Fig-2. Decrypted JavaScript
Fig-3. Encoded PowerShell Script
The encoded PowerShell script is written to a .log file with '?' characters inserted throughout; it is decoded by stripping every '?' and then executed.
To run it, the JavaScript launches PowerShell through ShellExecute with the following command:
jklqtyurkut.ShellExecute(wcnquc, '-ExecutionPolicy Bypass -Command "IEX (([System.IO.File]::ReadAllText(\''+bygeyemm+"bwcuoqir.log"+'\')).Replace(\'?\',\'\'));"', "", "open", 0);
Fig-4. Decoded PowerShell script
This decoded PowerShell script base64-decodes a second PowerShell script and executes it. The decoded second script is shown below:
Fig-5. 2nd PowerShell Script
This second PowerShell script carries a compressed, base64-encoded PE file. It decodes and decompresses the PE file and loads it into the memory of powershell.exe. The loaded PE file is a .NET DLL which in turn contains another base64-encoded PE file; the .NET DLL decodes that file and loads it in memory as well, as shown in the figure below:
Fig-6. Dotnet Dll containing Base64 encoded PE file
This decoded PE file is a Borland Delphi DLL containing an encrypted GandCrab payload. The DLL decrypts the main payload in memory and executes it. The payload now runs inside the memory of powershell.exe and starts encrypting files. At no point is a PE file written to disk: the malicious GandCrab payload is loaded and executed entirely within the memory of powershell.exe.
After encryption, it displays the following message by changing the desktop wallpaper.
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: GandCrab.RSM_10 (Trojan)