GandCrab String Decryptor

IDC script for IDA that decrypts the RC4-encrypted strings embedded in GandCrab samples and annotates the disassembly with the plaintext.

Tested with GandCrab v5.1 (DLL), v5.2 (EXE) and v5.3 (EXE).

SHA-256 hashes of the test samples:

How it works

The script first tries to locate the string decryption function. Every embedded string passes through it, so it is expected to be one of the most heavily called functions in the binary, and it is short. The function takes a single argument, a pointer to a structure from which it reads the key, the length of the encrypted data and the encrypted data itself. The cipher is RC4, as the screenshots below show:

String decryption function

RC4 decryption

The script then walks the cross-references to the decryption function and, at each call site, rebuilds the argument structure from the "mov" instructions that store immediate values into the local (stack) variables (see picture below). With the key, length and ciphertext recovered, it decrypts the data with RC4 and checks whether the result is an ASCII or a Unicode (UTF-16LE) string. Finally, the script attaches the decrypted value as a comment at the call site:

RC4 decryption

RC4 decryption
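A worked model of the pipeline described above, written for this page as an added Python example; it is not the repository's IDC script and runs without IDA. It reassembles a stack-built argument buffer from `mov <size> ptr [ebp-N], imm` stores found in a listing, parses it, decrypts with RC4 and classifies the result as ASCII or UTF-16LE. The blob layout (one-byte key length, key, little-endian 32-bit data length, ciphertext), the `[ebp-N]` addressing and the sample listing are assumptions made for the example, since the page does not document GandCrab's exact structure; the listing is generated from a constructed blob so that the round trip is self-consistent.

```python
import re
import struct

# Assumed blob layout for this example (the page does not document GandCrab's
# exact structure): key_len (u8) | key | data_len (u32 LE) | RC4 ciphertext.
MOV_RE = re.compile(
    r"\bmov\s+(byte|word|dword)\s+ptr\s+\[ebp-0x([0-9a-f]+)\]\s*,\s*0x([0-9a-f]+)",
    re.IGNORECASE,
)
WIDTH = {"byte": 1, "word": 2, "dword": 4}

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR with the PRGA keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def build_blob(key: bytes, plaintext: bytes) -> bytes:
    """Constructed test input: encrypt plaintext and wrap it in the assumed layout."""
    ct = rc4(key, plaintext)
    return bytes([len(key)]) + key + struct.pack("<I", len(ct)) + ct

def blob_to_listing(blob: bytes, top_off: int) -> list:
    """Constructed sample disassembly: the immediate stores that would place
    `blob` on the stack starting at [ebp-top_off] (top_off must exceed len(blob))."""
    lines, pos = [], 0
    while pos < len(blob):
        width = 4 if len(blob) - pos >= 4 else 2 if len(blob) - pos >= 2 else 1
        imm = int.from_bytes(blob[pos:pos + width], "little")
        size = {4: "dword", 2: "word", 1: "byte"}[width]
        lines.append(f"mov {size} ptr [ebp-0x{top_off - pos:x}], 0x{imm:x}")
        pos += width
    return lines

def reassemble_stack_buffer(listing) -> bytes:
    """Rebuild a buffer written to the stack by immediate stores, in any store
    order; bytes that were never written are filled with zero."""
    cells = {}
    for line in listing:
        m = MOV_RE.search(line)
        if not m:
            continue  # not an immediate store into a local variable: ignore
        width = WIDTH[m.group(1).lower()]
        off = int(m.group(2), 16)   # displacement below ebp
        imm = int(m.group(3), 16)
        for k, b in enumerate(imm.to_bytes(width, "little")):
            cells[k - off] = b      # byte address relative to ebp
    if not cells:
        return b""
    lo, hi = min(cells), max(cells)
    return bytes(cells.get(a, 0) for a in range(lo, hi + 1))

def parse_blob(blob: bytes):
    """Split the assumed layout into (key, ciphertext), refusing truncated data."""
    key_len = blob[0]
    key = blob[1:1 + key_len]
    (data_len,) = struct.unpack_from("<I", blob, 1 + key_len)
    start = 1 + key_len + 4
    data = blob[start:start + data_len]
    if len(key) != key_len or len(data) != data_len:
        raise ValueError("blob truncated: length field larger than available bytes")
    return key, data

def classify(plain: bytes):
    """Decide whether the decrypted bytes are an ASCII or a UTF-16LE string."""
    narrow = plain.rstrip(b"\x00")
    if narrow and all(0x20 <= b < 0x7F for b in narrow):
        return "ascii", narrow.decode("ascii")
    wide = plain
    while wide.endswith(b"\x00\x00"):   # strip the wide terminator in pairs
        wide = wide[:-2]
    if wide and len(wide) % 2 == 0 and all(
        wide[i + 1] == 0 and 0x20 <= wide[i] < 0x7F for i in range(0, len(wide), 2)
    ):
        return "utf-16le", wide.decode("utf-16le")
    return "binary", plain.hex()

def decrypt_from_listing(listing):
    """Per call site: rebuild the argument, decrypt it, classify the plaintext."""
    key, ct = parse_blob(reassemble_stack_buffer(listing))
    return classify(rc4(key, ct))

if __name__ == "__main__":
    sample = build_blob(b"gc", b"kernel32.dll\x00")
    listing = ["lea eax, [ebp-0x40]"] + blob_to_listing(sample, 0x40)
    listing += ["push eax", "call sub_401000"]   # sub_401000 is a placeholder name
    print(decrypt_from_listing(listing))
```

The regex deliberately requires the `byte/word/dword ptr` size so that a store's width is known when the bytes are placed; a real call site may also build the buffer with register moves or `rep movs`, which this model does not follow.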