Crypto Wall Infection Executable - Analysis of .EXE and Timeline


This topic is locked. 1 reply to this topic.

#1 bluerussian

Posted 23 March 2015 - 06:26 PM

To the powers that be,

I recently had a client get infected with a variant of Cryptowall. During my virus removal in safe mode using ESET and Malwarebytes, it appears Malwarebytes came upon the .exe that caused the virus. It was a randomly named .exe in the temp folder of the user that got infected. It's 7 random numbers long. I have enabled show file extensions on said file and renamed it to .pdf, removing the .exe. I have it in an aptly named folder not to touch it, and it's sitting there.

Is anyone interested in looking at it? I believe it's a V3 variant based on what I read in the Crypto Wall readme on the website here. It's slightly awesome, to me, because I can almost trace the exact moment the user caused the virus this time. So many times I haven't been able to do this. I can see them logging in. Open Outlook, then I see the silent VSS admin wipe command 10 minutes later. The command appears to error out, however.

Is there anything further in the event logs I can check for activity from this virus?


Would you like a copy of the messages that were created in the process?  The HELP_DECRYPT files?

#2 quietman7

    Bleepin' Janitor


  • Global Moderator

Posted 23 March 2015 - 06:51 PM

There is a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense Support & Discussion Topic.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff