2014-11-14 - PHISHING EMAIL CAUSES CRYPTOWALL 2.0 INFECTION

ASSOCIATED FILES:

 

NOTES:

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

From: Administrator <Administrator@tomokuhus.se>
Date: Thursday, November 13, 2014 at 23:00 UTC
To:
Subject: Internal ONLY

**********Important - Internal ONLY**********

File Validity: 09/10/2014
Company : http://tomokuhus.se
File Format: Adobe Reader
Legal Copyright: Adobe Corporation.
Original Filename: Internal.pdf

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s). This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from your system and destroy all copies of it.

Attachment: internal_04531572.zip (286.4 KB)

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  internal_04531572.zip
File size:  212.0 KB ( 217133 bytes )
MD5 hash:  57ad85363a21c1206701aa7f40717fb6
Detection ratio:  35 / 55
First submission:  2014-11-13 21:12:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/23c5dafd2d07e30a038a9c99e89aa25c417e48315947593e5e1661420084f801/analysis/

 

EXTRACTED MALWARE:

File name:  internal_04531572.scr
File size:  244.0 KB ( 249856 bytes )
MD5 hash:  796fdae3b1476ed20cdac74ca9d40973
Detection ratio:  36 / 55
First submission:  2014-11-13 21:13:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b/analysis/
Malwr link:  https://malwr.com/analysis/NjI2NDAwYmZlNzk1NDJhZTk4ZmNkMDJjNTE0OGMzZTE/

 

TRAFFIC FROM AN INFECTED VM

RUNNING THE MALWARE:

 

AFTER THE TOR TRAFFIC STARTS, THE INFECTED COMPUTER CHECKS ITS IP ADDRESS:

 

GOING TO A WEB PAGE FOR THE DECRYPT INSTRUCTIONS:

 

POSTING THE CAPTCHA CODE TO GET AT THE DECRYPT SERVICE PAGE:

 

SOME ENCRYPTED TOR TRAFFIC FROM THE INFECTED VM:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor rules):

 

SCREENSHOTS FROM THE TRAFFIC

Decrypt instructions:

 

Captcha screen:

 

Final page for the decrpyt service:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.