2015-02-06 - TRAFFIC PATTERN CHANGE IN CRYPTOWALL 3.0 SAMPLE

ASSOCIATED FILES:

• ZIP of the pcap:  2015-02-06-CryptoWall-3.0-infection-traffic.pcap.zip
• ZIP of the malware:  2015-02-06-CryptoWall-3.0-sample.zip

 

NOTES:

• Today, Bryan Manradge sent me a CryptoWall 3.0 sample that I took a look at.
• Traffic patterns from an infected VM are different than when I first saw CryptoWall 3.0 (link), so I'm documenting this in a blog entry.

• In today's sample, the bitcoin wallet address for the ransom payment is:  15WUYqKerTtxi4rUEmnakw5gRMkr3nZCQd

 

CHAIN OF EVENTS

TRAFFIC FROM THE INFECTED VM:

• 2015-02-06 21:01:27 UTC - 188.165.164.184 port 80 - ip-addr.es - GET /
• 2015-02-06 21:01:27 UTC - 50.63.132.134 port 80 - grupobsm.net - POST /img4.php?z=7210v4v8anxeba69
• 2015-02-06 21:01:30 UTC - 83.209.243.10 port 80 - grycksbo.org - POST /img5.php?c=7210v4v8anxeba69
• 2015-02-06 21:01:34 UTC - 72.29.80.235 port 80 - dladesigninc.net - POST /img3.php?h=7210v4v8anxeba69
• 2015-02-06 21:01:39 UTC - 216.55.179.136 port 80 - marine-club.net - POST /img3.php?k=7210v4v8anxeba69
• 2015-02-06 21:01:59 UTC - 72.29.73.163 port 80 - captainblowdri.com - POST /img4.php?l=7210v4v8anxeba69
• 2015-02-06 21:02:03 UTC - 199.68.191.235 port 80 - caracolassn.com - POST /volunteer/img1.php?p=7210v4v8anxeba69
• 2015-02-06 21:02:09 UTC - 143.95.1.100 port 80 - dishwashersreviews.org - POST /img3.php?d=7210v4v8anxeba69
• 2015-02-06 21:02:14 UTC - 70.40.199.132 port 80 - credit-score-repair-help.com - POST /img4.php?a=7210v4v8anxeba69
• 2015-02-06 21:02:17 UTC - 189.38.80.72 port 80 - marivaldakariri.net - POST /img2.php?d=7210v4v8anxeba69
• 2015-02-06 21:02:22 UTC - 66.147.240.175 port 80 - cannedseniordogfood.com - POST /img2.php?i=7210v4v8anxeba69
• 2015-02-06 21:02:27 UTC - 107.161.186.165 port 80 - olx4u.com - POST /img5.php?o=7210v4v8anxeba69
• 2015-02-06 21:02:30 UTC - 67.222.49.225 port 80 - decisiondock.com - POST /img2.php?l=7210v4v8anxeba69
• 2015-02-06 21:02:34 UTC - 142.4.5.182 port 80 - ohiorealestateinvestor.com - POST /img1.php?s=7210v4v8anxeba69
• 2015-02-06 21:02:40 UTC - 219.94.217.199 port 80 - grid-japan.com - POST /img3.php?q=7210v4v8anxeba69
• 2015-02-06 21:02:48 UTC - 162.216.152.1 port 80 - cityep.net - POST /plus/img1.php?k=7210v4v8anxeba69
• 2015-02-06 21:02:48 UTC - 23.235.198.159 port 80 - homeoholistic.com - POST /img1.php?n=7210v4v8anxeba69
• 2015-02-06 21:02:48 UTC - 205.209.123.35 port 80 - dreamleaparchitects.com - POST /img4.php?h=7210v4v8anxeba69
• 2015-02-06 21:02:53 UTC - 103.24.244.107 port 80 - diemtichluy.net - POST /utf.php?a=7210v4v8anxeba69
• 2015-02-06 21:02:58 UTC - 109.200.196.187 port 80 - megasort.net - POST /img2.php?f=7210v4v8anxeba69
• 2015-02-06 21:03:03 UTC - 50.97.118.154 port 80 - crushtrack.com - POST /img2.php?a=7210v4v8anxeba69
• 2015-02-06 21:03:07 UTC - 198.58.92.228 port 80 - jake-angela.com - POST /img5.php?e=7210v4v8anxeba69
• 2015-02-06 21:03:12 UTC - 204.152.255.10 port 80 - dolidoligames.org - POST /img1.php?b=7210v4v8anxeba69
• 2015-02-06 21:03:18 UTC - 176.9.125.188 port 80 - butterflymedia.az - POST /img2.php?l=7210v4v8anxeba69
• 2015-02-06 21:03:21 UTC - 63.208.120.198 port 80 - downtowncarandlimousine.com - POST /img1.php?i=7210v4v8anxeba69
• 2015-02-06 21:03:27 UTC - 64.40.153.128 port 80 - gjswan.com - POST /img3.php?n=7210v4v8anxeba69
• 2015-02-06 21:03:31 UTC - 210.1.58.197 port 80 - cx-tractor.com - POST /img3.php?v=7210v4v8anxeba69
• 2015-02-06 21:03:33 UTC - 212.68.42.26 port 80 - dh-solutions.net - POST /img5.php?w=7210v4v8anxeba69
