj8zLUkecIlzh-L6GhZxe4tDxoR4jo&taDRsQhXOu=Zmx5&YnPMnH=bWF0Y2h1cA==&dPItQsXxhmiCM=cmVzb3J0&smpEXnFVAv=Y2F0cw==&qaJDGPoKuAQWGb=c3BvcnQ=&fdx3s=xXrQMvWebRXQCJ3EKv_cT6NBMVHRHECL2YqdmrHTefjaeFWkzrDFTF_3ozKATgSG6_FtdfJTDVfij&DrrCQKCuCVk=Zmx5&UYrIbhqvYIsv=cmVzb3J0
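The three requests above go to one host and carry the same two long opaque parameters (fdx3s and t45a3d), while every other parameter value is just base64 of an ordinary English word (cmVzb3J0 is "resort", Zmx5 is "fly", Y2F0cw== is "cats") and the first bare token is base64 of a number. The script below is added here as an example; it is not part of the original write-up and it is not EKFiddle's rule set. It parses defanged URLs copied from the session list, decodes the decoy values, and groups requests by host and opaque-parameter names so that the landing page, SWF fetch and payload fetch of one session line up. The URLs and host are the ones from this capture; the looks_like_rig heuristic, thresholds and function names are this example's own choices.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed input: the three defanged request URLs from the traffic chain above,
# copied as they would be pasted out of a Fiddler session list.
SAMPLE_URLS = [
    "http[:]//185.154.53.185/?NTMzMzYx&pLggKQ&fdx3s=xXrQMvWfbRXQDp3EKv_cT6NBMVHRHkCL2Y2dmrHTefjaeFWkzrLFTF_xozKATgSG6_FtdfJ&zndFAz=cmVzb3J0&mWPeDeLpxVTA=bW9uZXk=&t45a3d=SDVfijkbUKQZimoleUFIU86z62kOAyxae05aF_B2INQhB_5uRE7g53Fj8zLAkQPsmg1TH6mI&fQiRFDUf=cmVzb3J0&fCZbreFwPVULP=c2hha2U=&KrxIjbIachiZsvy=Zmx5&SafnvsrebZxzq=cmVzb3J0&DZRbyiWlnzlpRp=cmVzb3J0",
    "http[:]//185.154.53.185/?NDg0NTMy&pnUtjn&fdx3s=w3rQMvXcJxzQFYbGMvrDSKNbNk7WHViPxo2G9MildZqqZGX_k7fDfF-qoVncCgWRxfF&SuOYMi=Y2F0cw==&DhSrfFATdV=c2Vh&doikLgsuPKmKms=c2My&MeMhNEoB=c2Vh&JKvGNTlyiXCVf=c2Vh&t45a3d=5LrEEbwfii0KCcwFmmdoJB1gR9_qviUXdzEKYgJSL-hyPZAhM_KKUEbM421jFjLNTJvs&jMQHGQhuxvISgNK=c3BvcnQ=&vyKNrHXdyE=Zmx5",
    "http[:]//185.154.53.185/?NDEzMDY4&hWRfEjBuOe&t45a3d=EbUKQZimolcUFIU9Kz62kCAyxad05aF_h2INQtB_5uUE7g52Vj8zLUkecIlzh-L6GhZxe4tDxoR4jo&taDRsQhXOu=Zmx5&YnPMnH=bWF0Y2h1cA==&dPItQsXxhmiCM=cmVzb3J0&smpEXnFVAv=Y2F0cw==&qaJDGPoKuAQWGb=c3BvcnQ=&fdx3s=xXrQMvWebRXQCJ3EKv_cT6NBMVHRHECL2YqdmrHTefjaeFWkzrDFTF_3ozKATgSG6_FtdfJTDVfij&DrrCQKCuCVk=Zmx5&UYrIbhqvYIsv=cmVzb3J0",
]

WORD_RE = re.compile(r"[a-z0-9]{2,16}")         # what a decoy value decodes to
B64_RE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")   # standard or URL-safe base64 alphabet


@dataclass
class Request:
    host: str
    leading: Optional[str]   # decoded first bare token, e.g. "533361"
    decoys: List[str]        # decoded decoy words, e.g. ["resort", "money", ...]
    blobs: List[str]         # names of long opaque parameters, e.g. ["fdx3s", "t45a3d"]


def refang(url: str) -> str:
    """Undo the [:] and [.] defanging used in the write-up so urlsplit can parse it."""
    return url.replace("[:]", ":").replace("[.]", ".")


def b64_word(value: str) -> Optional[str]:
    """Decode value if it is base64 of a short lowercase word or digit string.

    Decoy parameters (cmVzb3J0 -> resort, Zmx5 -> fly, ...) and the leading numeric
    token decode cleanly; the long encrypted blobs and the random filler tokens do
    not decode to clean ASCII text and come back as None.
    """
    if not B64_RE.fullmatch(value):
        return None
    std = value.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)                  # tolerate stripped padding
    try:
        text = base64.b64decode(std).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if WORD_RE.fullmatch(text) else None


def parse_request(url: str) -> Request:
    """Break one request into the pieces an analyst compares across the chain."""
    parts = urlsplit(refang(url))
    params = parse_qsl(parts.query, keep_blank_values=True)
    leading = b64_word(params[0][0]) if params and params[0][1] == "" else None
    decoys: List[str] = []
    blobs: List[str] = []
    for name, value in params:
        if value == "":
            continue                              # bare tokens after the first are filler
        word = b64_word(value)
        if word is not None:
            decoys.append(word)
        elif len(value) >= 40:
            blobs.append(name)                    # long opaque value: encrypted session data
    return Request(parts.hostname or "", leading, decoys, blobs)


def looks_like_rig(req: Request) -> bool:
    """Heuristic written for this example (not EKFiddle's): a numeric leading token,
    at least two long opaque parameters, and several decoy words in one query."""
    return (req.leading is not None and req.leading.isdigit()
            and len(req.blobs) >= 2 and len(req.decoys) >= 4)


def link_chain(urls: List[str]) -> Dict[Tuple[str, frozenset], List[Request]]:
    """Group requests by (host, set of opaque parameter names).

    Within one session the decoy names and values are reshuffled per request, but
    the opaque parameter names (here fdx3s and t45a3d) are constant, which ties the
    landing page, exploit and payload fetches together despite the changing query.
    """
    groups: Dict[Tuple[str, frozenset], List[Request]] = {}
    for url in urls:
        req = parse_request(url)
        groups.setdefault((req.host, frozenset(req.blobs)), []).append(req)
    return groups


if __name__ == "__main__":
    for (host, names), reqs in link_chain(SAMPLE_URLS).items():
        print(f"{host}  opaque params={sorted(names)}  requests={len(reqs)}")
        for r in reqs:
            flag = "RIG?" if looks_like_rig(r) else "----"
            print(f"  {flag} token={r.leading} decoys={','.join(r.decoys)}")
```

Run it on a list of URLs exported from the saz and it prints one group per (host, opaque-parameter set); three requests in one group with a numeric leading token and word-only decoys is the shape of a single Rig session. The 40-character threshold and the 2-to-16 character word rule are tuned to this capture and should be treated as starting points, not a signature.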