A forum for reverse engineering, OS internals and malware analysis 

 #27159  by Blaze
 Thu Nov 05, 2015 1:54 pm
Two more attached + 3 JS files it uses to download CryptoWall 4.0.
 #27202  by Blaze
 Tue Nov 10, 2015 3:32 pm
Report on CryptoWall 3.
The Cyber Threat Alliance (CTA) is a group of leading cybersecurity solution providers who have come together to share threat intelligence on advanced attacks, their motivations, and the tactics of the malicious actors behind them. Together, members of the CTA conducted joint research into the CryptoWall version 3 threat, which impacted hundreds of thousands of victims, and resulted in over $325 million in damages worldwide.
http://cyberthreatalliance.org/cryptowall-report.pdf (PDF)
 #27278  by sysopfb
 Fri Nov 20, 2015 7:09 pm
Signed Cryptowall binary
https://www.virustotal.com/en/file/1d39 ... /analysis/


COMODO cert
SN: 00 94 be 4a fd 1f af 6f 31 4a 80 59 de c5 7d 51 7f

Name: Generator Media + Analytics, Inc.
Email: development@tuta.io
Signing Time: Friday, November 20, 2015 5:36:53 AM


Campaign Crypt5002

C2:
pw: infected
 #27290  by peters
 Mon Nov 23, 2015 6:48 pm
Thank you again and we hope you share our view that your contribution helped to provide
has zip attached with JavaScript inside.

downloads http://1caclean.com/wp-includes/theme-compat/691.exe?1
SHA: e6a3740228180ceb5f2d6ea58c6a46c03af44e37f5f8b0a4ba6bcf635811a849

http://rgkschool.com/modules/mod_ariima ... r/misc.php
mail attachment
 #27292  by sysopfb
 Tue Nov 24, 2015 1:03 am
peters wrote:
Thank you again and we hope you share our view that your contribution helped to provide
has zip attached with JavaScript inside.

downloads http://1caclean.com/wp-includes/theme-compat/691.exe?1
SHA: e6a3740228180ceb5f2d6ea58c6a46c03af44e37f5f8b0a4ba6bcf635811a849

http://rgkschool.com/modules/mod_ariima ... r/misc.php
That's TeslaCrypt

C2 list:
The C2 list is stored as base64 blobs in the unpacked binary.

It appears to use PCHAR RC2Crypt::Encode from the Carberp source code to encode the strings:

8-byte IV
Hardcoded RC2 key

First four IV + b64_encode(RC2.encrypt(key, iv, data)) + Last four IV + B64 padding
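The blob layout above, as an added example for pulling the IV and ciphertext back out of such a string during analysis; this is constructed code, not the Carberp or TeslaCrypt routine. It assumes the 8-byte IV is printable ASCII (so the blob stays a string) and that "B64 padding" means the trailing '=' characters of the base64 output are moved to the very end of the blob; the optional decrypt step needs pycryptodome and treats the key length convention as unknown.

```python
import base64
import re

# Constructed layout, following the post's description:
#   blob = iv[:4] + base64(ciphertext) without '=' padding + iv[4:] + '=' padding
# Assumptions (not confirmed by the post): the IV bytes are printable ASCII
# without '=', and the base64 '=' padding is moved to the end of the blob.
IV_LEN = 8
HALF = IV_LEN // 2

def wrap_blob(iv: bytes, ciphertext: bytes) -> str:
    """Build a blob from an 8-byte ASCII IV and raw RC2 ciphertext."""
    if len(iv) != IV_LEN or b"=" in iv:
        raise ValueError("IV must be 8 ASCII bytes without '='")
    b64 = base64.b64encode(ciphertext).decode("ascii")
    body = b64.rstrip("=")
    padding = b64[len(body):]
    return iv[:HALF].decode("ascii") + body + iv[HALF:].decode("ascii") + padding

def unwrap_blob(blob: str) -> tuple[bytes, bytes]:
    """Split a blob into (iv, ciphertext); raises ValueError if it is malformed."""
    stripped = blob.rstrip("=")
    padding = blob[len(stripped):]            # the relocated base64 padding
    if len(stripped) < IV_LEN:
        raise ValueError("blob too short to hold an 8-byte IV")
    head, rest = stripped[:HALF], stripped[HALF:]
    body, tail = rest[:-HALF], rest[-HALF:]   # IV halves sit around the body
    if not re.fullmatch(r"[A-Za-z0-9+/]*", body):
        raise ValueError("non-base64 character inside the body")
    ciphertext = base64.b64decode(body + padding, validate=True)
    return (head + tail).encode("ascii"), ciphertext

def decrypt_blob(blob: str, key: bytes) -> bytes:
    """Optional: RC2-CBC decrypt with pycryptodome; the caller strips any block padding."""
    from Crypto.Cipher import ARC2          # only needed for this step
    iv, ciphertext = unwrap_blob(blob)
    return ARC2.new(key, ARC2.MODE_CBC, iv).decrypt(ciphertext)
```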