• 2015-02-06 21:03:41 UTC - 173.254.104.49 port 80 - funnyvideosonline.net - POST /img2.php?b=7210v4v8anxeba69
• 2015-02-06 21:03:45 UTC - 5.104.106.93 port 80 - hcegroup.net - POST /img5.php?y=7210v4v8anxeba69
• 2015-02-06 21:03:52 UTC - 190.107.176.7 port 80 - ingesof.com - POST /img4.php?r=7210v4v8anxeba69
• 2015-02-06 21:03:57 UTC - 122.155.167.122 port 80 - diversolve.com - POST /img2.php?z=7210v4v8anxeba69
• 2015-02-06 21:04:02 UTC - 5.44.216.13 port 80 - fotosiski.com - POST /img5.php?p=7210v4v8anxeba69
• 2015-02-06 21:04:11 UTC - 69.89.22.148 port 80 - californiainsuranceco.com - POST /img4.php?s=7210v4v8anxeba69
• 2015-02-06 21:04:14 UTC - 66.147.240.175 port 80 - superiorseoservices.com.au - POST /img5.php?t=7210v4v8anxeba69
• 2015-02-06 21:04:17 UTC - 69.195.124.86 port 80 - dyounglawoffice.com - POST /img1.php?u=7210v4v8anxeba69
• 2015-02-06 21:04:23 UTC - 72.29.81.177 port 80 - domainithere.com - POST /tools/img2.php?d=7210v4v8anxeba69
• 2015-02-06 21:04:27 UTC - 95.173.181.231 port 80 - hisarins.com - POST /img4.php?w=7210v4v8anxeba69
• 2015-02-06 21:04:30 UTC - 108.166.74.204 port 80 - dropnwashlaundry.com - POST /wp-content/img1.php?k=7210v4v8anxeba69
• 2015-02-06 21:04:35 UTC - 50.87.169.19 port 80 - spindna.com - POST /img1.php?u=7210v4v8anxeba69
• 2015-02-06 21:04:43 UTC - 205.134.238.142 port 80 - almjobs.com - POST /img4.php?s=7210v4v8anxeba69
• 2015-02-06 21:04:46 UTC - 114.202.247.141 port 80 - dcmaulmembers.com - POST /img4.php?n=7210v4v8anxeba69
• 2015-02-06 21:04:59 UTC - 23.236.238.227 port 80 - creativoplasma.com - POST /televisa/img1.php?f=7210v4v8anxeba69
• 2015-02-06 21:05:05 UTC - 74.220.214.164 port 80 - preciousmetalsrarecoininvestments.com - POST /img2.php?x=7210v4v8anxeba69
• 2015-02-06 21:05:13 UTC - 188.165.164.184 port 80 - ip-addr.es - GET /
• 2015-02-06 21:05:13 UTC - 50.63.132.134 port 80 - grupobsm.net - POST /img4.php?s=jl6nfgewttz
• 2015-02-06 21:05:16 UTC - 50.63.132.134 port 80 - grupobsm.net - POST /img4.php?t=6d3b0ihusgae5f3
• 2015-02-06 21:05:22 UTC - 50.63.132.134 port 80 - grupobsm.net - POST /img4.php?i=festbbqped032pvu
• 2015-02-06 21:05:25 UTC - 83.209.243.10 port 80 - grycksbo.org - POST /img5.php?h=festbbqped032pvu
• 2015-02-06 21:05:55 UTC - 72.29.80.235 port 80 - dladesigninc.net - POST /img3.php?a=festbbqped032pvu
• 2015-02-06 21:05:58 UTC - 216.55.179.136 port 80 - marine-club.net - POST /img3.php?o=festbbqped032pvu
• 2015-02-06 21:06:02 UTC - 72.29.73.163 port 80 - captainblowdri.com - POST /img4.php?y=festbbqped032pvu
• 2015-02-06 21:06:05 UTC - 199.68.191.235 port 80 - caracolassn.com - POST /volunteer/img1.php?d=festbbqped032pvu
• 2015-02-06 21:06:13 UTC - 50.63.132.134 port 80 - grupobsm.net - POST /img4.php?f=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:18 UTC - 83.209.243.10 port 80 - grycksbo.org - POST /img5.php?n=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:28 UTC - 72.29.80.235 port 80 - dladesigninc.net - POST /img3.php?a=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:31 UTC - 216.55.179.136 port 80 - marine-club.net - POST /img3.php?c=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:34 UTC - 72.29.73.163 port 80 - captainblowdri.com - POST /img4.php?o=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:36 UTC - 199.68.191.235 port 80 - caracolassn.com - POST /volunteer/img1.php?p=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:42 UTC - 143.95.1.100 port 80 - dishwashersreviews.org - POST /img3.php?o=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:45 UTC - 70.40.199.132 port 80 - credit-score-repair-help.com - POST /img4.php?n=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:50 UTC - 189.38.80.72 port 80 - marivaldakariri.net - POST /img2.php?h=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:54 UTC - 66.147.240.175 port 80 - cannedseniordogfood.com - POST /img2.php?o=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:59 UTC - 107.161.186.165 port 80 - olx4u.com - POST /img5.php?w=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:09 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /1Y2a92Q
