2014-10-01 - CRYPTOWALL 2.0 RANSOMWARE INFECTION FROM FAKE IRS EMAIL

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-10-01-CryptoWall-2.0-ransomware-infection-on-a-VM.pcap.zip
• 2014-10-01-CryptoWall-2.0-ransomware-infection-from-sandbox-analysis.pcap.zip
• 2014-10-01-CryptoWall-2.0-ransomware-sample.zip

 

NOTES:

• 564 kB of encrypted data was downloaded by the malware.  That might be the actual CryptoWall ransomware, but I couldn't find any dropped files related to that on the infected VM.
• The BitCoin address for the ransom payment is:  1GBwm6vBKWdVMbwduMBsdAvURShqQfh1Ew
• I can't remember any previous CryptoWall ransomware example calling itself "CryptoWall 2.0" as seen in today's VM infection:

 

EXAMPLE OF THE EMAILS

SCREENSHOTS:

 

MESSAGE TEXT:

Received: from static.vdc.vn (static.vdc[.]vn [113.161.198[.]196] (may be forged))

From: IRS Complaint <complaint-copy@irs[.]gov>
Date: Wednesday, October 1, 2014 at 12:39 UTC
To:
Subject: Complaint

We received a complaint from you. is it true? (I sent copy of it in attachment)

Received: from HZYZBRWYXN ([114.203.105[.]188])

From: IRS Complaint <complaint-copy@irs[.]gov>
Date: Wednesday, October 1, 2014 at 12:39 UTC
To:
Subject: Copy of the complaint

There are details of the complaint in attachment.

Received: from ([81.137.205[.]62])

From: IRS Complaint <complaint-copy@irs[.]gov>
Date: Wednesday, October 1, 2014 at 13:28 UTC
To:
Subject: Complaint to the IRS

Hi, I am received a complaint. you wrote it? (See attachment)

Received: from QHYCGGETN ([72.54.201[.]18])

From: IRS Complaint <complaint-copy@irs[.]gov>
Date: Wednesday, October 1, 2014 at 14:31 UTC
To:
Subject: Complaint to the IRS

We received a complaint from you. is it true? (I sent copy of it in attachment)

Received: from rrcs-67-78-159-70.se.biz.rr[.]com (67.78.159[.]70)

From: IRS Complaint <complaint-copy@irs[.]gov>
Date: Wednesday, October 1, 2014 at 15:57 UTC
To:
Subject: Copy of the complaint

Hi, I am received a complaint. you wrote it? (See attachment)

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  Complaint_IRS_id-12839182.zip
File size:  199,121 bytes
MD5 hash:  ea4df0aa8ed7ac496482480da3ac8608
Detection ratio:  22 / 54
First submission:  2014-10-01 12:14:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7293fa4fcba16746926947d6262f9e43cd87cc52a21a0d9a5c5e96d33a4dd2e2/analysis/

 

EXTRACTED MALWARE:

File name:  Complaint_IRS_id-12839182.scr
File size:  278,566 bytes
MD5 hash:  31c2d25d7d0d0a175d4e59d0b3b2ec94
Detection ratio:  17 / 55
First submission:  2014-10-01 12:17:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a0454c319093a3c5e4ce84569de9a680aa4028c208f9607880967d43f3b22666/analysis/

 

SCREENSHOTS AND INFO FROM THE TRAFFIC

Sandbox analysis:   2014-10-01 22:09:34 UTC - 65.19.161[.]34 port 80 - eportfolio.ccpullman[.]ca - GET /blog/eo7ycomyy

No event triggered on this line for VRT, ET, or ETPRO signatures (that I could tell)

 

From my infected VM pcap:   2014-10-01 22:07:48 UTC - 42.62.40[.]145 port 80 - www.meihuainfo[.]com - GET /wp-content/themes/mh/3sbgwh

Triggered rule:  ET TROJAN Unknown Locker DL URI Struct Jul 25 2014 (sid:2018787)

 

Decrypt instructions (specifying this is CryptoWall 2.0):

 

After installing a tor browser, I got the captcha for the decrypt service:

 

Which takes us to the ransom payment page:

 

Click here to return to the main page.