2015-02-06 - TRAFFIC PATTERN CHANGE FOR CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-02-06-CryptoWall-3.0-ransomware-traffic.pcap.zip
• 2015-02-06-CryptoWall-3.0-ransomware-files.zip

 

NOTES:

• Today, Bryan Manradge sent me a CryptoWall 3.0 ransomware sample that I took a look at.
• Traffic patterns from an infected VM are different than when I first saw CryptoWall 3.0 ransomware (link), so I'm documenting this in a blog entry.

• In today's sample, the bitcoin wallet address for the ransom payment is:  15WUYqKerTtxi4rUEmnakw5gRMkr3nZCQd

 

CHAIN OF EVENTS

TRAFFIC FROM THE INFECTED VM:

• 2015-02-06 21:01:27 UTC - port 80 - ip-addr[.]es - GET /
• 2015-02-06 21:01:27 UTC - 50.63.132[.]134 port 80 - grupobsm[.]net - POST /img4.php?z=7210v4v8anxeba69
• 2015-02-06 21:01:30 UTC - 83.209.243[.]10 port 80 - grycksbo[.]org - POST /img5.php?c=7210v4v8anxeba69
• 2015-02-06 21:01:34 UTC - 72.29.80[.]235 port 80 - dladesigninc[.]net - POST /img3.php?h=7210v4v8anxeba69
• 2015-02-06 21:01:39 UTC - 216.55.179[.]136 port 80 - marine-club[.]net - POST /img3.php?k=7210v4v8anxeba69
• 2015-02-06 21:01:59 UTC - 72.29.73[.]163 port 80 - captainblowdri[.]com - POST /img4.php?l=7210v4v8anxeba69
• 2015-02-06 21:02:03 UTC - 199.68.191[.]235 port 80 - caracolassn[.]com - POST /volunteer/img1.php?p=7210v4v8anxeba69
• 2015-02-06 21:02:09 UTC - 143.95.1[.]100 port 80 - dishwashersreviews[.]org - POST /img3.php?d=7210v4v8anxeba69
• 2015-02-06 21:02:14 UTC - 70.40.199[.]132 port 80 - credit-score-repair-help[.]com - POST /img4.php?a=7210v4v8anxeba69
• 2015-02-06 21:02:17 UTC - 189.38.80[.]72 port 80 - marivaldakariri[.]net - POST /img2.php?d=7210v4v8anxeba69
• 2015-02-06 21:02:22 UTC - 66.147.240[.]175 port 80 - cannedseniordogfood[.]com - POST /img2.php?i=7210v4v8anxeba69
• 2015-02-06 21:02:27 UTC - 107.161.186[.]165 port 80 - olx4u[.]com - POST /img5.php?o=7210v4v8anxeba69
• 2015-02-06 21:02:30 UTC - 67.222.49[.]225 port 80 - decisiondock[.]com - POST /img2.php?l=7210v4v8anxeba69
• 2015-02-06 21:02:34 UTC - 142.4.5[.]182 port 80 - ohiorealestateinvestor[.]com - POST /img1.php?s=7210v4v8anxeba69
• 2015-02-06 21:02:40 UTC - 219.94.217[.]199 port 80 - grid-japan[.]com - POST /img3.php?q=7210v4v8anxeba69
• 2015-02-06 21:02:48 UTC - 162.216.152[.]1 port 80 - cityep[.]net - POST /plus/img1.php?k=7210v4v8anxeba69
• 2015-02-06 21:02:48 UTC - 23.235.198[.]159 port 80 - homeoholistic[.]com - POST /img1.php?n=7210v4v8anxeba69
• 2015-02-06 21:02:48 UTC - 205.209.123[.]35 port 80 - dreamleaparchitects[.]com - POST /img4.php?h=7210v4v8anxeba69
• 2015-02-06 21:02:53 UTC - 103.24.244[.]107 port 80 - diemtichluy[.]net - POST /utf.php?a=7210v4v8anxeba69
• 2015-02-06 21:02:58 UTC - 109.200.196[.]187 port 80 - megasort[.]net - POST /img2.php?f=7210v4v8anxeba69
• 2015-02-06 21:03:03 UTC - 50.97.118[.]154 port 80 - crushtrack[.]com - POST /img2.php?a=7210v4v8anxeba69
• 2015-02-06 21:03:07 UTC - 198.58.92[.]228 port 80 - jake-angela[.]com - POST /img5.php?e=7210v4v8anxeba69
• 2015-02-06 21:03:12 UTC - 204.152.255[.]10 port 80 - dolidoligames[.]org - POST /img1.php?b=7210v4v8anxeba69
• 2015-02-06 21:03:18 UTC - 176.9.125[.]188 port 80 - butterflymedia[.]az - POST /img2.php?l=7210v4v8anxeba69
• 2015-02-06 21:03:21 UTC - 63.208.120[.]198 port 80 - downtowncarandlimousine[.]com - POST /img1.php?i=7210v4v8anxeba69
