2015-11-05 GUEST BLOG: MICHAEL FRATELLO - MALSPAM ATTACHMENTS DOWNLOAD NEW CRYPTOWALL VARIANT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP AND MALWARE:
- 2015-11-05-CryptoWall-4.0-traffic.pcap.zip 132.5 kB (132,461 bytes)
- 2015-11-05-CryptoWall-4.0-malware-and-artifacts.zip 293.5 kB (293,535 bytes)
NOTES:
- Information for this blog post was submitted by Michael Fratello, an information security engineer from Wantagh, New York (United States).
- Lawrence Abrams and Nathan Scott from Bleeping Computer worked with Michael on the analysis of this malware, which they are calling CryptoWall 4.0.
- This analysis of CryptoWall 4.0 was posted by Bleeping Computer on Tuesday 2015-11-03.
- Editor's note: After corresponding with Michael about this, I infected a Windows host with the malware, so we could share some traffic and alerts. Earlier today (2015-11-05), I got Nuclear EK sending CryptoWall 3.0, but I still hadn't run across this newer CryptoWall variant yet.
EMAIL EXAMPLES
DATES SEEN: 2015-11-02 and 2015-11-03
EXAMPLES OF THE SUBJECT LINES:
- RE:Merlyn brief 4254
- Ardell_brief 2226
- Gwendolyn_Curriculum Vitae 4568
EXAMPLES OF THE ATTACHMENTS:
- Paulene_resume_9079.zip
- Ardell_resume_6688.zip
- Myriam_resume_8347.zip
EXAMPLES OF THE SENDERS:
- beigang45518zheng@163[.]com
- mengxiong00539po@163[.]com
- xlashan155lu@163[.]com
EXAMPLES OF THE EMAIL TEXT:
Hi!!! my name is Merlyn Comiso, attach is my resume,
Please message me back,
Sincerely
Merlyn Comiso
Hi!!! my name is Ardell Wanca. My resume attached.
I would appreciated your immediate attention to this matter.
Best regards
Ardell Wanca
Hello!! my name is Myriam Crellin, my resume is doc file,
Awaiting your prompt reply,
Sincerely
Myriam Crellin
PRELIMINARY MALWARE ANALYSIS
EXAMPLE OF EMAIL ATTACHMENT:
File name: Ardell_resume_6688.zip
File size: 746 bytes
MD5 hash: 89dde799a520d43daa8e48c5db6f56d1
Detection ratio: 9 / 54
First submission: 2015-11-03 15:12:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/66c18f7d485d9fe7b29233c35f4da94d6a52273d739169d1b804640fd85c1dce/analysis/
Shown above: Extracted .js from the .zip file (image courtesy of Lawrence Abrams' analysis for Bleeping Computer).
CRYPTOWALL 4.0 SAMPLE DOWNLOADED BY THE EXTRACTED .JS FILE:
File name: analitics.exe or 160967782.exe
File size: 312.0 KB (319,488 bytes)
MD5 hash: 5384f752e3a2b59fad9d0f143ce0215a
Detection ratio: 33 / 54
First submission: 2015-11-03 14:52:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/bf352825a70685039401abde5daf1712fd968d6eee233ea72393cbc6faffe5a2/analysis/
Hybrid-Analysis link: https://www.hybrid-analysis.com/sample/bf352825a70685039401abde5daf1712fd968d6eee233ea72393cbc6faffe5a2?environmentId=1
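As an added defender-side example (not code from the original post, nor from Michael's or Bleeping Computer's analysis), a mail-gateway style check for the lure shown above: a small "<Name>_resume_<digits>.zip" whose member is a .js script rather than a document. The regex, the script-extension list, the known-bad hash set (seeded with the zip MD5 listed on this page) and the in-memory sample archive are assumptions or constructed for the example.

```python
import hashlib
import io
import re
import zipfile

# Attachment naming pattern seen in this campaign (assumed regex).
RESUME_ZIP_RE = re.compile(r"^[A-Za-z]+_resume_\d{4}\.zip$", re.IGNORECASE)

# Member types a "resume" archive should never carry (assumed list).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".exe", ".scr")

# MD5 of the zip attachment listed on this page; extend from your own IoC feed.
KNOWN_BAD_MD5 = {"89dde799a520d43daa8e48c5db6f56d1"}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify one zip attachment: IoC hash match, lure-style name, and any
    script members found inside. 'block' is the gateway decision."""
    verdict = {
        "filename": filename,
        "md5": hashlib.md5(data).hexdigest(),
        "known_bad": False,
        "lure_name": bool(RESUME_ZIP_RE.match(filename)),
        "script_members": [],
        "block": False,
    }
    verdict["known_bad"] = verdict["md5"] in KNOWN_BAD_MD5
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(SCRIPT_EXTS):
                    verdict["script_members"].append(member)
    except zipfile.BadZipFile:
        # A .zip that cannot be opened cannot be inspected: treat as hostile.
        verdict["block"] = True
        return verdict
    verdict["block"] = verdict["known_bad"] or bool(verdict["script_members"])
    return verdict


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: an in-memory zip holding one member (stand-in content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip("Ardell_resume_6688.js", b"// constructed stand-in\n")
    print(inspect_attachment("Ardell_resume_6688.zip", lure))
```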
IMAGES FROM BRAD'S INFECTED WINDOWS HOST
Shown above: Traffic from the infected host, filtered in Wireshark.
Shown above: ET ruleset signature hits on the traffic.
Shown above: Desktop of the infected Windows host.
Shown above: Checking a URL for the Decrypt instructions.