2015-11-04 GUEST BLOG: MICHAEL FRATELLO - MALSPAM ATTACHMENTS DOWNLOAD NEW CRYPTOWALL VARIANT

PCAP AND MALWARE:

 

NOTES:

 

EMAIL EXAMPLES

DATES SEEN:  2015-11-02 and 2015-11-03

 

EXAMPLES OF THE SUBJECT LINES:

 

EXAMPLES OF THE ATTACHMENTS:

 


EXAMPLES OF THE EMAIL TEXT:

    Hi!!! my name is Merlyn Comiso, attach is my resume,
    Please message me back,
    Sincerely
    Merlyn Comiso

    Hi!!! my name is Ardell Wanca. My resume attached.
    I would appreciated your immediate attention to this matter.
    Best regards
    Ardell Wanca

    Hello!! my name is Myriam Crellin, my resume is doc file,
    Awaiting your prompt reply,
    Sincerely
    Myriam Crellin

 

PRELIMINARY MALWARE ANALYSIS

EXAMPLE OF EMAIL ATTACHMENT:

File name:  Ardell_resume_6688.zip
File size:  746 bytes
MD5 hash:  89dde799a520d43daa8e48c5db6f56d1
Detection ratio:  9 / 54
First submission:  2015-11-03 15:12:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/66c18f7d485d9fe7b29233c35f4da94d6a52273d739169d1b804640fd85c1dce/analysis/

 


Shown above:  Extracted .js from the .zip file (image courtesy of Lawrence Abrams' analysis for Bleeping Computer).

 

CRYPTOWALL 4.0 SAMPLE DOWNLOADED BY THE EXTRACTED .JS FILE:

File name:  analitics.exe or 160967782.exe
File size:  312.0 KB ( 319,488 bytes )
MD5 hash:  5384f752e3a2b59fad9d0f143ce0215a
Detection ratio:  33 / 54
First submission:  2015-11-03 14:52:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bf352825a70685039401abde5daf1712fd968d6eee233ea72393cbc6faffe5a2/analysis/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/bf352825a70685039401abde5daf1712fd968d6eee233ea72393cbc6faffe5a2?environmentId=1
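
The following triage script is an added example, not code from the original post or from malware-traffic-analysis.net. It checks a zip attachment the way a mail gateway or analyst would catch this campaign: either the MD5 matches one of the two hashes listed above, or the archive carries a Windows Script Host file (like the extracted .js). The sample zip it builds and the placeholder script body are constructed; the only real values are the two MD5s from this post.

```python
"""Triage zip e-mail attachments for script droppers (constructed example)."""
import hashlib
import io
import zipfile

# MD5s published in the post above: the malspam zip and the CryptoWall 4.0 payload.
KNOWN_MD5 = {
    "89dde799a520d43daa8e48c5db6f56d1": "Ardell_resume_6688.zip (malspam attachment)",
    "5384f752e3a2b59fad9d0f143ce0215a": "analitics.exe / 160967782.exe (CryptoWall 4.0)",
}

# Extensions Windows Script Host executes on double-click; one of these inside a
# "resume" zip is the pattern seen in this campaign.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe")


def triage_zip(filename: str, data: bytes) -> dict:
    """Return a verdict: known bad hash, script members inside the archive, or clean."""
    md5 = hashlib.md5(data).hexdigest()
    result = {"filename": filename, "md5": md5, "known": KNOWN_MD5.get(md5),
              "script_members": [], "suspicious": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not an archive at all; hash match is the only signal left.
        result["suspicious"] = result["known"] is not None
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(SCRIPT_EXTS):
                result["script_members"].append(info.filename)
    result["suspicious"] = result["known"] is not None or bool(result["script_members"])
    return result


def build_sample_zip(member: str, body: bytes) -> bytes:
    """Constructed stand-in for the attachment; the real .js is not reproduced here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mimicking the attachment's shape: a lone .js in a "resume" zip.
    sample = build_sample_zip("Ardell_resume_6688.js", b"// placeholder body, not the downloader\n")
    print(triage_zip("Ardell_resume_6688.zip", sample))
```

Run against a real mailbox export, the `known` field fires on the exact files from this post and `script_members` catches renamed copies of the same lure.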

 

IMAGES FROM BRAD'S INFECTED WINDOWS HOST


Shown above:  Traffic from the infected host, filtered in Wireshark.

 


Shown above:  ET ruleset signature hits on the traffic.

 


Shown above:  Desktop of the infected Windows host.

 


Shown above:  Checking a URL for the Decrypt instructions.

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
