With these points in mind, we have started to think that this function is either experimental or simply there to divert analysis, and that the URLs included in the list are just victims of bad humour. Even more curious is the fact that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. However, we found no definitive evidence that the hard-coded websites included in the malware had ever actually been compromised to act as servers or download sites for GandCrab.

Keyboard Russian Layout Flag (0=Yes/1=No).

After successfully connecting to a URL, this malware sends encrypted (and base64-encoded) victim data, which contains the following infected system and GandCrab information:
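The behaviour described above, one machine sending base64-encoded POST bodies to every live host in a list, stands out in proxy logs, and the following detection sketch shows one way to flag it. It is an added example, not code from the original analysis; the log format, host names, client addresses and thresholds are constructed assumptions.

```python
import base64
import binascii
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a stand-in blob and proxy log lines in an assumed
# "time client method host body" format. Nothing here is taken from the malware.
_BLOB = base64.b64encode(b"constructed stand-in for encrypted data").decode()
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{i:02d} 10.0.0.5 POST site{i}.example {_BLOB}" for i in range(6)]
    + ["2024-01-01T10:00:07 10.0.0.9 POST intranet.example user=alice&page=2",
       "2024-01-01T10:05:00 10.0.0.9 POST forms.example user=alice&page=3",
       "2024-01-01T10:00:09 10.0.0.7 GET news.example -"]
)

def looks_base64(body, min_len=24):
    """True when the whole body is one strictly valid base64 string."""
    if len(body) < min_len:
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def parse(log):
    """Yield (timestamp, client, method, host, body) for each log line."""
    for line in log.splitlines():
        ts, client, method, host, body = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), client, method, host, body

def find_fanout(log, window=timedelta(seconds=60), min_hosts=5):
    """Map each client to the hosts of the first window in which it sent
    base64 POST bodies to at least min_hosts distinct hosts."""
    posts = defaultdict(list)
    for ts, client, method, host, body in parse(log):
        if method == "POST" and looks_base64(body):
            posts[client].append((ts, host))
    flagged = {}
    for client, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[client] = sorted(hosts)
                break
    return flagged
```

Tune `window` and `min_hosts` against normal traffic for the environment, since legitimate software can also post encoded data to several hosts.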