• 2015-02-06 21:07:11 UTC - 67.222.49.225 port 80 - decisiondock.com - POST /img2.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:15 UTC - 142.4.5.182 port 80 - ohiorealestateinvestor.com - POST /img1.php?s=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:17 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/style.css
• 2015-02-06 21:07:21 UTC - 219.94.217.199 port 80 - grid-japan.com - POST /img3.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:23 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/flags/us.png
• 2015-02-06 21:07:23 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/flags/es.png
• 2015-02-06 21:07:23 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/flags/it.png
• 2015-02-06 21:07:23 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /picture.php?k=1y2a92q&f95dca8fd582559090731d3a2d4eaa24
• 2015-02-06 21:07:23 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/rt.png
• 2015-02-06 21:07:23 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/rb.png
• 2015-02-06 21:07:23 UTC - 162.216.152.1 port 80 - cityep.net - POST /plus/img1.php?s=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:24 UTC - 23.235.198.159 port 80 - homeoholistic.com - POST /img1.php?t=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:24 UTC - 205.209.123.35 port 80 - dreamleaparchitects.com - POST /img4.php?n=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:27 UTC - 103.24.244.107 port 80 - diemtichluy.net - POST /utf.php?p=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:28 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/flags/fr.png
• 2015-02-06 21:07:28 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/flags/de.png
• 2015-02-06 21:07:28 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/lt.png
• 2015-02-06 21:07:28 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/lb.png
• 2015-02-06 21:07:35 UTC - 109.200.196.187 port 80 - megasort.net - POST /img2.php?w=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:39 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - POST /1Y2a92Q
• 2015-02-06 21:07:39 UTC - 50.97.118.154 port 80 - crushtrack.com - POST /img2.php?w=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:43 UTC - 198.58.92.228 port 80 - jake-angela.com - POST /img5.php?r=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:46 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - POST /1Y2a92Q
• 2015-02-06 21:07:52 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/style.css
• 2015-02-06 21:07:56 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/bitcoin.png
• 2015-02-06 21:07:56 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/lb.png
• 2015-02-06 21:07:56 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /img/button_pay.png
• 2015-02-06 21:08:01 UTC - 5.199.167.233 port 80 - paytoc4gtpn5czl2.optionstorpay22.com - GET /favicon.ico
