DISSERTATION ON: NETWORK BASED GAND-CRAB RANSOMWARE DETECTION THROUGH WIRESHARK TRAFFIC ANALYSIS
NAME: TARUN PODURALLA
P NUMBER: P2548817
DE MONTFORT UNIVERSITY
Contents
1. Objectives of Research
2. Introduction
3. Literature Review
4. Research Methodology
5. Result Analysis
6. Conclusion
7. References
1. Objectives of Research
Assessment of ransomware.
Critical analysis of the sample in network traffic.
Network behaviour once the ransomware enters the system.
1. Introduction
What is Ransomware:
Abstract: Ransomware is a type of malware that contains malicious code which disrupts the normal functionality of IT equipment and demands that users pay money in the form of a ransom, before a given deadline, to get normal access back.
Overview: The project deals with a malware and ransomware sample to find its important characteristics, such as:
• Persistence of malware and ransomware.
• Downloading files or software from a remote system.
• Network poisoning.
Project Motivation:
• The WannaCry attack that affected the NHS and forced employees back to pen and paper is one of the motivating elements for studying a malware-based project.
• Secondly, the recent malware attacks attempted on many systems in the form of social engineering, where a document about a cure for COVID-19 contained malware to hit the target [1], motivated me to take on this malware-based project [1].
Project Objective:
• The main objective of this project is to produce a standard project which explains the behaviour of the malware.
2. LITERATURE REVIEW
Types of Ransomware: Ransomware encrypts files and tries to infect the drives on the network; once the network is infected, a whole section of a company could be brought down by the attack. Crypto ransomware has been categorised into three types [1]:
1. Symmetrical Cryptosystem Ransomware: This uses symmetric key cryptography. It could be mitigated by reverse engineering to obtain the secret key, but normal operation is still disrupted for some time.
2. Asymmetrical Cryptosystem Ransomware: This affects the system when the command and control (C&C) server communicates with it. The private key is withheld by the adversary, so reverse engineering fails to recover the key and the victim is left with no choice but to pay the ransom.
3. Hybrid Cryptosystem Ransomware: A dynamically generated key is used to encrypt the target user's files. In the hybrid key concept, the attacker keeps changing the encryption key. Suppose the defender is trying to recover the encryption key k1; meanwhile the attacker, having already created a backdoor, can switch to another key k2 to perform the encryption.
Key: encryption key
Key = k1 (at one instance)
Key = k2 (at another instance)
...
Key = kn
So the key is dynamic in nature, and hence defending against malware and ransomware that use a dynamic key is tougher than defending against static key-based malware or ransomware.
Figure.1 [1] Crypto ransomware network communications(a) Symmetrical encryption, (b) Asymmetrical encryption
Categories of Ransomware:
Ransomware has two categories based on what it does to the target. These are:
1. Locker Ransomware: The aim of this type of ransomware is to lock the targeted system so that the victim cannot access it.
2. Crypto Ransomware: The aim of this type of malware is to encrypt the data on the target system instead of locking the system, as in the case of Locker Ransomware.
Ransomware has evolved in how it demands the ransom as well. Firstly, the ransom is demanded in cryptocurrency, most commonly in Bitcoin.
Secondly, they use a session concept, where if the ransom is not paid in time, they crash the entire system they have taken hold of.
Predictive Nature or Taxonomy of Ransomware and Malware:
Malware and ransomware creators do not reveal the architecture they follow to construct them. Moreover, these families also change their behaviour dynamically.
The penetration techniques, the encryption mechanisms, the backdoor creation, the encryption and decryption key mechanism, the storage of the generated key used for targeting the systems, and any other behaviours and features change with the progression of time and technology.
The taxonomy below is presented to visualise the minimal behaviour that every malware and ransomware sample has:
Taxonomy diagram: Ransomware enters through emails -> The ransomware is triggered by users -> Ransomware starts penetrating the targeted system -> Resource is encrypted, R1; Resource is encrypted, R2; ...; Resource is encrypted, Rn.
Figure.2 The predictive taxonomy of Ransomware and Malware
RANSOMWARE RELATED BACKGROUND RESEARCH:
Some of the deadliest ransomware families are Bad Rabbit, Ryuk, Troldesh, Locky and many others.
1. Bad Rabbit: This ransomware was first seen in 2017 and used a "drive-by" method; it is a flavour of the Petya and WannaCry malware.
• This ransomware mainly attacks through vulnerable websites via fake Adobe Flash updates [ ], manipulating users into clicking fake advertisements to update Flash Player.
2. RYUK: Ryuk was first discovered in August 2018 but is based on an older ransomware called Hermes, which was sold on underground cyber forums in 2017 [ ]. It gains entry through either Remote Desktop Protocol (RDP) or phishing emails.
• This ransomware spreads through macros in Word .doc files.
3. Troldesh: The Troldesh ransomware is also known as Shade. It often uses a PHP file as the transfer tool for loading onto the host.
Malware dropper (a trojan designed to install some sort of malware program):
hxxp://doolaekhun[.]com/cgi-bin/[redacted].php
• This kind of infected URL is spread via malicious emails or services such as social media; it started spreading through email using infected attachments and links.
• Once the infected JScript URL shown above is clicked, it loads a JScript file onto the victim's system. This infected file is the malware dropper, which loads a JSP file onto the victim's PC and then begins preparing the download of the executable ransomware file.
4. Locky: The Locky crypto ransomware was first discovered in 2015 [ ].
The ransomware enters the victim's system via spam emails that carry the attachment in the form of a PDF. The attached PDF has .DOCM files embedded in it.
The most significant feature of this ransomware is that it checks the target host. It contains a flag which checks whether the targeted system's operating system language is Russian or not. If it is Russian, it does not exploit or encrypt the system [ ].
The most common symptoms that Locky has infected a system are noticeable changes in network speed and system speed.
The Locky ransomware takes advantage of the macros that are usually used to open .doc files. In Windows-based operating systems, these options are enabled by default, which helps the ransomware enter the targeted system easily [ ].
4. Research Methodology
SETTING UP A GAND-CRAB RANSOMWARE NETWORK TRAFFIC ANALYSIS TEST BED ENVIRONMENT
Figure.(3) [1] Ransomware Test Bed Environment.
Ransomware Testbed Environment:
• Dynamic analysis of ransomware needs a secure environment in which to execute the ransomware and monitor its network activities.
• We have designed a testbed that consists of 2 real computers and 2 virtual machines, as represented in Fig. ()
• The aim of this testbed is to execute samples of ransomware and capture their network traffic. These PCAP files are then analysed to extract a collection of network features that describe the communication behaviour between the ransomware and its C&C server (i.e., the attacker).
• The details of the testbed's elements are summarised below:
• PC 1 is used as the victim's system, where the ransomware is injected.
• PC 2 is used as the main firewall machine, which monitors and records network traffic in .pcap files using Wireshark for later analysis.
• PC 3 is used as the attacker's C&C server.
• This is an Asymmetrical Cryptosystem Ransomware attack.
• To analyse this network traffic we use WIRESHARK as a Network Traffic Analyser Tool (NAT) [6].
• To analyse ransomware network traffic, a packet capture file with the .PCAP extension must be obtained from a source. Here we obtain the ransomware traffic named GandCrab from:
• Malware-traffic-analysis.net [8].
• https://www.malware-traffic-analysis.net/2018/11/02/index.html.
GAND-CRAB PCAP FEATURES EXTRACTION:
No. | MCFP ID | File Type | Size (MB) | Hash Value
1. | GANDCRAB RANSOMWARE INFECTION (VERSION 5.0.4) | GANDCRAB RANSOMWARE | 1.3 MB | 7bcdc878a5570936b46eba26551bf2cd084e4d8439c7ccc2851f4d4ca235215c
Table 1. MCFP collected and PCAP file.
GANDCRAB RANSOMWARE ATTACK RESEARCH:
GandCrab ransomware was discovered near the end of January 2018 as part of a Ransomware-as-a-Service (RaaS) operation and soon became the most popular and widespread ransomware of the year [7].
GandCrab spread through multiple sources, via spam mails and exploit kits. GrandSoft and RIG are the most used tools for spreading GandCrab, together with a high volume of malicious spam mails.
GrandSoft and RIG are exploit kits designed to attack systems silently by utilising vulnerabilities present on the victim's machine while it accesses the web. There are three stages in this: landing page, exploit, payload.
Landing Page: It starts with a click on a compromised website that quietly redirects into another web page; after landing on the malicious web page, the exploit stage takes place silently.
Exploit: It uses a vulnerable application in the background to run malware on the victim's machine secretly. Some of the targeted applications include Adobe Flash Player, the Java Runtime Environment (whose exploit is a file) and the web browser, which receives harmful code within suspicious web traffic. If successful, the next step is payload delivery.
Payload: If the exploit succeeds, it sends a payload to infect the victim's system (host). The payload is a file downloader that retrieves other malware, or the intended malware itself.
With many exploit kits, the payload is distributed as encrypted binary code over the network; once on the victim's host, the binary code is executed and encryption begins.
• GandCrab is a type of ransomware which mostly attacks through emails [7].
• These emails contain ZIP archives which, when opened, hold scripts to download and execute GandCrab ransomware. When these files are executed, they decode the URL where GandCrab is hosted, and then the download of the malware to files on disk begins.
It was the first ransomware to use the DASH currency as a ransom payment. Most file-encrypting ransomware families have solely used Bitcoin as the ransom payment method. Lately, some ransomware infections are moving to Monero and even Ethereum.
• DASH currency is designed around privacy, and therefore it has become difficult for law enforcement to trace the owners of the coins.
Figure. (4) [7] DASH Currency as Payment.
Figure. (5) [7] GandCrab Ransomware Logo.
• How GandCrab encrypts a computer:
• When GandCrab is first launched it tries to connect to the ransomware's C&C (Command and Control) server, created by the ransomware's author. This server is organised under Namecoin .bit domains [7], so it has to query a name server that supports that TLD.
• It does this by searching for the addresses of the following domains using nslookup [insert domain] a.dnspod.com. This command queries the a.dnspod.com name server, which supports the .bit TLD, for one of the domains below [7]:
bleepingcomputer.bit
nomoreransom.bit
esetnod32.bit
emsisoft.bit
gandcrab.bit
If the victim's machine is unable to reach the C&C server, the ransomware will not encrypt the PC. It will, though, keep running in the background, trying to obtain the IP address of the C&C server and connect to it.
Once it is able to resolve the domain, it connects to the C&C IP address. It is not known at this time what data is being sent and retrieved, but the C&C server is presumably sending the public key that will encrypt the files.
• During this process, the ransomware connects to the address below to determine the public IP address of the victim: http://ipv4bot.whatismyipaddress.com/ [7]
Before GandCrab encrypts the victim's files, it first checks for certain processes and terminates them. This closes any file handles held open by these processes so that the files can be properly encrypted.
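The DNS behaviour described above (Namecoin .bit lookups for the C&C server, the public-IP check, and the background retry loop) can be turned into a simple detection over DNS query records. This is an added example, not code from the dissertation; the log format, the placeholder resolver address 203.0.113.53 standing in for a.dnspod.com, the clean host 172.16.8.23 and the assumption that 172.16.8.8 is the only permitted resolver are all constructed for it.

```python
"""Added example (not from the dissertation): flag the DNS behaviour described
above, Namecoin .bit C&C lookups, the public-IP check and the background retry
loop, in constructed DNS query records."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Indicators named on the page: the .bit domains the sample resolves to find
# its C&C server, and the host it uses to learn the victim's public IP.
CNC_BIT_DOMAINS = {"bleepingcomputer.bit", "nomoreransom.bit", "esetnod32.bit",
                   "emsisoft.bit", "gandcrab.bit"}
PUBLIC_IP_LOOKUP_HOST = "ipv4bot.whatismyipaddress.com"
# Assumption for this example: the domain controller 172.16.8.8 is the only
# resolver LAN hosts should use. The sample asks a.dnspod.com directly, so a
# query sent to any other resolver is worth flagging on its own.
ALLOWED_RESOLVERS = {"172.16.8.8"}


@dataclass(frozen=True)
class DnsQuery:
    ts: float        # capture time, seconds since the epoch
    src: str         # querying host
    resolver: str    # server the query was sent to
    qname: str       # name asked for, lower-cased, no trailing dot
    answered: bool   # True if a response with an address came back


def parse_dns_log(text):
    """Parse constructed 'ts src resolver qname answered(0/1)' lines."""
    queries = []
    for line in text.strip().splitlines():
        ts, src, resolver, qname, answered = line.split()
        queries.append(DnsQuery(float(ts), src, resolver,
                                qname.rstrip(".").lower(), answered == "1"))
    return queries


def analyse_dns(queries, retry_threshold=3):
    """Return {source host: sorted findings}; hosts with nothing to report are absent."""
    findings = defaultdict(set)
    unanswered = Counter()
    for q in queries:
        if q.qname.endswith(".bit"):
            label = ("known GandCrab C&C domain" if q.qname in CNC_BIT_DOMAINS
                     else "Namecoin .bit TLD")
            findings[q.src].add(f"{q.qname}: {label}")
        if q.qname == PUBLIC_IP_LOOKUP_HOST:
            findings[q.src].add(f"{q.qname}: public IP lookup seen before encryption")
        if q.resolver not in ALLOWED_RESOLVERS:
            findings[q.src].add(
                f"query for {q.qname} sent to external resolver {q.resolver}")
        if not q.answered:
            unanswered[(q.src, q.qname)] += 1
    # The text says the sample keeps retrying in the background until the
    # C&C name resolves; repeated unanswered lookups of one name show that.
    for (src, qname), n in unanswered.items():
        if n >= retry_threshold:
            findings[src].add(f"{qname}: {n} unanswered lookups (background retry loop)")
    return {src: sorted(items) for src, items in findings.items()}


# Constructed records: 172.16.8.195 is the infected host from the page;
# 203.0.113.53 is a placeholder standing in for a.dnspod.com; 172.16.8.23
# is an invented clean host.
SAMPLE_DNS_LOG = """
1541152800.1 172.16.8.195 203.0.113.53 gandcrab.bit 0
1541152805.2 172.16.8.195 203.0.113.53 gandcrab.bit 0
1541152810.3 172.16.8.195 203.0.113.53 gandcrab.bit 0
1541152815.4 172.16.8.195 203.0.113.53 gandcrab.bit 1
1541152816.0 172.16.8.195 172.16.8.8 ipv4bot.whatismyipaddress.com 1
1541152820.0 172.16.8.23 172.16.8.8 www.example.com 1
"""

if __name__ == "__main__":
    for host, items in analyse_dns(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(host)
        for item in items:
            print("  -", item)
```

In a real capture the same records can be exported from Wireshark's DNS dissector (query name, destination and whether a response was seen) rather than typed by hand.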
According to researcher Vitali Kremez, the list of processes that are terminated is:
Figure. (6) [7] The list of Terminated Processes.
• GandCrab will now begin to encrypt the victim's files and will target only certain file extensions, according to researcher Pepper Potts [].
While encrypting files, Kremez's analysis showed that GandCrab will skip any file whose full pathname contains the following strings:
• ProgramData, Program Files, Tor Browser, Ransomware, All Users, Local Settings, desktop.ini, autorun.inf, ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, thumbs.db, GDCB-DECRYPT.txt, .sql
After encrypting files, the ransomware adds the .GDBC extension to the encrypted file's name. For example, t.jpg would be encrypted and renamed to t.jpg.GDBC.
Figure. 7 [7] Encrypted GDBC files.
At some point, the ransomware relaunches itself using the command
"C:\Windows\system32\wbem\wmic.exe" process call create "cmd /c start %Temp%\[launched_file_name].exe"
If the user does not respond Yes to the prompt below, it will continuously display the UAC prompt.
Figure.8 [7] UAC Prompt.
When the ransomware has finished encrypting the system, the victim receives a ransom note on the desktop. This ransom note is a GDBC-DECRYPT.txt file; it contains information about the attack on the victim's files and lists secure TOR website gateways for opening the payment site.
Figure. (9) [7] GandCrab GDBC-DECRYPT.txt Ransom Note
When the listed website is accessed, a site named GandCrab Decryptor appears. This website shows the ransom note information, a DASH link to make the payment and a few other options, as below.
Figure.10 [7] GandCrab Decryptor.
5. Result Analysis
• GandCrab most effective variant
• t.exe and vnc.exe were executed
• Identified from HTTP GET requests
• Traffic statistics analysed
Files and their Hash Values:
S no. | File name | File type | Size in bytes | SHA-256 (Hash Value)
#1 | 2018-11-02-t.exe-from-92.63.197.48.exe | Ransomware | 142,336 bytes | 098aad386b0f549cefddf2001dba9f31f40d88a3618cd3a8d5589b4b0b467342
#2 | 2018-11-02-vnc.exe-from-92.63.197.48.exe | Ransomware | 159,744 bytes | 796a87b9905c52ff7d1da91f2ff980b5dfdb9437a09624ccb4e6d8fe470ea666
#3 | 2018-11-02-GandCrab-ransomware-infection.pcap | Wireshark | 2,214,579 bytes | 7bcdc878a5570936b46eba26551bf2cd084e4d8439c7ccc2851f4d4ca235215c
Table. 2 Files and their Hash Values.
Traffic Statistics
Serial No. | Protocol | Total Packets & Percentage (%)
#1 | DNS Protocol | 279 (6%)
#2 | HTTP Protocol | 2148 (45%)
#3 | HTTPS Protocol | 2279 (48%)
#4 | SMB Protocol | 36 (1%)
Table. 3 Traffic Statistics.
Top Traffic Sources
Figure. 11 Top Traffic Sources (share of traffic by IP address): 92.63.197.48 50%, 172.16.8.1 17%, 172.16.8.8 15%, 205.185.21.10 9%, 194.246.11.10 8%.
Ransomware File Analysis
Figure. 12 [5] Analysis on vnc.exe file
Figure. 13 [5] Analysis on t.exe file
Different Antivirus Ratings
Figure. (15) [5] Different Antivirus Ratings.(t.exe)
Figure. (14) [5] Different Antivirus Ratings.(vnc.exe)
Falcon Sandbox Reports
Figure. (16) [5] Second malicious capture
(vnc.exe)
Figure. (17 ) [5] Second malicious capture (t.exe)
Analysis on HTTP Headers
Figure. (18 ) Malicious vnc.exe HTTP Traffic. Figure. (19) Malicious t.exe HTTP Traffic.
Ransomware Execution
Isolated Machine Display when tested with Gand-crab Ransomware artifacts.
Figure. (20) Isolated machine display screen.
Information Associated with the Ransomware Attack
• The following information has been gathered from the Wireshark .PCAP file analysis.
• IP address of the LAN segment is 172.16.8.0/24 (172.16.8.0 through 172.16.8.255)
• Gateway IP address is 172.16.8.1
• IP address of the domain controller is 172.16.8.8 - GONEAWRY-DC
• Domain name is goneawry.net
• The infected Windows host has IP address 172.16.8.195.
PCAP Analysis
Figure. (21) Filter (http.request or ssl.handshake.type == 1), which selects the GET request packets.
Figure. (22) Filter (tcp.stream eq 49), which selects the GET request where the vnc file was executed.
vnc.exe:
Figure. (23) HTTP object list
• To obtain in-depth information about packets, the HTTP object list option is selected, which shows each packet with its number, hostname and size.
Figure. (24) TCP stream filter
• By applying the TCP stream filter, all malicious TCP packets are filtered and displayed on the screen.
Figure. (26) Graph of time sequence numbers, which shows the flow of network traffic across the X axis and Y axis.
Figure. (25) GET request where the t.exe file was executed.
• The HTTP stream for the file named 't.exe' is also opened, and the required information is analysed from the GET request.
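The traffic statistics table, the top-sources chart and the HTTP object list above are all derived from Wireshark's packet list; the same three views can be rebuilt from packet summaries with a short script. This is an added example, not code from the dissertation: the packet numbers and Info strings are constructed, only the addresses are the ones named on the page, and the destination IP stands in for the Host column that Wireshark's HTTP object list would show.

```python
"""Added example (not from the dissertation): rebuild the traffic-statistics
table, the top-talker ranking and the HTTP object list from constructed
Wireshark-style packet summaries, flagging executables fetched over plain HTTP."""
import ipaddress
from collections import Counter

# Constructed packet summaries in the shape of Wireshark's packet list
# (No., Source, Destination, Protocol, Info). The addresses are the ones named
# on the page; packet numbers and Info strings are invented for this example.
SAMPLE_PACKETS = """\
12 172.16.8.195 172.16.8.8 DNS Standard query A gandcrab.bit
13 172.16.8.8 172.16.8.195 DNS Standard query response
40 172.16.8.195 92.63.197.48 HTTP GET /t.exe HTTP/1.1
41 92.63.197.48 172.16.8.195 HTTP HTTP/1.1 200 OK (application/octet-stream)
42 92.63.197.48 172.16.8.195 TCP [TCP segment of a reassembled PDU]
77 172.16.8.195 92.63.197.48 HTTP GET /vnc.exe HTTP/1.1
78 92.63.197.48 172.16.8.195 HTTP HTTP/1.1 200 OK (application/octet-stream)
90 172.16.8.195 205.185.21.10 TLSv1.2 Client Hello
91 205.185.21.10 172.16.8.195 TLSv1.2 Server Hello
95 172.16.8.195 172.16.8.8 SMB2 Tree Connect Request
"""

# Wireshark labels TLS and SMB by version; fold them into the categories of Table 3.
PROTOCOL_GROUPS = {"TLSv1.2": "HTTPS", "TLSv1.3": "HTTPS", "SMB2": "SMB"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def parse_packets(text):
    """Split each line into (no, src, dst, proto, info); Info keeps its spaces."""
    pkts = []
    for line in text.strip().splitlines():
        no, src, dst, proto, info = line.split(maxsplit=4)
        pkts.append((int(no), src, dst, PROTOCOL_GROUPS.get(proto, proto), info))
    return pkts


def protocol_share(pkts):
    """Packet count and percentage per protocol, as in Table 3."""
    counts = Counter(p[3] for p in pkts)
    total = sum(counts.values())
    return {proto: (n, round(100.0 * n / total, 1)) for proto, n in counts.items()}


def top_sources(pkts, n=5):
    """Most frequent source addresses, as in Figure 11."""
    return Counter(p[1] for p in pkts).most_common(n)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def http_object_list(pkts):
    """HTTP GET requests with client, server and URI, plus reasons the fetch looks risky."""
    objects = []
    for no, src, dst, proto, info in pkts:
        if proto != "HTTP" or not info.startswith("GET "):
            continue
        uri = info.split()[1]
        reasons = []
        if uri.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable fetched over cleartext HTTP")
        # In a real capture the Host header would be checked; here dst stands in for it.
        if _is_ip_literal(dst):
            reasons.append("server addressed by bare IP with no hostname")
        objects.append({"packet": no, "client": src, "host": dst,
                        "uri": uri, "reasons": reasons})
    return objects


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_PACKETS)
    for proto, (n, pct) in protocol_share(pkts).items():
        print(f"{proto:6s} {n:4d} ({pct}%)")
    print("top sources:", top_sources(pkts, 3))
    for obj in http_object_list(pkts):
        print(obj)
```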
Figure. (27) Round trip time graph for IP addresses 92.63.197.48 and 172.16.8.195, for port numbers 80 and 49206 respectively.
Figure. (28) Ransomware malicious activities time stamp.
• The first file shows an alert message, and the sender's IP address is 172.16.8.195. Even for the second alert message the destination IP address is the same, which means the same user executed the attack on the victim. In the given screenshot, the IP address of the victim is '92.63.197.48'.
PCAP file analysis using an online PCAP analyser tool
Figure. (29) First Time Stamp    Figure. (30) Second Time Stamp
6. Conclusion
• In summation, it has been identified that with advancements in technology, many variants of malware can be seen which can affect the internet globally.
• This ransomware analysis shows us how it impacted users globally. This type of malware comes under the ransomware family, where all files were encrypted using an arbitrary extension and can only be decoded using a private key.
• Under the traffic statistics section, the victim's IP address along with its port number, and all other IP addresses and port numbers, were identified; it was identified that the ransomware attack was executed using the vnc and t files with the exe extension.
• It was identified that this attack was executed due to insecure protocols.
7. References
1. A. O. Almashhadani, M. Kaiiali, S. Sezer and P. O'Kane, "A Multi-Classifier Network-Based Crypto Ransomware Detection System: A Case Study of Locky Ransomware", IEEE, 2019.
2. Trend Micro, "Developing Story: COVID-19 Used in Malicious Campaign". https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains
3. "Google: Here's how phishing and malware attacks are evolving". Accessed on: 12 June 2020. https://www.zdnet.com/article/google-heres-how-phishing-and-malware-attacks-are-evolving/
4. Malwarebytes, https://www.malwarebytes.com/ransomware/. Accessed on: 31 Oct 2020.
5. https://hybrid-analysis.com/sample/796a87b9905c52ff7d1da91f2ff980b5dfdb9437a09624ccb4e6d8fe470ea666/5c452db57ca3e10b8232a283
6. R. Shimonski, "Installing Wireshark", The Wireshark Field Guide, pp. 17-31, 2013. Available: 10.1016/b978-0-12-410413-6.00002-4
6. M. M. Ahmadian, H. R. Shahriari and S. M. Ghaffarian, "Connection-monitor & connection-breaker: A novel approach for prevention and detection of high survivable ransomwares", Proc. 12th Int. Iranian Soc. Cryptol. Conf. Inf. Secur. Cryptol. (ISCISC), pp. 79-84, Sep. 2015.
7. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/
8. "Malware-Traffic-Analysis.net - 2018-11-02 - GandCrab ransomware infection (version 5.0.4)", Malware-traffic-analysis.net, 2021. [Online]. Available: https://www.malware-traffic-analysis.net/2018/11/02/index.html. [Accessed: 25 Jun 2021].

Gand crab ransomware analysis

  • 1.
    DISSERTATION ON: NETWORK BASEDGAND-CRAB RANSOMWARE DETECTION THROUGH WIRESHARK TRAFFIC ANALYSIS NAME: TARUN PODURALLA PNUMBER:P2548817 DE MONTFORT UNIVERSITY
  • 2.
    Contents 1. Objectives ofResearch 2. Introduction 3. Literature Review 4. Research Methodology 5. Result Analysis 6. Conclusion 7. References
  • 3.
    1.Objectives of Research TheAssessment of Ransomware. Critical Analysis of the sample in network traffic. Network behavior once the Ransomware enters .
  • 4.
    1.Introduction What is Ransomware: Abstract:The Ransomware is one of the malware type which contains a malicious code that disrupts the normal functionality of IT equipment and demand users to pay money in the form of ransom to get back normal access before a given time. Overview: The project deals with the malware and ransomware sample to find its important characteristics like •Persistency of malware and ransomware. •Downloading files or software from remote system. •Network Poisoning.
  • 5.
    Introduction Project Motivation: •WannaCry attackthat affected the NHS and brought down the employee to pen and paper is one of the motivational elements for studying malware-based project. •Secondly the recent malware attacks that are being attempted on many systems in the form of social engineering attack where the document related to cure for COVID-19 contained malware to hit the target [1] motivated me to go for this malware-based project [1]. Project Objective: •The main objective of this project is to produce standard project which will explain the behaviour of the malware.
  • 6.
    2.LITERATURE REVIEW Types ofRansomware: The ransomware encrypt the files and tries to infect the drives on the network and once the network is infected, the whole section of a company could be brought down by the attack . The crypto ransomware has been categorised as three types.[1] 1. Symmetrical Cryptosystem Ransomware : This deals with the concept of symmetric key cryptography, though it could be mitigated by reverse engineering to obtain the secret key but, the normal process gets distorted for few times. 2. Asymmetrical Cryptosystem Ransomware: These effects the system when the command and control (c & C) server communicates with the system. The private key is withheld with the adversary, and hence the reverse engineering fails to get the key. The adversary is left with no other choice than to pay for ransom.
  • 7.
    Types of Ransomware: 3.Hybrid Cryptosystem Ransomware: The concept of dynamic generated key is used to encrypt the target user’s file. In hybrid key concept, the attacker keeps changing the encryption key. Suppose as the defender is trying to get the encryption key k1, and meanwhile the backdoor has been created by the attacker, the attacker can use another key k2 to perform the encryption. Key: Encryption key Key = k1 (at one instance) Key= k2(at another instance) . . Key = Kn So, its create the value of dynamic key in nature and hence, the defending of malware and ransomware attack in case of dynamic key is tougher than the static key-based malware or ransomware.
  • 8.
    Figure.1 [1] Cryptoransomware network communications(a) Symmetrical encryption, (b) Asymmetrical encryption
  • 9.
    Categories of Ransomware: Theransomware has two categories based on the encryption of the target. These are: 1. Locker Ransomware: The aim of these type of ransomware is used to lock the targeted system from being accessed by the victim. 2. Crypto Ransomware: The aim of these type of malware is to encrypt the data on the target system instead of locking the system as that of the case of Locker Ransomware. The ransomware has evolved in demanding the ransom as well. Firstly, they are demanding ransom in cryptocurrency and moreover in bitcoin. Secondly, they are using the session concept, where if the ransom is not paid in time, they crash the entire system which they have hold off.
  • 10.
    Predictive nature orTaxonomy of Ransomware and Malware: The malware and ransomware creator does not reveal the architecture which they follow to construct them. Moreover, these are also dynamically changing their behaviours. The penetration techniques, the encryption mechanisms, the backdoor creation, the encryption and decryption key mechanism, the storage of generated key used for targeting the systems and any other behaviours and features are changing with the progression of time and technologies. The taxonomy below is presented to visualise the minimal behaviour that every malware and ransomware have:
  • 11.
    Resource is encrypted, R1 Resource is encrypted, R2 The Ransomware istriggered by Users. Ransomware starts penetrating in targeted System Resource is encrypted, Rn Ransomware enters through emails. Figure.2 The predictive taxonomy of Ransomware and Malware
  • 12.
    RANSOMWARE RELATED BACKGROUND RESEARCH: Someof the deadliest ransomwares are, Bad Rabbit, Ryuk, Troldesh, Locky and many others. 1. Bad Rabbit: This ransomware was first seen in the year 2017 and it used a method called “drive-by” which is a flavour of Petya and WannaCry Malware. •This Ransomware mainly attacks through vulnerable websites through fake Adobe Flash Updates[ ] by manipulating users to click on fake advertisements to update Flash Player. 2. RYUK: Ryuk was first discovered in August 2018 but based on older Ransomware called Hermes which was sold on underground cyber forums in 2017. [ ] It initiates through either Remote Desktop Protocol (RDP) or phishing emails. •This ransomware spreads through macros in word .doc
  • 13.
    RANSOMWARE RELATED BACKGROUND RESEARCH: 3.Troldesh: The Troldesh ransomware is also known as Shade. Which often uses a PHP file as a transfer tool for loading the host. Malware Dropper (It is a trojan that is designed to install some sort of malware program). hxxp://doolaekhun[.]com/cgi-bin/[redacted].php •This kind of affected URL is made spread via malicious emails or using services like social media and it started spreading through email using infected attachments and links. •Once we click affected Jscript URL’S as shown above it loads a Jscript file to the victim’s system. This infected file is Malware Dropper which loads jsp file into victim’s pc then it begins the process of preparing the download of executable ransomware file.
  • 14.
    RANSOMWARE RELATED BACKGROUND RESEARCH: Locky:The Locky Crypto ransomware was first discovered in the year 2015 [ ]. The ransomware used to enter the victim’s system using the spam emails and then it sends the attachment in the form of PDF. This in attached PDF is embedded with .DOCM files. The most significant nature of this ransomware is to check the target hosts. It contains a flag which checks if the targeted system contains Russian Operating System Language or not. If its Russian, it does not exploit the or encrypts the system [ ]. The most common symptoms that Locky has infected the system is by sighting the network speed and system’s speed. The Locky Ransomware takes advantage of the macro that is usually used to open and doc file. In Windows based operating system, these options are by default enabled and thus helps the ransomware to enter the targeted system easily [ ].
  • 15.
    4. Research Methodology SETTINGUPA GAND-CRAB RANSOMWARE NETWORK TRAFFIC ANALYSIS TEST BED ENVIRONMENT Figure.(3) [1] Ransomware Test Bed Environment.
  • 16.
    Ransomware Testbed Environment: Dynamic analysis of ransomware needs secure surroundings to execute and monitor the ransomware’s network activities.  we have designed a testbed that consists of 2 real computers and 2 virtual machines as represented in Fig. ()  The aim of this testbed is to execute samples of ransomware and capture their network traffic. These PCAP files area unit then analysed to extract a collection of network options that describe the communication behaviour between the ransomware and its C&C server (i.e., attacker)  The small print of the testbed’s elements area unit summarized below: PC1 is used as a victim’s system, where the ransomware is injected.  PC 2 is used as a main Firewall machine which is used to monitor watch and record network traffic in .pcap files using Wireshark for future analysis.
  • 17.
    Ransomware Testbed Environment: PC 3 is used as an attacker C&C server.  This is an Asymmetrical Cryptosystem Ransomware attack.  To analyse this network traffic we use WIRESHARK as a Network Traffic Analyser Tool (NAT).[6]  But to analyse a Ransomware network traffic a packet capture file in extension. PCAP should be obtained from source. Here we are obtaining Ransomware traffic named GandCrab from • Malware-traffic-analysis.net [8]. • https://www.malware-traffic-analysis.net/2018/11/02/index.html.
  • 18.
    GAND-CRAB PCAP FEATURES EXTRACTION: NO.MCFP ID File Type SIze(MB) Hash Value 1. GANDCRAB RANSOMWARE INFECTION (VERSION 5.0.4) GANDCRAB RANSOMWA-RE 1.3MB 7bcdc878a5570936b46eba26551bf2cd084e4d8439c7ccc28 51f4d4ca235215c Table 1. MCFP collected and PCAP file.
  • 19.
    GANDCRAB RANSOMEWARE ATTACK RESEARCH: GandCrabransomware was discovered near the end of January 2018 as a part of Ransomware-as-a- Service (RaaS) and soon became the most popular and widespread ransomware of the year.[7] GandCrab spread through multiple sources via spam mails and exploit kits. Grandsoft and RIG are mostly used tools for spreading Gandcrab with high volume of malicious spam mails. Grandsoft and RIG are an exploit kit which is designed to attack systems silently by utilizing the vulnerabilities present on victim’s machine while accessing the web. There are three stages in this Landing page, Exploit, Payload. Landing Page: It starts with a click on compromised websites by delicately landing into another webpage after landing into malicious web page the exploit part takes place softly. Exploit: It uses a vulnerable application in background to run malware on victim’s machine secretly. Some of the targeted applications include Adobe Flash Player, Java Runtime Environment whose exploit is a file and web browser, which sends harmful code from with suspicious web traffic. If Successful next step is payload delivery.
  • 20.
    GANDCRAB RANSOMEWARE ATTACK RESEARCH: Payload:If Exploit becomes successful it sends a payload to infect victim’s system (host). The payload is a file downloader that retrieves different malware or the meant malware itself. With a lot of exploit kits, the payload is distributed as encrypted binary code over the network, which then once on the victim’s machine host, the binary code gets executed and encryption begins.  GandCrab is a type of ransomware which mostly attacks through emails.[7] • These emails which contains ZIP archives when opened it has scripts to download GandCrab ransomware and execute it, when these files are executed, it decodes the url where GandCrab is hosted then download of malware to the files on disk begins.
  • 21.
    GANDCRAB RANSOMEWARE ATTACK RESEARCH: Itwas a first ransomware is to use DASH currency as a ransom payment. Most file encrypting ransomware families have solely used Bitcoin as the ransom payment methodology. Lately, some ransomware infections are moving to Monero and even Ethereum.  DASH currency is designed around privacy and therefore it has become difficult for enforcements to trace the house owners of the coins. Figure. (4) [7] DASH Currency as Payment.
  • 22.
    Figure. (5) [7]GandCrab Ransomware Logo.
  • 23.
    GANDCRAB RANSOMWARE ATTACK RESEARCH: How GandCrab encrypts a computer: • When GandCrab is first launched it tries to connect to the ransomware's C&C (Command and Control) server, set up by the ransomware author. This server is registered under Namecoin's .bit domains [7], so the malware must be pointed at a name server that supports that TLD. • It does this by looking up the following domains with nslookup [insert domain] a.dnspod.com. This command asks the a.dnspod.com name server, which supports the .bit TLD, for one of the domains below.[7] bleepingcomputer.bit nomoreransom.bit esetnod32.bit emsisoft.bit gandcrab.bit
  • 24.
    GANDCRAB RANSOMWARE ATTACK RESEARCH: If the victim's machine is unable to connect to the C&C server, the ransomware will not encrypt the PC. It will, though, keep running in the background, trying to resolve the IP address of the C&C and connect to it. Once it is able to resolve the domain, it connects to the C&C IP address. It is not known at this time exactly what data is sent and retrieved, but the C&C is presumably sending the public key that will encrypt the files. During this process the ransomware also connects to the address below to determine the public IP address of the victim: http://ipv4bot.whatismyipaddress.com/ .[7] Before GandCrab encrypts the victim's files it first checks for certain processes and terminates them. This closes any file handles held open by those processes so that the files can be properly encrypted.
  • 25.
    GANDCRAB RANSOMWARE ATTACK RESEARCH: According to researcher Vitali Kremez, the processes that are terminated are listed in Figure (6). Figure. (6) [7] The list of Terminated Processes.
  • 26.
    GANDCRAB RANSOMWARE ATTACK RESEARCH: GandCrab will now begin to encrypt the victim's files, targeting only certain file extensions. According to Researcher Pepper Potts []. While encrypting files, Kremez's analysis showed that GandCrab skips any file whose full pathname contains one of the following strings: ProgramData, Program Files, Tor Browser, Ransomware, All Users, Local Settings, desktop.ini, autorun.inf, ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, thumbs.db, GDCB-DECRYPT.txt, .sql
  • 27.
    GANDCRAB RANSOMWARE ATTACK RESEARCH: After encrypting a file, the ransomware adds the .GDBC extension to the encrypted file's name. For example, t.jpg would be encrypted and renamed t.jpg.GDBC. Figure. 7 [7] Encrypted GDBC files.
  • 28.
    GANDCRAB RANSOMWARE ATTACK RESEARCH: At some point the ransomware relaunches itself using the command "C:\Windows\system32\wbem\wmic.exe" process call create "cmd /c start %Temp%\[launched_file_name].exe". If the user does not respond Yes to the prompt below, it will keep displaying the UAC prompt. Figure.8 [7] UAC Prompt.
  • 29.
    GANDCRAB RANSOMWARE ATTACK RESEARCH: When the ransomware has finished encrypting the system, the victim finds the ransom note on the desktop. The ransom note is the file GDBC-DECRYPT.txt; it contains information about the attack on the victim's files and lists secure TOR website gateways for opening the payment site. Figure. (9) [7] GandCrab GDBC-DECRYPT.txt Ransom Note
  • 30.
    GANDCRAB RANSOMWARE ATTACK RESEARCH: When the listed website is accessed, a site named GandCrab Decryptor appears. This website shows the ransom note information, a DASH link for making the payment and a few other options, as below. Figure.10 [7] GandCrab Decryptor.
  • 31.
    5. Result Analysis. GandCrab: Most Effective Variant. T.exe and VNC.exe were executed; identified from HTTP GET requests; traffic statistics analysed.
  • 32.
    5. Result Analysis. Files and their Hash Values: Table. 2 Files and their Hash Values.
    S no. | File name | File type | Size in bytes | SHA-256 (Hash Value)
    #1 | 2018-11-02-t.exe-from-92.63.197.48.exe | Ransomware | 142,336 bytes | 098aad386b0f549cefddf2001dba9f31f40d88a3618cd3a8d5589b4b0b467342
    #2 | 2018-11-02-vnc.exe-from-92.63.197.48.exe | Ransomware | 159,744 bytes | 796a87b9905c52ff7d1da91f2ff980b5dfdb9437a09624ccb4e6d8fe470ea666
    #3 | 2018-11-02-GandCrab-ransomware-infection.pcap | Wireshark | 2,214,579 bytes | 7bcdc878a5570936b46eba26551bf2cd084e4d8439c7ccc2851f4d4ca235215c
  • 33.
    Traffic Statistics. Table. 3 Traffic Statistics.
    Serial No. | Protocol | Total Packets & Percentage (%)
    #1 | DNS Protocol | 279 (6%)
    #2 | HTTP Protocol | 2148 (45%)
    #3 | HTTPS Protocol | 2279 (48%)
    #4 | SMB Protocol | 36 (1%)
  • 34.
    Top Traffic Sources. Figure. 11 Top Traffic Sources (bar chart of the share of traffic by IP address: 92.63.197.48 50%, 172.16.8.1 17%, 172.16.8.8 15%, 205.185.21.10 9%, 194.246.11.10 8%).
  • 35.
    Ransomware File Analysis. Figure. 12 [5] Analysis on vnc.exe file. Figure. 13 [5] Analysis on t.exe file.
  • 36.
    Different Antivirus Ratings. Figure. (14) [5] Different Antivirus Ratings (vnc.exe). Figure. (15) [5] Different Antivirus Ratings (t.exe).
  • 37.
    Falcon Sandbox Reports. Figure. (16) [5] Second malicious capture (vnc.exe). Figure. (17) [5] Second malicious capture (t.exe).
  • 38.
    Analysis on HTTP Headers. Figure. (18) Malicious vnc.exe HTTP Traffic. Figure. (19) Malicious t.exe HTTP Traffic.
  • 39.
    Ransomware Execution. Isolated machine display when tested with the GandCrab ransomware artifacts. Figure. (20) Isolated machine display screen.
  • 40.
    Information Associated with Ransomware Attack. The following information has been gathered from the Wireshark .PCAP file analysis. • IP address of the LAN segment is 172.16.8.0/24 (172.16.8.0 through 172.16.8.255) • Gateway IP address is 172.16.8.1 • IP address of the domain controller is 172.16.8.8 (GONEAWRY-DC) • Domain name is goneawry.net • The infected Windows host has IP address 172.16.8.195.
  • 41.
    PCAP Analysis. Figure. (21) The display filter '(http.request or ssl.handshake.type == 1)', which selects the GET request packets. Figure. (22) The filter 'tcp.stream eq 49', which selects the TCP stream containing the GET request through which the vnc file was executed. Vnc.exe:
  • 42.
    PCAP Analysis. Figure. (23) HTTP object list. To obtain in-depth information about the packets, the HTTP object list option is selected, which shows each packet with its number, hostname and size. Figure. (24) TCP stream filter. By applying the TCP stream filter, all the malicious TCP packets are filtered and displayed on the screen.
  • 43.
    PCAP Analysis. Figure. (25) GET request through which the t.exe file was executed. The HTTP stream for the file named 't.exe' is also opened and the required information is analysed from the GET request. Figure. (26) Time-sequence graph, which shows the flow of network traffic on the X and Y axes.
  • 44.
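    The triage on these PCAP analysis slides (filtering HTTP requests, picking out the GET requests that fetched the executables, noting their TCP stream numbers in order to follow them, and the protocol statistics of Table 3) can be repeated over a tshark field export so that it is scriptable and repeatable. The following Python is an added example written for this page, not code from the dissertation or from any cited tool. It assumes tab-separated exports of the form produced by tshark's `-T fields` output (field names `frame.number`, `tcp.stream`, `ip.src`, `ip.dst`, `http.host`, `http.request.method`, `http.request.uri` and `_ws.col.Protocol`); the sample records embedded in it are constructed for the example and are not taken from the analysed capture. It goes slightly beyond the slides by recognising a small set of executable extensions rather than .exe alone.

```python
"""Added example: scriptable version of the PCAP triage steps on the slides,
run over tshark field exports (sample records are constructed, not captured).

Assumed inputs, one tab-separated record per line:
  HTTP requests:
    tshark -r capture.pcap -Y http.request -T fields -e frame.number -e tcp.stream \
           -e ip.src -e ip.dst -e http.host -e http.request.method -e http.request.uri
  Protocol column per frame:
    tshark -r capture.pcap -T fields -e frame.number -e _ws.col.Protocol
"""
from collections import Counter

# .exe is what the slides found; the others generalise the same check.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".msi")

# Constructed sample: frame.number, tcp.stream, ip.src, ip.dst, http.host, method, uri.
# 198.51.100.7 / www.example.com is a constructed benign server.
SAMPLE_HTTP_REQUESTS = """\
77\t3\t172.16.8.195\t198.51.100.7\twww.example.com\tGET\t/style.css
1203\t49\t172.16.8.195\t92.63.197.48\t92.63.197.48\tGET\t/vnc.exe
1350\t50\t172.16.8.195\t92.63.197.48\t92.63.197.48\tGET\t/favicon.ico
1890\t53\t172.16.8.195\t92.63.197.48\t92.63.197.48\tGET\t/t.exe
"""

# Constructed sample: frame.number, _ws.col.Protocol (ten frames).
SAMPLE_PROTOCOLS = """\
1\tDNS
2\tDNS
3\tHTTP
4\tHTTP
5\tHTTP
6\tTLSv1.2
7\tTLSv1.2
8\tTLSv1.2
9\tTLSv1.2
10\tSMB
"""


def parse_tsv(text):
    """Yield the tab-separated fields of each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield line.rstrip("\n").split("\t")


def executable_downloads(http_text):
    """Return the GET requests whose URI names an executable.

    This is the hand-filtering of the HTTP object list described on the
    slides: keep only GETs and only URIs ending in an executable extension
    (query strings are ignored when testing the extension)."""
    rows = []
    for frame, stream, src, dst, host, method, uri in parse_tsv(http_text):
        path = uri.lower().split("?")[0]
        if method == "GET" and path.endswith(EXECUTABLE_EXTENSIONS):
            rows.append({"frame": int(frame), "stream": int(stream), "src": src,
                         "dst": dst, "host": host, "uri": uri})
    return rows


def stream_filters(downloads):
    """Wireshark display filters to follow each suspicious stream, e.g. 'tcp.stream eq 49'."""
    return [f"tcp.stream eq {s}" for s in sorted({d["stream"] for d in downloads})]


def download_sources(downloads):
    """Count executable downloads per serving IP (the top-traffic-source view)."""
    return dict(Counter(d["dst"] for d in downloads))


def count_protocols(proto_text):
    """Count frames per value of the Wireshark Protocol column."""
    counts = Counter()
    for _frame, proto in parse_tsv(proto_text):
        counts[proto] += 1
    return counts


def protocol_breakdown(counts):
    """Return (protocol, packets, percent) rows, largest first, with the
    percentage rounded to a whole number as in Table 3."""
    total = sum(counts.values())
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(proto, n, round(100 * n / total)) for proto, n in ordered]


if __name__ == "__main__":
    found = executable_downloads(SAMPLE_HTTP_REQUESTS)
    for row in found:
        print(f"frame {row['frame']}: {row['src']} -> {row['dst']} GET {row['uri']}")
    print("follow with:", ", ".join(stream_filters(found)))
    print("per server:", download_sources(found))
    for proto, n, pct in protocol_breakdown(count_protocols(SAMPLE_PROTOCOLS)):
        print(f"{proto:8s} {n:5d} ({pct}%)")
```

    On the constructed sample the two executable GETs (/vnc.exe in stream 49 and /t.exe in stream 53) are the only rows returned, both served from 92.63.197.48, and the follow-up filters are exactly the 'tcp.stream eq N' expressions used on the slides. Feeding protocol_breakdown the packet counts of Table 3 (DNS 279, HTTP 2148, HTTPS 2279, SMB 36) reproduces the table's 6%, 45%, 48% and 1%.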
    PCAP Analysis. Figure. (27) Round-trip time graph for IP addresses 92.63.197.48 and 172.16.8.195 on port numbers 80 and 49206, respectively.
  • 45.
    PCAP Analysis. Figure. (28) Ransomware malicious activities time stamp. The first file shows an alert message and the sender's IP address is 172.16.8.195. For the second alert message the destination IP address is the same, which means the same user executed the attack on the victim. In the given screenshot, the IP address of the victim is '92.63.197.48'.
  • 46.
    PCAP file analysis using an online PCAP analyser tool. Figure. (29) First Time Stamp. Figure. (30) Second Time Stamp.
  • 47.
    6. Conclusion. In summation, it has been identified that with the advancements in technology, many variants of malware can be seen which can affect the internet globally. This ransomware analysis shows how it impacted users globally. This type of malware comes under the ransomware family, where all files were encrypted using an arbitrary extension and can only be decrypted using a private key. Under the traffic statistics section, the victim's IP address along with its port number, and all the other IP addresses and port numbers, were identified; it was established that the ransomware attack was executed using the vnc and t files with the exe extension. It was identified that the attack was executed due to insecure protocols.
  • 48.
    7. References
    1. Ahmad O. Almashhadani, Mustafa Kaiiali, Sakir Sezer and Philip O'Kane, "A Multi-Classifier Network-Based Crypto Ransomware Detection System: A Case Study of Locky Ransomware", IEEE, 2019.
    2. Trend Micro, "Developing Story: COVID-19 Used in Malicious Campaign". https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains
    3. "Google: Here's how phishing and malware attacks are evolving". Accessed on: 12 June 2020. https://www.zdnet.com/article/google-heres-how-phishing-and-malware-attacks-are-evolving/
    4. Malwarebytes, https://www.malwarebytes.com/ransomware/. Accessed on: 31 Oct 2020.
    5. https://hybrid-analysis.com/sample/796a87b9905c52ff7d1da91f2ff980b5dfdb9437a09624ccb4e6d8fe470ea666/5c452db57ca3e10b8232a283
    6. R. Shimonski, "Installing Wireshark", The Wireshark Field Guide, pp. 17-31, 2013. Available: 10.1016/b978-0-12-410413-6.00002-4
  • 49.
    6. M. M. Ahmadian, H. R. Shahriari and S. M. Ghaffarian, "Connection-monitor & connection-breaker: A novel approach for prevention and detection of high survivable ransomwares", Proc. 12th Int. Iranian Soc. Cryptol. Conf. Inf. Secur. Cryptol. (ISCISC), pp. 79-84, Sep. 2015.
    7. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/
    8. "Malware-Traffic-Analysis.net - 2018-11-02 - GandCrab ransomware infection (version 5.0.4)", Malware-traffic-analysis.net, 2021. [Online]. Available: https://www.malware-traffic-analysis.net/2018/11/02/index.html. [Accessed: 25 Jun 2021].

Editor's Notes

  • #32 Introduction Ransomware is considered the most effective variant of the malware family, allowing attackers to compromise highly confidential data assets using RAT functionality. This project laid emphasis on GandCrab ransomware, where two files named t.exe and vnc.exe were executed to compromise data. When the analysis was performed, it was identified from the HTTP GET requests that these two files had been executed. Furthermore, using online tools and Wireshark, an in-depth analysis was performed to identify how and when this malware was executed and its efficacy rate. The traffic statistics were also scrutinised and all the relevant protocols were identified with their packet counts. All the steps undertaken to analyse this type of malware are given in this presentation.
  • #33 Files and their Hash Values This slide shows the files and their respective SHA-256 hash values.
  • #34 Traffic Statistics The table given in this slide shows the traffic statistics for each protocol with its percentage.
  • #35 Top Traffic Sources The top traffic sources identified from the captured pcap file are given.
  • #36 Ransomware File Analysis Mainly, two files were identified from the packet capture and recovered from the system. Using an online analysis tool, a file named VNC.exe was identified and its source IP was checked. Subsequently, another file, named t.exe, was identified along with its source IP address.
  • #39 Analysis on HTTP Headers As the pcap file was available, the HTTP headers were analysed and the host IP address was identified. Two screenshots are attached which show the HTTP headers for the files t.exe and vnc.exe that executed the ransomware attack.
  • #40 Ransomware Execution To check this ransomware, the files were executed in an isolated environment and the output is attached.
  • #41 Information Associated with Ransomware Attack IP address of the LAN segment is 172.16.8.0/24 (172.16.8.0 through 172.16.8.255). Gateway IP address is 172.16.8.1. IP address of the domain controller is 172.16.8.8 (GONEAWRY-DC). Domain name is goneawry.net. The infected Windows host has IP address 172.16.8.195.
  • #42 PCAP Analysis The filter '(http.request or ssl.handshake.type == 1)' is entered to select all packets with GET requests. The HTTP stream option is then selected, and it can be identified that the VNC.exe file was executed.
  • #44 PCAP Analysis The TCP stream for the other file was scrutinised in Wireshark. A throughput graph generated by Wireshark is given in this slide.
  • #47 PCAP file analysis using PCAP analyser tool This slide shows how the pcap file was analysed using a PCAP analyser tool, together with the timestamps of both malicious files. The attached screenshots show the target IP address along with the alert type and message.
  • #49 References