2014-10-01 - MALWARE FROM FAKE IRS NOTIFICATION CAUSES "CRYPTOWALL 2.0" INFECTION
ASSOCIATED FILES:
- ZIP of PCAP from the VM infection: 2014-10-01-phishing-malware-run-on-a-VM.pcap.zip
- ZIP of PCAP from Malwr.com analysis: 2014-10-01-phishing-malware-analysis-from-malwr.pcap.zip
- ZIP of the malware: 2014-10-01-phishing-malware.zip
NOTES:
- Malwr.com is operational again, so I've included the pcap from the site's analysis of this malware.
- 564K of encrypted data was downloaded by the malware. That might be the actual CryptoWall, but I couldn't find any dropped files related to that on the infected VM.
- The Bitcoin address for the ransom payment is: 1GBwm6vBKWdVMbwduMBsdAvURShqQfh1Ew
- I can't remember any previous CryptoWall example calling itself "CryptoWall 2.0" as seen in today's VM infection:
EXAMPLE OF THE EMAILS
SCREENSHOTS:
MESSAGE TEXT:
Received: from static.vdc.vn (static.vdc.vn [113.161.198.196] (may be forged))
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 12:39 UTC
To:
Subject: Complaint
We received a complaint from you. is it true? (I sent copy of it in attachment)
Received: from HZYZBRWYXN ([114.203.105.188])
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 12:39 UTC
To:
Subject: Copy of the complaint
There are details of the complaint in attachment.
Received: from ([81.137.205.62])
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 13:28 UTC
To:
Subject: Complaint to the IRS
Hi, I am received a complaint. you wrote it? (See attachment)
Received: from QHYCGGETN ([72.54.201.18])
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 14:31 UTC
To:
Subject: Complaint to the IRS
We received a complaint from you. is it true? (I sent copy of it in attachment)
Received: from rrcs-67-78-159-70.se.biz.rr.com (67.78.159.70)
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 15:57 UTC
To:
Subject: Copy of the complaint
Hi, I am received a complaint. you wrote it? (See attachment)
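A defender-side triage of the headers quoted above, added here as an example and not part of the original post: it pulls the claimed From: domain and the first relay out of each message and flags the mismatch (an irs.gov sender arriving via a relay that is not under irs.gov, a relay the receiving MTA annotated "may be forged", or a bare random HELO name). The sample messages are constructed from the lines shown above.

```python
import re

# Constructed sample messages, assembled from the header and body lines quoted
# in the post above; the blank "To:" lines are omitted.
SAMPLES = [
    "Received: from static.vdc.vn (static.vdc.vn [113.161.198.196] (may be forged))\n"
    "From: IRS Complaint <complaint-copy@irs.gov>\nSubject: Complaint\n\n"
    "We received a complaint from you. is it true? (I sent copy of it in attachment)\n",
    "Received: from HZYZBRWYXN ([114.203.105.188])\n"
    "From: IRS Complaint <complaint-copy@irs.gov>\nSubject: Copy of the complaint\n\n"
    "There are details of the complaint in attachment.\n",
    "Received: from ([81.137.205.62])\n"
    "From: IRS Complaint <complaint-copy@irs.gov>\nSubject: Complaint to the IRS\n\n"
    "Hi, I am received a complaint. you wrote it? (See attachment)\n",
]

FROM_RE = re.compile(r"^From:.*?<([^>]+)>", re.M)
RECV_RE = re.compile(r"^Received:\s+from\s+(\S*)(.*)$", re.M)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def triage(raw: str) -> dict:
    """Return the claimed sender domain, the relay named in the first Received:
    header, and whether that relay can plausibly vouch for the sender."""
    headers = raw.split("\n\n", 1)[0]
    headers = re.sub(r"\n[ \t]+", " ", headers)  # unfold continuation lines
    m_from = FROM_RE.search(headers)
    from_domain = m_from.group(1).lower().rsplit("@", 1)[-1] if m_from else ""
    m_recv = RECV_RE.search(headers)
    relay = m_recv.group(1).lower().strip("()[]") if m_recv else ""
    rest = m_recv.group(2) if m_recv else ""
    m_ip = IPV4_RE.search(relay + " " + rest)
    reasons = []
    # A relay outside the sender's domain cannot vouch for a From: inside it.
    if from_domain and relay != from_domain and not relay.endswith("." + from_domain):
        reasons.append(f"relay {relay or '<unnamed>'} is outside {from_domain}")
    if "(may be forged)" in rest:
        reasons.append("receiving MTA marked the relay name as possibly forged")
    if relay and "." not in relay:
        reasons.append("relay gave a bare HELO name with no domain")
    return {
        "from_domain": from_domain,
        "relay": relay,
        "relay_ip": m_ip.group(1) if m_ip else "",
        "suspicious": bool(reasons),
        "reasons": reasons,
    }
```

Every message in the post trips at least the first check, which is the cheapest signal a mail gateway can apply before any attachment is opened.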
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: Complaint_IRS_id-12839182.zip
File size: 194.5 KB ( 199121 bytes )
MD5 hash: ea4df0aa8ed7ac496482480da3ac8608
Detection ratio: 22 / 54
First submission: 2014-10-01 12:14:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/7293fa4fcba16746926947d6262f9e43cd87cc52a21a0d9a5c5e96d33a4dd2e2/analysis/
EXTRACTED MALWARE:
File name: Complaint_IRS_id-12839182.scr
File size: 272.0 KB ( 278566 bytes )
MD5 hash: 31c2d25d7d0d0a175d4e59d0b3b2ec94
Detection ratio: 17 / 55
First submission: 2014-10-01 12:17:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/a0454c319093a3c5e4ce84569de9a680aa4028c208f9607880967d43f3b22666/analysis/
Malwr link: https://malwr.com/analysis/NGNmMDM4NzIwYTE0NGE0NmI4MWQ1ODEyMWNmZGU3MTI/
SCREENSHOTS AND INFO FROM THE TRAFFIC
From Malwr.com pcap: 2014-10-01 22:09:34 UTC - 65.19.161.34 port 80 - eportfolio.ccpullman.ca - GET /blog/eo7ycomyy
No Snort event triggered on this line for VRT, ET, or ETPRO signatures (that I could tell)
From infected VM pcap: 2014-10-01 22:07:48 UTC - 42.62.40.145 port 80 - www.meihuainfo.com - GET /wp-content/themes/mh/3sbgwh
Triggered Snort rule: ET TROJAN Unknown Locker DL URI Struct Jul 25 2014 (sid:2018787)
Decrypt instructions (specifying this is CryptoWall 2.0):
After installing the Tor Browser, I got the captcha for the decrypt service:
Which takes us to the ransom payment page:
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP from the VM infection: 2014-10-01-phishing-malware-run-on-a-VM.pcap.zip
- ZIP of PCAP from Malwr.com analysis: 2014-10-01-phishing-malware-analysis-from-malwr.pcap.zip
- ZIP of the malware: 2014-10-01-phishing-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.