• 2015-02-06 21:03:27 UTC - 64.40.153[.]128 port 80 - gjswan[.]com - POST /img3.php?n=7210v4v8anxeba69
• 2015-02-06 21:03:31 UTC - 210.1.58[.]197 port 80 - cx-tractor[.]com - POST /img3.php?v=7210v4v8anxeba69
• 2015-02-06 21:03:33 UTC - 212.68.42[.]26 port 80 - dh-solutions[.]net - POST /img5.php?w=7210v4v8anxeba69
• 2015-02-06 21:03:41 UTC - 173.254.104[.]49 port 80 - funnyvideosonline[.]net - POST /img2.php?b=7210v4v8anxeba69
• 2015-02-06 21:03:45 UTC - 5.104.106[.]93 port 80 - hcegroup[.]net - POST /img5.php?y=7210v4v8anxeba69
• 2015-02-06 21:03:52 UTC - 190.107.176[.]7 port 80 - ingesof[.]com - POST /img4.php?r=7210v4v8anxeba69
• 2015-02-06 21:03:57 UTC - 122.155.167[.]122 port 80 - diversolve[.]com - POST /img2.php?z=7210v4v8anxeba69
• 2015-02-06 21:04:02 UTC - 5.44.216[.]13 port 80 - fotosiski[.]com - POST /img5.php?p=7210v4v8anxeba69
• 2015-02-06 21:04:11 UTC - 69.89.22[.]148 port 80 - californiainsuranceco[.]com - POST /img4.php?s=7210v4v8anxeba69
• 2015-02-06 21:04:14 UTC - 66.147.240[.]175 port 80 - superiorseoservices[.]com.au - POST /img5.php?t=7210v4v8anxeba69
• 2015-02-06 21:04:17 UTC - 69.195.124[.]86 port 80 - dyounglawoffice[.]com - POST /img1.php?u=7210v4v8anxeba69
• 2015-02-06 21:04:23 UTC - 72.29.81[.]177 port 80 - domainithere[.]com - POST /tools/img2.php?d=7210v4v8anxeba69
• 2015-02-06 21:04:27 UTC - 95.173.181[.]231 port 80 - hisarins[.]com - POST /img4.php?w=7210v4v8anxeba69
• 2015-02-06 21:04:30 UTC - 108.166.74[.]204 port 80 - dropnwashlaundry[.]com - POST /wp-content/img1.php?k=7210v4v8anxeba69
• 2015-02-06 21:04:35 UTC - 50.87.169[.]19 port 80 - spindna[.]com - POST /img1.php?u=7210v4v8anxeba69
• 2015-02-06 21:04:43 UTC - 205.134.238[.]142 port 80 - almjobs[.]com - POST /img4.php?s=7210v4v8anxeba69
• 2015-02-06 21:04:46 UTC - 114.202.247[.]141 port 80 - dcmaulmembers[.]com - POST /img4.php?n=7210v4v8anxeba69
• 2015-02-06 21:04:59 UTC - 23.236.238[.]227 port 80 - creativoplasma[.]com - POST /televisa/img1.php?f=7210v4v8anxeba69
• 2015-02-06 21:05:05 UTC - 74.220.214[.]164 port 80 - preciousmetalsrarecoininvestments[.]com - POST /img2.php?x=7210v4v8anxeba69
• 2015-02-06 21:05:13 UTC - port 80 - ip-addr[.]es - GET /
• 2015-02-06 21:05:13 UTC - 50.63.132[.]134 port 80 - grupobsm[.]net - POST /img4.php?s=jl6nfgewttz
• 2015-02-06 21:05:16 UTC - 50.63.132[.]134 port 80 - grupobsm[.]net - POST /img4.php?t=6d3b0ihusgae5f3
• 2015-02-06 21:05:22 UTC - 50.63.132[.]134 port 80 - grupobsm[.]net - POST /img4.php?i=festbbqped032pvu
• 2015-02-06 21:05:25 UTC - 83.209.243[.]10 port 80 - grycksbo[.]org - POST /img5.php?h=festbbqped032pvu
• 2015-02-06 21:05:55 UTC - 72.29.80[.]235 port 80 - dladesigninc[.]net - POST /img3.php?a=festbbqped032pvu
• 2015-02-06 21:05:58 UTC - 216.55.179[.]136 port 80 - marine-club[.]net - POST /img3.php?o=festbbqped032pvu
• 2015-02-06 21:06:02 UTC - 72.29.73[.]163 port 80 - captainblowdri[.]com - POST /img4.php?y=festbbqped032pvu
• 2015-02-06 21:06:05 UTC - 199.68.191[.]235 port 80 - caracolassn[.]com - POST /volunteer/img1.php?d=festbbqped032pvu
