CryptoDefense


Postby Cody Johnston » Thu Mar 20, 2014 12:23 am

Hi All,

Thanks to Fabian, Grinler, and decrypterfixer (BleepingComputer.com) for the info and samples on this post.

There is a new crypto-ransomware going around called CryptoDefense. It uses RSA-2048 and seems to work similarly to CryptoLocker, aside from the fact that there is no actual UI. The elements of the UI that CryptoLocker would use are now shown to the user via a web service. It does not look like there is a feasible way to decrypt the files without payment at this point.

It drops an HTML file, a txt file, and an Internet Shortcut (which points to hxxps://rj2bocejarqnpuhm.onion.to/).

HTML: (screenshot not included)

From there we can go to the website on TOR:

Captcha Protection: (screenshot not included)

Payment: (screenshot not included)

FAQ: (screenshot not included)

Screenshot (not always working but 80 - 90% of the time): (screenshot not included)

Test Decryption: (screenshot not included)

Calls home to:

hxxp://machetesraka.com (185.10.56.103 at the time of writing)


Example requests:

http://machetesraka.com/5li5hybsd1
http://machetesraka.com/0r24wp6yj05a8
http://machetesraka.com/6b3dpt13rqu8t


These requests contain the private key and a unique identifier for each PC, which is uploaded to the C2 before encryption.

The dropper and decrypter are pretty heavily obfuscated.

Dropper (647f242.exe):

VirusTotal (13/50):
MD5 d43abef5a62b46a660a5128330070479
https://www.virustotal.com/en/file/0099 ... 395155742/

Decrypter (decrypter.exe):

VirusTotal (12/50):
MD5 cde1a96c7d1fc4fd04d4f076b936e9a0
https://www.virustotal.com/en/file/4913 ... 395270965/

Binary taken from dropper (this does the actual encryption - _003E000.exe):

VirusTotal (8/50):
MD5 f57d188c4667fab46208396af20badd2
https://www.virustotal.com/en/file/8783 ... 395274352/
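As an added example (not code from the original post): the call-home indicators above are listed defanged, so this script refangs them into a host list, scans a constructed proxy log in an assumed "<timestamp> <client> <method> <url> <status>" format, and pulls out the per-PC request path so a responder can locate that victim's upload in a packet capture.

```python
"""Match proxy-log requests against the CryptoDefense call-home indicators
quoted in the post above and extract the per-victim request path.
Added example, not the poster's own tooling; the log format and the
sample lines are constructed for this example."""
import re
from urllib.parse import urlsplit

# Indicators exactly as written in the post (defanged with hxxp://).
RAW_IOCS = ["hxxp://machetesraka.com", "185.10.56.103",
            "hxxps://rj2bocejarqnpuhm.onion.to/"]

def refang(ioc):
    """Normalise a defanged indicator to a bare lowercase host (or IP)."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.I)
    if "://" not in ioc:
        ioc = "http://" + ioc          # bare IP or domain
    return (urlsplit(ioc).hostname or "").lower()

C2_HOSTS = {refang(i) for i in RAW_IOCS}

# Constructed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

def find_c2_requests(lines):
    """Return (client, host, path) for each request to a known C2 host.
    The path is the per-PC identifier the post describes; it lets IR find
    that machine's key upload in a capture taken before encryption."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        u = urlsplit(m["url"])
        host = (u.hostname or "").lower()
        if host in C2_HOSTS:
            hits.append((m["client"], host, u.path.strip("/")))
    return hits

SAMPLE_LOG = """\
2014-03-19T23:58:01Z 10.0.0.21 GET http://machetesraka.com/5li5hybsd1 200
2014-03-19T23:58:02Z 10.0.0.21 GET http://www.bleepingcomputer.com/ 200
2014-03-19T23:59:40Z 10.0.0.35 GET http://185.10.56.103/0r24wp6yj05a8 200
2014-03-20T00:01:10Z 10.0.0.35 POST http://updates.example.test/check 204
""".splitlines()

if __name__ == "__main__":
    for hit in find_c2_requests(SAMPLE_LOG):
        print(hit)
```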

Re: CryptoDefense

Postby Grinler » Thu Mar 20, 2014 12:44 am

I put up a guide here of all the info we have compiled so far:

http://www.bleepingcomputer.com/virus-r ... nformation

I am sure once you gurus analyze this more there will be corrections to be made.
BleepingComputer.com

Re: CryptoDefense

Postby Artilllerie » Fri Mar 21, 2014 4:50 pm

Hello,

For information, on my side I found these API calls from a svchost process on a first run:

Function : 000A3E20 :
CryptGenKey
CryptExportKey

Function : 000A36E0 :
HttpOpenRequestA

And on another run I checked and it seems to have many threads still in the svchost process:

(screenshot not included)

To be continued ;).

Re: CryptoDefense

Postby Fabian Wosar » Fri Apr 04, 2014 2:52 am

The malware author released a new variant of his malware using different C2 domains and fixing his mistake of saving the private key on the victim's PC that Symantec conveniently pointed out to him roughly 24 hours before this new version was compiled. I also included the unpacked malware. It has been patched to start right at the file encryption stage for easier debugging of the key generation/encryption.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Re: CryptoDefense

Postby colbyiscute4e » Sat Apr 19, 2014 10:45 pm

These requests contain the private key and a unique identifier for each PC, which is uploaded to the C2 before encryption.

The dropper and decrypter are pretty heavily obfuscated.

When you say decrypter, do you mean it decrypts the files?

Re: CryptoDefense

Postby Sakiwinkie » Tue Jun 10, 2014 5:28 pm

New version of the virus distributed today.

https://www.virustotal.com/en/file/fc5e ... /analysis/

It is not being picked up by very many antivirus scanners yet.

Re: CryptoDefense

Postby Artilllerie » Wed Jun 11, 2014 1:05 pm

C&C is: newsbrontima.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Behavior found in the newly created svchost process:

(screenshot not included)

PID 3E8,VOICE-864169741-28641.scr: New process.
PID 3E8,VOICE-864169741-28641.scr: Loaded module MSCTF.dll at 0x74690000
PID 3E8,VOICE-864169741-28641.scr: Loaded module ADVAPI32.dll at 0x77DA0000
PID 3E8,VOICE-864169741-28641.scr: Loaded module RPCRT4.dll at 0x77E50000
PID 3E8,VOICE-864169741-28641.scr: Loaded module COMCTL32.DLL at 0x77390000
PID 3E8,VOICE-864169741-28641.scr: Loaded module SHLWAPI.dll at 0x77F40000
PID 3E8,VOICE-864169741-28641.scr: Loaded module UxTheme.dll at 0x5B090000
PID 3E8,VOICE-864169741-28641.scr: Loaded module ole32.dll at 0x774A0000
PID 3E8,VOICE-864169741-28641.scr: Loaded module gdiplus.dll at 0x4EB80000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x401000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x950000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x4EB81000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x5B091000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x74691000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x77391000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x774A1000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x77DA1000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x77E51000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x77F41000
PID 3E8,VOICE-864169741-28641.scr: Terminated.

PID 590,svchost.exe: New process.
PID 590,svchost.exe: Loaded module wsock32.dll at 0x71A10000
PID 590,svchost.exe: Loaded module RASAPI32.DLL at 0x76E90000
PID 590,svchost.exe: Loaded module rasman.dll at 0x76E40000
PID 590,svchost.exe: Loaded module NETAPI32.dll at 0x6FEE0000
PID 590,svchost.exe: Loaded module TAPI32.dll at 0x76E60000
PID 590,svchost.exe: Loaded module rtutils.dll at 0x76E30000
PID 590,svchost.exe: Loaded module sensapi.dll at 0x72220000
PID 590,svchost.exe: New executable heap at 0x6FEE1000
PID 590,svchost.exe: New executable heap at 0x71A11000
PID 590,svchost.exe: New executable heap at 0x72221000
PID 590,svchost.exe: New executable heap at 0x76E31000
PID 590,svchost.exe: New executable heap at 0x76E41000
PID 590,svchost.exe: New executable heap at 0x76E61000
PID 590,svchost.exe: New executable heap at 0x76E91000
PID 590,svchost.exe: Loaded module mswsock.dll at 0x71990000
PID 590,svchost.exe: Loaded module DNSAPI.dll at 0x76ED0000
PID 590,svchost.exe: Loaded module rasadhlp.dll at 0x76F70000
PID 590,svchost.exe: Loaded module hnetcfg.dll at 0x62E40000
PID 590,svchost.exe: Loaded module wshtcpip.dll at 0x719D0000
PID 590,svchost.exe: New executable heap at 0x62E41000
PID 590,svchost.exe: New executable heap at 0x71991000
PID 590,svchost.exe: New executable heap at 0x719D1000
PID 590,svchost.exe: New executable heap at 0x76ED1000
PID 590,svchost.exe: New executable heap at 0x76F71000
PID 590,svchost.exe: Loaded module rsaenh.dll at 0xFFD0000
PID 590,svchost.exe: New executable heap at 0xFFD1000
PID 31C,svchost.exe: Loaded module Apphelp.dll at 0x77B50000
PID 31C,svchost.exe: New executable heap at 0x77B51000
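An added example, not the poster's tooling: a heuristic over trace lines in the format shown above that flags an svchost.exe which loads both rsaenh.dll (the CryptoAPI RSA provider behind CryptGenKey/CryptExportKey) and a Winsock/DNS stack, the pairing this thread reports; the sample trace is a constructed subset of the one posted.

```python
"""Heuristic over sandbox trace lines in the format shown in the post above
('PID <hex>,<image>: <event>'): flag a system-named process that loads both
the CryptoAPI RSA provider and a network stack, the combination the thread
reports (CryptGenKey/CryptExportKey plus HttpOpenRequestA inside svchost).
Added example, not the poster's tooling; SAMPLE_TRACE is a constructed subset."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^PID ([0-9A-Fa-f]+),([^:]+): (.*)$")
MODULE_RE = re.compile(r"^Loaded module (\S+) at 0x[0-9A-Fa-f]+$")

CRYPTO_DLLS = {"rsaenh.dll"}  # Microsoft Enhanced RSA/AES provider
NET_DLLS = {"wsock32.dll", "mswsock.dll", "dnsapi.dll", "wshtcpip.dll"}

def parse_trace(lines):
    """Group events per PID: image name and lowercased set of loaded modules."""
    procs = defaultdict(lambda: {"image": "", "modules": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = procs[m.group(1).upper()]
        p["image"] = m.group(2)
        mod = MODULE_RE.match(m.group(3))
        if mod:
            p["modules"].add(mod.group(1).lower())
    return dict(procs)

def flag_crypto_beacons(lines, host_images=("svchost.exe",)):
    """PIDs of host_images processes that load both an RSA provider and a
    network stack. A plain svchost (PID 31C below) loads neither and passes."""
    hits = []
    for pid, p in parse_trace(lines).items():
        if p["image"].lower() not in host_images:
            continue
        if p["modules"] & CRYPTO_DLLS and p["modules"] & NET_DLLS:
            hits.append(pid)
    return hits

SAMPLE_TRACE = """\
PID 3E8,VOICE-864169741-28641.scr: New process.
PID 3E8,VOICE-864169741-28641.scr: Terminated.
PID 590,svchost.exe: New process.
PID 590,svchost.exe: Loaded module wsock32.dll at 0x71A10000
PID 590,svchost.exe: Loaded module DNSAPI.dll at 0x76ED0000
PID 590,svchost.exe: Loaded module rsaenh.dll at 0xFFD0000
PID 31C,svchost.exe: Loaded module Apphelp.dll at 0x77B50000
""".splitlines()

if __name__ == "__main__":
    print(flag_crypto_beacons(SAMPLE_TRACE))
```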

Re: CryptoDefense

Postby colbyiscute4e » Tue Jul 08, 2014 12:50 pm

Fabian Wosar wrote:The malware author released a new variant of his malware using different C2 domains and fixing his mistake of saving the private key on the victim's PC that Symantec conveniently pointed out to him roughly 24 hours before this new version was compiled. I also included the unpacked malware. It has been patched to start right at the file encryption stage for easier debugging of the key generation/encryption.


Does anyone know how to tell the old one from the new one? And where is the private key on the system?

Cody Johnston wrote:These request contain the private key and a unique identifier for each PC, which is uploaded to the C2 before encryption.


If a business server got it and it had logs, could you decrypt the log file and find the key?

Re: CryptoDefense

Postby Cody Johnston » Tue Jul 08, 2014 4:12 pm

colbyiscute4e wrote:When you say decrypter, do you mean it decrypts the files?


Yes, the same one that the author supplies to victims.

colbyiscute4e wrote:Does anyone know how to tell the old one from the new one?


Download Fabian's uploaded sample, and my original uploaded sample and look for yourself ;)

colbyiscute4e wrote:And Where is the private key on the system?


http://technet.microsoft.com/en-us/libr ... 62112.aspx

colbyiscute4e wrote:If a business server got it and it had logs, could you decrypt the log file and find the key?


If you had a pcap maybe.
