CryptoWall: How It Works


Transcript of CryptoWall: How It Works

CryptoWall 3.0: How It Works (Term Project)

CS690 Network Security

Tandhy Simanjuntak

Agenda

• History
• Infection
• Tools
• Analysis
• Conclusion

History

CryptoWall
• File-encrypting ransomware
• First seen Q1 2014; earliest activity traces back to November 2013 [5]
• Related families: CryptoClone, CryptoDefense [5]
• Relies on encrypted, anonymous infrastructure: the TOR network and Bitcoin

Infection

Infection vectors
• Email: malicious attachments, or links that lead to a download request
• Browser exploit kits (drive-by download)

Infection: email

Subject lines used by the CryptoWall spam campaigns [5]:
• USPS – Your package is available for pickup (Parcel 173145820507)
• Fwd: IMG01041_6706015_m.zip
• FW: Invoice <random number>
• My resume
• ADP payroll: Account Charge Alert
• New Voicemail Message
• Important – attached form
• Important – New Outlook Settings
• FW: Last Month Remit
• Scan Data
• McAfee Always On Protection Reactivation
• New contract agreement
• Scanned Image from a Xerox WorkCentre
• Important Notice – Incoming Money Transfer
• Payroll Invoice
• Payment Overdue – Please respond

The message carries either a malicious attachment or a link to the downloader.

Infection: Upatre downloader

• June 5th 2014: largest single-day infection
• Payloads hosted on legitimate cloud services: Dropbox, Cubby, and MediaFire
• Delivered alongside banking Trojans: Gameover Zeus, Dyre

Tools

Dynamic analysis
• Process Explorer
• Process Monitor
• Wireshark
• RegShot / CaptureBAT

Static analysis
• REMnux: pyew, strings, pescanner, DensityScout, TrID
• Hex editor

Forensic
• Scalpel
• EnCase Forensic

Lab environment
• Host: Kali Linux
• Victim VM: Windows XP

Analysis

Files created (Process Monitor)
• Cryptowall.exe (the original sample) drops C:\Documents and Settings\<user>\Application Data\<random name>.exe (%AppData%; in this run the file was kdtsndl.exe)
• kdtsndl.exe creates C:\Documents and Settings\<user>\Application Data\key.dat
• kdtsndl.exe creates C:\Documents and Settings\<user>\Desktop\log.html

Dynamic analysis: key.dat

Content of key.dat as observed in this run:

114GCa7RevREjed65TRCepdLPPpbxh7Pa4

Registry values created (persistence)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscfg:
"C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*mscfg:
"C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"

Both values start the dropped executable at the next logon; the asterisk prefix on the RunOnce value tells Windows to run it even when the machine boots into Safe Mode.
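To turn the two registry values above into a repeatable check, here is an added example (not part of the original analysis) that triages RegShot-style "values added" lines: it flags Run/RunOnce entries whose target lives in a user-writable directory, and RunOnce names carrying the Safe Mode asterisk. The line format, the regular expressions, and the benign VMware entry in the sample are assumptions made for the example.

```python
"""Triage Run/RunOnce registry values captured by a RegShot-style diff.
Added example for this page, not part of the original analysis."""
import re

# Line format modelled on the RegShot "values added" lines quoted above:
#   <hive>\<key path>\<value name>: "<data>"
VALUE_LINE = re.compile(r'^(?P<key>HK\w+\\.*?)\\(?P<name>[^\\]+): (?P<data>.*)$')
AUTORUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
# Directories an unprivileged user can write to on Windows XP and later.
USER_WRITABLE = re.compile(
    r'\\Application Data\\|\\AppData\\|\\Local Settings\\|\\Temp\\|%AppData%',
    re.IGNORECASE)


def triage_autoruns(lines):
    """Return one finding per suspicious autorun value as
    (key, value name, target path, [reasons]); benign entries are dropped."""
    findings = []
    for line in lines:
        m = VALUE_LINE.match(line.strip())
        if not m or not AUTORUN_KEY.search(m["key"]):
            continue
        path = m["data"].strip().strip('"')
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("autorun target in user-writable directory")
        if m["name"].startswith("*"):
            # A leading asterisk on a RunOnce value makes Windows run it
            # even when booting into Safe Mode.
            reasons.append("RunOnce value also runs in Safe Mode (* prefix)")
        if reasons:
            findings.append((m["key"], m["name"], path, reasons))
    return findings


# Constructed sample: the two values from the analysis above plus a benign
# autorun (VMware Tools) and an unrelated value, neither of which is flagged.
SAMPLE_DIFF = [
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscfg: "C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*mscfg: "C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware User Process: "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"',
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001',
]

if __name__ == "__main__":
    for key, name, path, reasons in triage_autoruns(SAMPLE_DIFF):
        print(f"{key}\\{name} -> {path}\n    " + "; ".join(reasons))
```

On a live system the same logic applies to the output of `reg query` or to the Sysinternals Autoruns export; only the line parser changes.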

Cleanup

• Deletes the original sample from the location it was launched from (Desktop)
• Deletes the Volume Shadow Copies, so previous versions of the files cannot be restored

Analysis: Encryption

Original .pdf file, first 64 bytes (four 16-byte reads):

  2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36   %PDF-1.5.%.....6
  3233 2030 206f 626a 0a3c 3c0a 2f50 2036   23 0 obj.<<./P 6
  3031 2030 2052 0a2f 5320 2f4c 696e 6b0a   01 0 R./S /Link.
  2f54 7970 6520 2f53 7472 7563 7445 6c65   /Type /StructEle

Sequence observed (the cryptography goes through Windows CryptoAPI):
1. The original .pdf file is loaded into memory, 16 bytes at a time.
2. A new .pdf file is written. In memory and in the new file the original 16-byte rows show up shifted and re-ordered, and the leading rows no longer carry the PDF header (xxxx = bytes that do not match the original):

  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
  xxxx 2f54 7970 6520 2f53 7472 7563 7445
  3c0a 3031 2030 2052 0a2f 5320 2f4c 696e
  6b0a 3233 2030 206f 626a 0a3c 3c0a 2f50

  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
  xxxx 2030 206f 626a 0a3c 3c0a 2f50 2036
  2f54 7970 6520 2f53 7472 7563 7445 3c0a
  3031 2030 2052 0a2f 5320 2f4c 696e 6b0a

  3233 2030 206f 626a 0a3c 3c0a 2f50 2036
  0a36 4446 2d31 2e35 0a25 e2e3 cfd3 0a36

3. The new .pdf file is moved to <name>.pdf.ecc:
   • loads the new .pdf file
   • creates the .pdf.ecc file
   • deletes the new .pdf file

Targeted file extensions (* = wildcard, e.g. .py* also covers .pyc):

.3fr, .7z*, .ai*, .apk, .arw, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .bsa, .cas, .cdr, .cer,
.cr2, .crt, .crw, .css, .csv, .das, .db, .db*, .dcr, .der, .dmp, .dng, .doc, .docx, .dwg, .dxg, .epk, .eps, .erf,
.ff, .ff*, .flv, .fos, .fpk, .fsh, .gdb, .gho, .hkx, .itl, .itm, .iwd, .iwi, .jpe, .jpg, .js, .js*, .kdb, .kdc, .kf, .kf*,
.lrf, .ltx, .lvl, .m2, .m2*, .m3u, .m4a, .map, .mdb, .mdf, .mef, .mlx, .mov, .mp4, .ncf, .nrw, .ntl, .odb, .odc,
.odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pak, .pdd, .pdf, .pef, .pem, .pfx, .png, .ppt, .pptx, .psd, .psk,
.ptx, .py, .py*, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .rb*, .re4, .rim, .rtf, .rw2, .rwl, .sav, .sb, .sb*, .sid, .sie,
.slm, .snx, .sql, .sr2, .srf, .srw, .sum, .svg, .t12, .t13, .tax, .tor, .txt, .upk, .vcf, .vdf, .vpk, .vtf,
.wb2, .wma, .wmo, .wmv, .wpd, .wps, .x3f, .xf, .xf8, .xlk, .xls, .xlsx, .xxx, .zip

Analysis: Encryption (observations)

• Internet independent: encryption proceeds without a network connection.
• Two things were examined on the encrypted file: the modules loaded while it was written, and its file signature.
• Normal file creation: 21 modules loaded.
• CryptoWall file creation: 50 modules loaded, including Windows' cryptographic module crypt32.dll.

Analysis: Encryption (raw data pattern of the encrypted file)

What to compare:
• Beginning / header
• End / footer

File signatures used for the comparison [4]:

File type               Signature
Microsoft Office        D0 CF 11 E0 A1 B1 1A E1 (OLE2 compound file: legacy .doc/.xls/.ppt; the Office Open XML formats .docx/.xlsx/.pptx are ZIP containers and start with 50 4B 03 04)
JPG                     header FF D8 FF E0, footer FF D9
PDF                     header 25 50 44 46 (%PDF), normally ending with %%EOF

Compared in the hex editor (screenshots): un-encrypted vs. encrypted .docx file, and un-encrypted vs. encrypted .pdf file. The encrypted copies no longer begin with the expected signature, so nothing identifies them as Office or PDF files any more.
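As an added example, not the author's code, the signature comparison above as a script: it classifies a file as ok, mismatch or unknown from its extension, first bytes and last bytes, and goes a little beyond the table by handling the Office Open XML (ZIP) case and the JPG footer. The sample files are constructed in memory; the PDF header reuses the 64 bytes from the hex dump earlier in the analysis, and the "encrypted" copy is a byte-wise complement that merely destroys the signature (nothing about CryptoWall's cipher is assumed).

```python
"""Compare a file's first and last bytes with the signature expected for
its extension. Added example for this page, not the author's own code;
the sample files at the bottom are constructed in memory."""
import os

# Signatures from the table above (Kessler [4]). .docx/.xlsx/.pptx are ZIP
# containers (50 4B 03 04); the OLE2 signature D0 CF 11 E0 A1 B1 1A E1 belongs
# to the legacy .doc/.xls/.ppt formats.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP = b"PK\x03\x04"
SIGNATURES = {  # extension -> (accepted headers, accepted footers)
    ".pdf":  ([b"%PDF"], [b"%%EOF"]),
    ".jpg":  ([b"\xff\xd8\xff"], [b"\xff\xd9"]),
    ".jpeg": ([b"\xff\xd8\xff"], [b"\xff\xd9"]),
    ".doc":  ([OLE2], []),
    ".xls":  ([OLE2], []),
    ".ppt":  ([OLE2], []),
    ".docx": ([ZIP], []),
    ".xlsx": ([ZIP], []),
    ".pptx": ([ZIP], []),
}
HEAD_LEN = 16
TAIL_LEN = 1024   # %%EOF is normally followed by a line break, so search a window


def check_bytes(name, head, tail):
    """Return 'ok', 'mismatch' or 'unknown' for a file name plus its first and
    last bytes. 'unknown' covers extensions not in the table, which is what a
    renamed .pdf.ecc file produces."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in SIGNATURES:
        return "unknown"
    headers, footers = SIGNATURES[ext]
    if not any(head.startswith(h) for h in headers):
        return "mismatch"
    if footers and not any(f in tail for f in footers):
        return "mismatch"
    return "ok"


def check_file(path):
    """Classify a file on disk, reading only its head and tail."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_LEN)
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - TAIL_LEN))
        tail = fh.read()
    return check_bytes(path, head, tail)


def scan_directory(root):
    """Yield (path, status) for every file under root. After an incident the
    'mismatch' entries are the ones to look at first."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                yield p, check_file(p)
            except OSError:
                yield p, "unreadable"


# Constructed samples. PDF_HEAD is the 64 bytes shown in the hex dump above.
PDF_HEAD = bytes.fromhex(
    "2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36"
    "3233 2030 206f 626a 0a3c 3c0a 2f50 2036"
    "3031 2030 2052 0a2f 5320 2f4c 696e 6b0a"
    "2f54 7970 6520 2f53 7472 7563 7445 6c65")
GOOD_PDF = PDF_HEAD + b"m\n>>\nendobj\n%%EOF\n"
# Stand-in for an encrypted copy: the byte-wise complement destroys the
# signature. This says nothing about CryptoWall's real cipher.
SCRAMBLED_PDF = bytes(b ^ 0xFF for b in GOOD_PDF)
GOOD_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32 + b"\xff\xd9"
TRUNCATED_JPG = GOOD_JPG[:-2]            # footer missing

SAMPLES = {
    "report.pdf": GOOD_PDF,
    "report_encrypted.pdf": SCRAMBLED_PDF,  # encrypted but still named .pdf
    "report.pdf.ecc": SCRAMBLED_PDF,        # renamed the way CryptoWall does
    "photo.jpg": GOOD_JPG,
    "photo_cut.jpg": TRUNCATED_JPG,
}


def demo():
    """Classify the constructed samples; returns {name: status}."""
    return {name: check_bytes(name, data[:HEAD_LEN], data[-TAIL_LEN:])
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:<9}{name}")
```

`scan_directory` is what you would point at a recovered volume: every "mismatch" is a file whose name still claims a type its bytes no longer have, and every "unknown" with a double extension such as .pdf.ecc is a renamed one.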

Analysis: Network

Hosts contacted by the sample:
• ipinfo.io (public IP lookup service)
• 7tno4hib47vlep5o.42kjb11.net
• 7tno4hib47vlep5o.42kjb12.net
• 7tno4hib47vlep5o.tor2web.blutmagie.de
• 7tno4hib47vlep5o.tor2web.fi

The last four names all carry the same hidden-service name (7tno4hib47vlep5o) and reach it through different Tor2Web-style gateways, so the TOR network is used without the victim machine needing a TOR client. Captured traffic to 7tno4hib47vlep5o.42kjb11.net was examined in Wireshark.

Analysis: Static

• REMnux: pyew, strings, pescanner, DensityScout, TrID

Analysis: Forensic

File handling observed:
• Reads the .pdf and saves it as a new .pdf
• Moves the new .pdf to .pdf.ecc
  • deletes the new .pdf
  • creates the .pdf.ecc

Forensic tools
• Scalpel, EnCase Forensic

The same .pdf operation seen from the forensic side (hex dump as in the Encryption section):
1. Load: the original .pdf (starting 25 50 44 46 2d 31 2e 35 = %PDF-1.5) is read into memory.
2. Write: a new .pdf file is written whose leading bytes (xxxx) are not the original header; the original rows follow shifted and re-ordered.
3. Delete: the intermediate file is deleted once the .pdf.ecc copy exists.

Only the copy without a recognisable header remains on disk. A carver that searches unallocated space for the %PDF signature therefore finds nothing to recover.
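The "unable to carve" result above, reproduced as an added example (not the author's code): a minimal header/footer carver of the kind Scalpel implements, run over a constructed in-memory "disk image" that holds the original PDF, an encrypted copy, and a header fragment without a footer. The carve rules, the layout of the image and the single-byte XOR stand-in for the ransomware's cipher are assumptions for the example.

```python
"""Header/footer carving of the kind Scalpel performs, run over a constructed
in-memory 'disk image'. Added example for this page, not the author's code."""

# Scalpel-style rules: extension -> (header, footer, maximum carve size).
CARVE_RULES = {
    "pdf": (b"%PDF", b"%%EOF", 5_000_000),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 5_000_000),
}


def carve(image, rules=CARVE_RULES):
    """Return [(ext, offset, data)] for every header that has a matching footer
    within the rule's maximum size, sorted by offset. A header with no footer in
    range (a truncated or partly overwritten file) is skipped, as a real carver
    would skip it."""
    found = []
    for ext, (header, footer, max_size) in rules.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            stop = image.find(footer, start + len(header), start + max_size)
            if stop < 0:
                pos = start + 1
                continue
            end = stop + len(footer)
            found.append((ext, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


# Constructed plaintext: the 64 header bytes from the hex dump above, a short
# body and the %%EOF trailer.
PDF_HEAD = bytes.fromhex(
    "2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36"
    "3233 2030 206f 626a 0a3c 3c0a 2f50 2036"
    "3031 2030 2052 0a2f 5320 2f4c 696e 6b0a"
    "2f54 7970 6520 2f53 7472 7563 7445 6c65")
ORIGINAL_PDF = PDF_HEAD + b"m\n>>\nendobj\n%%EOF"

# Stand-in for the ransomware's output: XOR with a single byte is enough to
# remove the %PDF header and %%EOF trailer from the copy. It is an assumption
# for this example, not CryptoWall's cipher.
ENCRYPTED_PDF = bytes(b ^ 0xA5 for b in ORIGINAL_PDF)
FILLER = b"\x00" * 512


def build_image():
    """Unallocated space as a carver sees it: filler, the original .pdf, filler,
    the encrypted copy (what .pdf.ecc holds), filler, a header-only fragment."""
    return (FILLER + ORIGINAL_PDF + FILLER + ENCRYPTED_PDF + FILLER
            + PDF_HEAD + FILLER)


def carve_demo():
    """Carve the constructed image; returns [(ext, offset, size)]."""
    return [(ext, off, len(data)) for ext, off, data in carve(build_image())]


if __name__ == "__main__":
    encrypted_at = 2 * len(FILLER) + len(ORIGINAL_PDF)
    print(f"encrypted copy sits at offset {encrypted_at}, "
          f"header fragment at {encrypted_at + len(ENCRYPTED_PDF) + len(FILLER)}")
    for ext, off, size in carve_demo():
        print(f"carved {ext} at offset {off}, {size} bytes")
```

Run it and only the plaintext copy at offset 512 comes back: the encrypted copy has neither header nor footer to anchor on, and the header-only fragment is rejected because no footer follows it. This is the mechanical reason the conclusion lists "unable to carve".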

Conclusion

Ransomware
• TOR network and Bitcoin keep the operators anonymous
• Encryption does not need Internet access
• Encrypted files cannot be carved back: the header and footer signatures are gone

Email
• Attachment
• Link

Further analysis
• Dynamic: debugger
• Static: reverse engineering

Be paranoid!

References

1. Fruz, A. (2014). Cryptolocker. Retrieved from InfoSec Institute site: resources.infosecinstitute.com/cryptolocker/
2. VirusTotal (2015). CryptoWall file identification. Retrieved from VirusTotal site: https://www.virustotal.com/en/file/685a9578c314b8a191160e89313674772cfa4adcb73112336321eb06ddd750c9/analysis/
3. JAMESWT (2015). Cryptowall (2015 03 23). Retrieved from Malware Tips site: http://malwaretips.com/threads/cryptowall-2015-03-23.43940/
4. Kessler, G. (2014). File Signature Table. Retrieved from Gary Kessler site: http://www.garykessler.net/library/file_sigs.html
5. Dell SecureWorks Counter Threat Unit Threat Intelligence (2014). CryptoWall Ransomware. Retrieved from Dell SecureWorks site: http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
6. Malwr.com (2015). CryptoWall file identification. Retrieved from Malwr site: https://malwr.com/analysis/ZDQ5OGI2NDMzNDJjNGQxYzkyNGVjM2U1YTIxZDUzNzU/