• 2015-02-06 21:06:13 UTC - 50.63.132[.]134 port 80 - grupobsm[.]net - POST /img4.php?f=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:18 UTC - 83.209.243[.]10 port 80 - grycksbo[.]org - POST /img5.php?n=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:28 UTC - 72.29.80[.]235 port 80 - dladesigninc[.]net - POST /img3.php?a=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:31 UTC - 216.55.179[.]136 port 80 - marine-club[.]net - POST /img3.php?c=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:34 UTC - 72.29.73[.]163 port 80 - captainblowdri[.]com - POST /img4.php?o=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:36 UTC - 199.68.191[.]235 port 80 - caracolassn[.]com - POST /volunteer/img1.php?p=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:42 UTC - 143.95.1[.]100 port 80 - dishwashersreviews[.]org - POST /img3.php?o=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:45 UTC - 70.40.199[.]132 port 80 - credit-score-repair-help[.]com - POST /img4.php?n=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:50 UTC - 189.38.80[.]72 port 80 - marivaldakariri[.]net - POST /img2.php?h=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:54 UTC - 66.147.240[.]175 port 80 - cannedseniordogfood[.]com - POST /img2.php?o=lwxrp4v8nwo3jrms
• 2015-02-06 21:06:59 UTC - 107.161.186[.]165 port 80 - olx4u[.]com - POST /img5.php?w=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:09 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /1Y2a92Q
• 2015-02-06 21:07:11 UTC - 67.222.49[.]225 port 80 - decisiondock[.]com - POST /img2.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:15 UTC - 142.4.5[.]182 port 80 - ohiorealestateinvestor[.]com - POST /img1.php?s=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:17 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/style.css
• 2015-02-06 21:07:21 UTC - 219.94.217[.]199 port 80 - grid-japan[.]com - POST /img3.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:23 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/flags/us.png
• 2015-02-06 21:07:23 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/flags/es.png
• 2015-02-06 21:07:23 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/flags/it.png
• 2015-02-06 21:07:23 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /picture.php?k=1y2a92q&f95dca8fd582559090731d3a2d4eaa24
• 2015-02-06 21:07:23 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/rt.png
• 2015-02-06 21:07:23 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/rb.png
• 2015-02-06 21:07:23 UTC - 162.216.152[.]1 port 80 - cityep[.]net - POST /plus/img1.php?s=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:24 UTC - 23.235.198[.]159 port 80 - homeoholistic[.]com - POST /img1.php?t=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:24 UTC - 205.209.123[.]35 port 80 - dreamleaparchitects[.]com - POST /img4.php?n=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:27 UTC - 103.24.244[.]107 port 80 - diemtichluy[.]net - POST /utf.php?p=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:28 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/flags/fr.png
• 2015-02-06 21:07:28 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/flags/de.png
• 2015-02-06 21:07:28 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/lt.png
• 2015-02-06 21:07:28 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/lb.png
• 2015-02-06 21:07:35 UTC - 109.200.196[.]187 port 80 - megasort[.]net - POST /img2.php?w=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:39 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - POST /1Y2a92Q
