CryptoWall: How It Works
Slide transcript, uploaded by tandhy-simanjuntak
File-encrypting ransomware
• First observed Q1 2014; the earliest samples date from Nov 2013 [5]
• Related families: CryptoClone, CryptoDefense [5]
Encrypted, anonymising environments used by the operators
• TOR network (payment and command-and-control sites run as hidden services)
• Bitcoin (ransom payment)
CryptoWall
Infection: email subject lines used in the spam campaigns
• USPS – Your package is available for pickup (Parcel 173145820507)
• Fwd: IMG01041_6706015_m.zip
• FW: Invoice <random number>
• My resume
• ADP payroll: Account Charge Alert
• New Voicemail Message
• Important – attached form
• Important – New Outlook Settings
• FW: Last Month Remit
• Scan Data
• McAfee Always On Protection Reactivation
• New contract agreement
• Scanned Image from a Xerox WorkCentre
• Important Notice – Incoming Money Transfer
• Payroll Invoice
• Payment Overdue – Please respond
Infection: delivery
• Upatre downloader (attached to the emails above) fetches and runs CryptoWall
• June 5th 2014: largest single-day infection
• Payloads also hosted on legitimate cloud services: Dropbox, Cubby and MediaFire
• Also distributed together with banking Trojans: Gameover Zeus, Dyre
Tools
Dynamic analysis
• Process Explorer
• Process Monitor
• Wireshark
• RegShot / CaptureBAT
Static analysis
• REMnux: pyew, strings, pescanner, densityscout, trid
• Hex editor
Analysis: dynamic
Files created (on the Windows XP lab machine, %AppData% is C:\Documents and Settings\<user>\Application Data)
• Cryptowall.exe drops %AppData%\<random name>.exe (observed as kdtsndl.exe, which performs the rest of the activity)
• kdtsndl.exe writes %AppData%\key.dat
• kdtsndl.exe writes C:\Documents and Settings\<user>\Desktop\log.html
Registry values created (persistence)
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscfg = "C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*mscfg = "C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"
The leading asterisk on the RunOnce value name makes Windows run the entry even when booting into Safe Mode. Writing under HKLM (machine-wide) rather than HKCU requires the sample to have been run with administrative rights, as it was in this lab.
Analysis: encryption
[Diagram: encryption flow, shown as 16-byte hex rows]
1. Original .pdf file on disk; its first 64 bytes are shown:
   2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36   %PDF-1.5.%....6
   3233 2030 206f 626a 0a3c 3c0a 2f50 2036   23 0 obj.<<./P 6
   3031 2030 2052 0a2f 5320 2f4c 696e 6b0a   01 0 R./S /Link.
   2f54 7970 6520 2f53 7472 7563 7445 6c65   /Type /StructEle
2. The file contents are read into memory (same bytes).
3. The buffer is encrypted through the Windows CryptoAPI; the diagram shows the result as unrecognisable bytes (xxxx) with nothing of the plaintext header left in place.
4. The encrypted buffer is written out as a new .PDF file.
Analysis: encryption
Renames the new .pdf file to .pdf.ecc
• Loads the new .pdf file
• Creates the .pdf.ecc file
• Deletes the new .pdf file
Targeted file extensions (as listed on the slide; a trailing * denotes a wildcard match)
.3fr .7z* .ai* .apk .arw .avi .bar .bay .bc6 .bc7 .big .bik .bkf .bkp .bsa .cas .cdr .cer
.cr2 .crt .crw .css .csv .das .db .db* .dcr .der .dmp .dng .doc .docx .dwg .dxg .epk .eps .erf
.ff .ff* .flv .fos .fpk .fsh .gdb .gho .hkx .itl .itm .iwd .iwi .jpe .jpg .js .js* .kdb .kdc .kf .kf*
.lrf .ltx .lvl .m2 .m2* .m3u .m4a .map .mdb .mdf .mef .mlx .mov .mp4 .ncf .nrw .ntl .odb .odc
.odp .ods .odt .orf .p12 .p7b .p7c .pak .pdd .pdf .pef .pem .pfx .png .ppt .pptx .psd .psk
.ptx .py .py* .qdf .qic .r3d .raf .raw .rb .rb* .re4 .rim .rtf .rw2 .rwl .sav .sb .sb* .sid .sie
.slm .snx .sql .sr2 .srf .srw .sum .svg .t12 .t13 .tax .tor .txt .upk .vcf .vdf .vpk .vtf
.wb2 .wma .wmo .wmv .wpd .wps .x3f .xf .xf8 .xlk .xls .xlsx .xxx .zip
Analysis: encryption
Loaded-module comparison during file creation
• Normal file creation: 21 modules
• CryptoWall file creation: 50 modules
• The extra modules include Windows' cryptographic libraries, e.g. crypt32.dll
Analysis: encryption
[Screenshots: hex view of an encrypted file; loaded-module list of the CryptoWall process]
Analysis: encryption
Raw data pattern: the encrypted file has no recognisable beginning (header) or end (footer), which is exactly what file-carving tools key on.
File signatures [4]
File type               Header signature (hex)      Footer (hex)
Microsoft Office file   D0 CF 11 E0 A1 B1 1A E1     (none listed)
JPG file                FF D8 FF E0                 FF D9
PDF file                25 50 44 46 ("%PDF")        (none listed)
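A small triage routine for the header/footer check described above, written for this page as an added example (it is not code from the slides). It applies the signature table to a byte string and falls back to Shannon entropy when no signature matches, which is the practical way to separate an intact document from a CryptoWall-style ciphertext blob. The 64-byte PDF sample is taken from the slide's own hex dump; the "encrypted" sample is a constructed deterministic SHA-256 chain that merely stands in for ciphertext and is not CryptoWall's cipher.

```python
import hashlib
import math
from typing import Optional

# Header/footer signatures from the slide's table (see also [4]).
# The OLE2 compound-document header's seventh byte is 0x1A.
SIGNATURES = {
    "Microsoft Office (OLE2)": (bytes.fromhex("D0CF11E0A1B11AE1"), None),
    "JPEG": (bytes.fromhex("FFD8FFE0"), bytes.fromhex("FFD9")),
    "PDF": (b"%PDF", None),
}

# First 64 bytes of the PDF shown on the slide ("%PDF-1.5 ... /Type /StructEle").
SAMPLE_PDF_HEADER = bytes.fromhex(
    "25504446 2d312e35 0a25e2e3 cfd30a36"
    "32332030 206f626a 0a3c3c0a 2f502036"
    "30312030 20520a2f 53202f4c 696e6b0a"
    "2f547970 65202f53 74727563 74456c65"
)


def pseudo_random(n: int, seed: bytes = b"constructed ciphertext stand-in") -> bytes:
    """Deterministic SHA-256 chain used as a constructed stand-in for encrypted output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def identify(data: bytes) -> Optional[str]:
    """Return the file type whose header (and footer, when the table lists one) matches."""
    for name, (header, footer) in SIGNATURES.items():
        if data.startswith(header) and (footer is None or data.endswith(footer)):
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, close to 8.0 for ciphertext or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage(data: bytes, threshold: float = 7.0) -> str:
    """Signature check first; entropy only decides when no known header/footer is present."""
    kind = identify(data)
    if kind:
        return f"intact {kind}"
    if shannon_entropy(data) >= threshold:
        return "no known signature, high entropy (likely encrypted)"
    return "no known signature"


def triage_file(path: str, window: int = 4096) -> str:
    """Apply triage() to the head and tail of a file on disk (e.g. a .pdf.ecc from a victim image)."""
    with open(path, "rb") as f:
        head = f.read(window)
        f.seek(0, 2)
        size = f.tell()
        f.seek(max(window, size - window))
        tail = f.read()
    return triage(head + tail)


if __name__ == "__main__":
    print(triage(SAMPLE_PDF_HEADER))
    print(triage(pseudo_random(4096)))
```

The signature check runs before the entropy check on purpose: compressed formats such as ZIP, DOCX and the body of a JPEG also score near 8 bits per byte, so entropy alone would misreport them as encrypted, while an intact header with the wrong entropy is the more interesting anomaly.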
Analysis: network (Wireshark)
• ipinfo.io (looks up the victim's external IP address)
• 7tno4hib47vlep5o.42kjb11.net
• 7tno4hib47vlep5o.42kjb12.net
• 7tno4hib47vlep5o.tor2web.blutmagie.de
• 7tno4hib47vlep5o.tor2web.fi
7tno4hib47vlep5o is the 16-character name of the operators' Tor hidden service; the suffixes are Tor2web-style gateways that let the infected host reach the hidden service over ordinary DNS and HTTP without a Tor client installed.
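The DNS names above are the most reusable indicator in the capture, so here is a detection routine written for this page as an added example (not code from the slides). It flags a 16-character base32 label (the shape of a v2 hidden-service name) sitting under a Tor2web-style gateway, and reports the ipinfo.io lookup separately. The log lines are constructed for the example; the gateway list is taken from the capture above, and the generic "tor2web" label match is an assumption about how other gateways are named.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed DNS query log (date, time, client, query type, query name); not a real capture.
SAMPLE_DNS_LOG = """\
2015-03-23 10:14:02 192.168.56.101 A ipinfo.io
2015-03-23 10:14:05 192.168.56.101 A 7tno4hib47vlep5o.42kjb11.net
2015-03-23 10:14:09 192.168.56.101 A 7tno4hib47vlep5o.42kjb12.net
2015-03-23 10:14:12 192.168.56.101 A 7tno4hib47vlep5o.tor2web.blutmagie.de
2015-03-23 10:14:15 192.168.56.101 A 7tno4hib47vlep5o.tor2web.fi
2015-03-23 10:15:00 192.168.56.101 A www.microsoft.com
2015-03-23 10:15:01 192.168.56.101 A abcdefghijklmnop.example.org
"""

# A v2 Tor hidden-service name is 16 base32 characters (a-z, 2-7).
ONION_V2 = re.compile(r"^[a-z2-7]{16}$")
# Gateway domains from the Wireshark capture above.
KNOWN_GATEWAYS = ("42kjb11.net", "42kjb12.net", "tor2web.blutmagie.de", "tor2web.fi")
IP_LOOKUP_SERVICES = ("ipinfo.io",)


def classify_query(qname: str) -> Optional[str]:
    """Return a verdict string for a suspicious query name, or None for an ordinary one."""
    name = qname.lower().rstrip(".")
    if name in IP_LOOKUP_SERVICES:
        return "external IP lookup"
    labels = name.split(".")
    if len(labels) < 3 or not ONION_V2.match(labels[0]):
        return None
    parent = ".".join(labels[1:])
    if parent in KNOWN_GATEWAYS or "tor2web" in labels:
        return f"onion {labels[0]} via Tor2web gateway {parent}"
    # A 16-char base32 label on its own is weak evidence (ordinary hostnames can
    # match), so it is reported at lower confidence rather than as a hit.
    return f"possible onion {labels[0]} via unknown proxy {parent}"


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Run classify_query over every well-formed line and collect the findings."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, time, client, _qtype, qname = parts
        verdict = classify_query(qname)
        if verdict:
            findings.append({"time": f"{date} {time}", "client": client,
                             "qname": qname, "verdict": verdict})
    return findings


def onion_names(findings: List[Dict[str, str]]) -> Set[str]:
    """Distinct hidden-service names seen, for pivoting to other hosts or captures."""
    return {f["qname"].split(".")[0] for f in findings
            if f["verdict"].startswith(("onion ", "possible onion "))}


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f["time"], f["client"], f["qname"], "->", f["verdict"])
```

Blocking the specific gateway domains is brittle (the operators rotate them); the onion label is the stable part, which is why the routine extracts it so it can be matched across gateways and across captures.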
Analysis: forensic
Observed file lifecycle
• Reads the .pdf and saves it as a new .pdf
• Moves the new .pdf to .pdf.ecc
  • Deletes the new .pdf
  • Creates the .pdf.ecc
Forensic tools used to attempt recovery
• Scalpel, EnCase Forensic
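The read, write, rename sequence above is also a detection signature in Process Monitor output. The routine below is an added example written for this page (not code from the slides): it reconstructs per-file lifecycles from a CSV in the layout of a Process Monitor export and flags any process that reads a file, writes to the same path and then renames it with an extra extension. The events, process names and paths are constructed to match what the slides describe; the column names follow Process Monitor's CSV export, and the rename detail format ("FileName: <new path>") is what that export shows for SetRenameInformationFile.

```python
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed events in the layout of a Process Monitor CSV export; not a real capture.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:21:03.1","kdtsndl.exe","1532","CreateFile","C:\Documents and Settings\winXP\My Documents\report.pdf","SUCCESS","Desired Access: Generic Read/Write"
"10:21:03.2","kdtsndl.exe","1532","ReadFile","C:\Documents and Settings\winXP\My Documents\report.pdf","SUCCESS","Offset: 0, Length: 65,536"
"10:21:03.3","kdtsndl.exe","1532","WriteFile","C:\Documents and Settings\winXP\My Documents\report.pdf","SUCCESS","Offset: 0, Length: 65,552"
"10:21:03.4","kdtsndl.exe","1532","SetRenameInformationFile","C:\Documents and Settings\winXP\My Documents\report.pdf","SUCCESS","FileName: C:\Documents and Settings\winXP\My Documents\report.pdf.ecc"
"10:21:03.5","kdtsndl.exe","1532","ReadFile","C:\Documents and Settings\winXP\My Documents\photo.jpg","SUCCESS","Offset: 0, Length: 204,800"
"10:21:03.6","kdtsndl.exe","1532","WriteFile","C:\Documents and Settings\winXP\My Documents\photo.jpg","SUCCESS","Offset: 0, Length: 204,816"
"10:21:03.7","kdtsndl.exe","1532","SetRenameInformationFile","C:\Documents and Settings\winXP\My Documents\photo.jpg","SUCCESS","FileName: C:\Documents and Settings\winXP\My Documents\photo.jpg.ecc"
"10:21:03.8","kdtsndl.exe","1532","WriteFile","C:\Documents and Settings\winXP\Application Data\key.dat","SUCCESS","Offset: 0, Length: 1,024"
"10:21:04.0","winword.exe","2210","ReadFile","C:\Documents and Settings\winXP\My Documents\memo.docx","SUCCESS","Offset: 0, Length: 12,288"
"10:21:04.1","winword.exe","2210","WriteFile","C:\Documents and Settings\winXP\My Documents\memo.docx","SUCCESS","Offset: 0, Length: 12,290"
'''


def reconstruct(csv_text: str) -> List[Dict[str, str]]:
    """Find (process, path) pairs that were read, written and then renamed with an added extension."""
    seen_ops: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue
        key = (row["Process Name"], row["Path"])
        op = row["Operation"]
        if op in ("ReadFile", "WriteFile"):
            seen_ops[key].add(op)
        elif op == "SetRenameInformationFile":
            new_name = row["Detail"].split("FileName: ", 1)[-1]
            # The encrypt-in-place pattern: plaintext read, ciphertext written to the
            # same path, then the path renamed to <original>.<suffix>.
            if "WriteFile" in seen_ops[key] and new_name.startswith(row["Path"] + "."):
                findings.append({
                    "process": row["Process Name"],
                    "pid": row["PID"],
                    "original": row["Path"],
                    "renamed_to": new_name,
                    "added_extension": new_name[len(row["Path"]):],
                    "read_first": "yes" if "ReadFile" in seen_ops[key] else "no",
                })
    return findings


def suspicious_processes(findings: List[Dict[str, str]], min_files: int = 2) -> Dict[Tuple[str, str], int]:
    """Processes that renamed at least min_files files this way; one file is normal, many is ransomware."""
    counts = Counter((f["process"], f["pid"]) for f in findings)
    return {k: v for k, v in counts.items() if v >= min_files}


if __name__ == "__main__":
    found = reconstruct(SAMPLE_PROCMON_CSV)
    for f in found:
        print(f["process"], f["original"], "->", f["renamed_to"])
    print(suspicious_processes(found))
```

Because the ciphertext is written to the original path (offset 0) before the rename, the plaintext clusters are overwritten rather than merely unlinked, which is consistent with Scalpel and EnCase finding nothing to carve; the same log would let an investigator list every file the process touched, which the header/footer check on the .ecc files alone cannot.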
Analysis: forensic
[Diagram: the same flow from the disk's point of view, with the steps numbered 1, 2, 3. Load: the original .pdf (header bytes 2550 4446 2d31 2e35 ... = "%PDF-1.5") is read into memory. Write: the encrypted bytes are written to the new .pdf, which no longer carries the PDF header. Delete: the new .pdf is removed once the .pdf.ecc copy exists.]
Conclusion
Ransomware characteristics
• TOR network
• Bitcoin
• No internet connection required for the encryption to run
• Encrypted files could not be carved with Scalpel / EnCase
• Delivered by email attachment
• Delivered by email link
Further analysis
• Dynamic: debugger
• Static: reverse engineering
References
1. Fruz, A. (2014). Cryptolocker. InfoSec Institute. resources.infosecinstitute.com/cryptolocker/
2. VirusTotal (2015). CryptoWall file identification. https://www.virustotal.com/en/file/685a9578c314b8a191160e89313674772cfa4adcb73112336321eb06ddd750c9/analysis/
3. JAMESWT (2015). Cryptowall (2015 03 23). Malware Tips. http://malwaretips.com/threads/cryptowall-2015-03-23.43940/
4. Kessler, G. (2014). File Signature Table. http://www.garykessler.net/library/file_sigs.html
5. Dell SecureWorks Counter Threat Unit Threat Intelligence (2014). CryptoWall Ransomware. http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
6. Malwr.com (2015). CryptoWall file identification. https://malwr.com/analysis/ZDQ5OGI2NDMzNDJjNGQxYzkyNGVjM2U1YTIxZDUzNzU/