2015-06-09 - MALSPAM CAMPAIGN SENDING CRYPTOWALL 3.0 CONTINUES

PCAP AND MALWARE:

• ZIP of the traffic:  2015-06-09-malspam-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:  2015-06-09-CryptoWall-3.0-from-malspam.zip

 

NOTES:

• The malspam campaign using Yahoo email addresses to deliver CryptoWall 3.0 continues.
• First blogged about it on 2015-06-04 ( link ).  See that blog entry for more images.
• This campaign is using redirects to Google Drive (docs.google.com) to send the malware.
• Bitcoin address for ransom payment is still 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag (same as before).

 

DETAILS

EMAILS SEEN TODAY:

• 2015-06-09 15:19:48 CST - Subject: Re:Resume - From: arniipf867@yahoo.com
• 2015-06-09 15:18:23 CST - Subject: Re:Resume - From: dalstonstukel@yahoo.com
• 2015-06-09 15:11:50 CST - Subject: Re:Resume - From: bryantleon990@yahoo.com
• 2015-06-09 15:06:14 CST - Subject: My resume - From: bonneramie@yahoo.com
• 2015-06-09 14:15:24 CST - Subject: My resume - From: lisandradelvy@yahoo.com
• 2015-06-09 13:56:33 CST - Subject: My resume - From: blondellemcclelland@yahoo.com
• 2015-06-09 09:09:02 CST - Subject: Re:Resume - From: myrnajmr242@yahoo.com
• 2015-06-09 08:50:57 CST - Subject: My resume - From: agnacry623@yahoo.com
• 2015-06-09 08:42:26 CST - Subject: Re:My resume - From: karieqwx157@yahoo.com
• 2015-06-09 08:37:18 CST - Subject: Resume - From: mateldaimr269@yahoo.com
• 2015-06-09 08:27:59 CST - Subject: Resume - From: brnabybkl345@yahoo.com
• 2015-06-09 08:01:56 CST - Subject: Re:My resume - From: constantaqwp988@yahoo.com
• 2015-06-09 07:18:10 CST - Subject: Resume - From: janithbhh097@yahoo.com
• 2015-06-09 07:01:40 CST - Subject: Resume - From: ignazlbp335@yahoo.com

 

ATTACHMENTS:

• my_resume.zip

 

EXTRACTED FILES FROM THE ATTACHMENTS (ALL HTML):

• resume1015.html
• resume1140.html
• resume2707.html
• resume3867.html
• resume4179.html
• resume4356.html
• resume4782.html
• resume5234.html
• resume5268.html
• resume6321.html
• resume6420.html
• resume6463.html
• resume6980.html
• resume7621.html

 

EXTRACTED HTML FILES HAVE IFRAME LINKS TO:

• topfinish.eu - GET /wp-content/themes/meteor/core/resume/resume.php?id=902
• topfinish.eu - GET /wp-content/themes/meteor/core/resume/resume.php?id=701
• topfinish.eu - GET /wp-content/themes/meteor/core/resume/resume.php?id=523
• topfinish.eu - GET /wp-content/themes/meteor/core/resume/resume.php?id=457
• nobiom.tv - GET /wp-content/themes/nobiomtv/lib/resume/resume.php?id=988
• nobiom.tv - GET /wp-content/themes/nobiomtv/lib/resume/resume.php?id=794
• nicefilm.net - GET /wp-content/themes/dt-the7/resume/resume.php?id=987
• nicefilm.net - GET /wp-content/themes/dt-the7/resume/resume.php?id=622
• nicefilm.net - GET /wp-content/themes/dt-the7/resume/resume.php?id=561
• konuralpticaret.com - GET /wp-content/themes/theretailer/resume/resume.php?id=908
• konuralpticaret.com - GET /wp-content/themes/theretailer/resume/resume.php?id=846
• konuralpticaret.com - GET /wp-content/themes/theretailer/resume/resume.php?id=444
• konuralpticaret.com - GET /wp-content/themes/theretailer/resume/resume.php?id=414
• konuralpticaret.com - GET /wp-content/themes/theretailer/resume/resume.php?id=307

 

CHECKING SOME OF THE ABOVE LINKS GAVE ME 200 OK REPONSES WITH HTTPS LINKS TO THE FOLLOWING GOOGLE URLS:

• (https) docs.google.com - GET /uc?export=download&id=0B-HWsX8wPhPFQzJsSmYtdERrZ1k
• (https) docs.google.com - GET /uc?export=download&id=0B-HWsX8wPhPFVTNpNTJneHJKazQ
• (https) docs.google.com - GET /uc?export=download&id=0B-HWsX8wPhPFZDk2dms3c2plZk0

 

PRELIMINARY MALWARE ANALYSIS

ZIP FILE FROM DOCS.GOOGLE.COM LINKS:

File name:  my_resume_pdf.zip
File size:  204.2 KB ( 209136 bytes )
MD5 hash:  29e28ae8cca81d223ef3fd24ca1d3d68
Detection ratio:  13 / 57
First submission:  2015-06-09 19:21:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/24eb11fd46915d470c3c18e769df28414f160c66c0c9504f59f1f422555af138/analysis/

 

EXTRACTED MALWARE (CRYPTOWALL 3.0):

File name:  my_resume_pdf_id_3551-5411-241.scr
File size:  264.0 KB ( 270336 bytes )
MD5 hash:  7d231a2cebfcadb783377ab17fd2ef2f
Detection ratio:  13 / 57
First submission:  2015-06-09 18:42:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e5c2c16ec235c74c2586dee6913089602d26633af6aac9c9790b77029f8f6405/analysis/

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

• ZIP of the traffic:  2015-06-09-malspam-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:  2015-06-09-CryptoWall-3.0-from-malspam.zip

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.