• 2015-02-06 21:08:01 UTC - 204.152.255.10 port 80 - dolidoligames.org - POST /img1.php?g=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:06 UTC - 176.9.125.188 port 80 - butterflymedia.az - POST /img2.php?h=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:10 UTC - 63.208.120.198 port 80 - downtowncarandlimousine.com - POST /img1.php?z=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:16 UTC - 64.40.153.128 port 80 - gjswan.com - POST /img3.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:19 UTC - 210.1.58.197 port 80 - cx-tractor.com - POST /img3.php?y=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:51 UTC - 212.68.42.26 port 80 - dh-solutions.net - POST /img5.php?s=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:02 UTC - 173.254.104.49 port 80 - funnyvideosonline.net - POST /img2.php?e=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:06 UTC - 5.104.106.93 port 80 - hcegroup.net - POST /img5.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:10 UTC - 190.107.176.7 port 80 - ingesof.com - POST /img4.php?r=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:17 UTC - 122.155.167.122 port 80 - diversolve.com - POST /img2.php?n=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:28 UTC - 5.44.216.13 port 80 - fotosiski.com - POST /img5.php?m=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:31 UTC - 69.89.22.148 port 80 - californiainsuranceco.com - POST /img4.php?k=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:35 UTC - 66.147.240.175 port 80 - superiorseoservices.com.au - POST /img5.php?q=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:39 UTC - 69.195.124.86 port 80 - dyounglawoffice.com - POST /img1.php?r=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:46 UTC - 72.29.81.177 port 80 - domainithere.com - POST /tools/img2.php?b=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:50 UTC - 95.173.181.231 port 80 - hisarins.com - POST /img4.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:53 UTC - 108.166.74.204 port 80 - dropnwashlaundry.com - POST /wp-content/img1.php?s=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:58 UTC - 50.87.169.19 port 80 - spindna.com - POST /img1.php?c=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:05 UTC - 205.134.238.142 port 80 - almjobs.com - POST /img4.php?q=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:09 UTC - 114.202.247.141 port 80 - dcmaulmembers.com - POST /img4.php?h=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:12 UTC - 23.236.238.227 port 80 - creativoplasma.com - POST /televisa/img1.php?b=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:18 UTC - 74.220.214.164 port 80 - preciousmetalsrarecoininvestments.com - POST /img2.php?j=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:27 UTC - 50.63.132.134 port 80 - grupobsm.net - POST /img4.php?n=bnis0m4bg5i

 

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

• Various IP addresses over port 80 (see above) - ET TROJAN CryptoWall Check-in (sid:2018452)
• DNS query for: paytoc4gtpn5czl2.optionstorpay22.com - ET TROJAN Cryptowall 3.0 .onion Proxy Domain (sid:2020182)

 

PRELIMINARY MALWARE ANALYSIS

MALWARE

File name:  2015-02-06-CryptoWall-3.0-sample.exe
File size:  220.1 KB ( 225341 bytes )
MD5 hash:  b188a7a9de9c101aed6ecf075daf19f2
Detection ratio:  5 / 55
First submission:  2015-02-06 17:12:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/74218a572992da05a1cb2a2ea155862ac280e2777ae902828071f7328beaa532/analysis/
Malwr link:  https://malwr.com/analysis/ZGE5YmMwNTg4ZGNmNDVjMzgyMjQyNjI5ZDdlMzQwMmM/

 

SCREENSHOTS

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2015-02-06-CryptoWall-3.0-infection-traffic.pcap.zip
• ZIP of the malware:  2015-02-06-CryptoWall-3.0-sample.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.