• 2015-02-06 21:07:39 UTC - 50.97.118[.]154 port 80 - crushtrack[.]com - POST /img2.php?w=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:43 UTC - 198.58.92[.]228 port 80 - jake-angela[.]com - POST /img5.php?r=lwxrp4v8nwo3jrms
• 2015-02-06 21:07:46 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - POST /1Y2a92Q
• 2015-02-06 21:07:52 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/style.css
• 2015-02-06 21:07:56 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/bitcoin.png
• 2015-02-06 21:07:56 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/lb.png
• 2015-02-06 21:07:56 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /img/button_pay.png
• 2015-02-06 21:08:01 UTC - 5.199.167[.]233 port 80 - paytoc4gtpn5czl2.optionstorpay22[.]com - GET /favicon.ico
• 2015-02-06 21:08:01 UTC - 204.152.255[.]10 port 80 - dolidoligames[.]org - POST /img1.php?g=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:06 UTC - 176.9.125[.]188 port 80 - butterflymedia[.]az - POST /img2.php?h=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:10 UTC - 63.208.120[.]198 port 80 - downtowncarandlimousine[.]com - POST /img1.php?z=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:16 UTC - 64.40.153[.]128 port 80 - gjswan[.]com - POST /img3.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:19 UTC - 210.1.58[.]197 port 80 - cx-tractor[.]com - POST /img3.php?y=lwxrp4v8nwo3jrms
• 2015-02-06 21:08:51 UTC - 212.68.42[.]26 port 80 - dh-solutions[.]net - POST /img5.php?s=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:02 UTC - 173.254.104[.]49 port 80 - funnyvideosonline[.]net - POST /img2.php?e=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:06 UTC - 5.104.106[.]93 port 80 - hcegroup[.]net - POST /img5.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:10 UTC - 190.107.176[.]7 port 80 - ingesof[.]com - POST /img4.php?r=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:17 UTC - 122.155.167[.]122 port 80 - diversolve[.]com - POST /img2.php?n=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:28 UTC - 5.44.216[.]13 port 80 - fotosiski[.]com - POST /img5.php?m=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:31 UTC - 69.89.22[.]148 port 80 - californiainsuranceco[.]com - POST /img4.php?k=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:35 UTC - 66.147.240[.]175 port 80 - superiorseoservices[.]com.au - POST /img5.php?q=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:39 UTC - 69.195.124[.]86 port 80 - dyounglawoffice[.]com - POST /img1.php?r=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:46 UTC - 72.29.81[.]177 port 80 - domainithere[.]com - POST /tools/img2.php?b=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:50 UTC - 95.173.181[.]231 port 80 - hisarins[.]com - POST /img4.php?v=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:53 UTC - 108.166.74[.]204 port 80 - dropnwashlaundry[.]com - POST /wp-content/img1.php?s=lwxrp4v8nwo3jrms
• 2015-02-06 21:09:58 UTC - 50.87.169[.]19 port 80 - spindna[.]com - POST /img1.php?c=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:05 UTC - 205.134.238[.]142 port 80 - almjobs[.]com - POST /img4.php?q=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:09 UTC - 114.202.247[.]141 port 80 - dcmaulmembers[.]com - POST /img4.php?h=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:12 UTC - 23.236.238[.]227 port 80 - creativoplasma[.]com - POST /televisa/img1.php?b=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:18 UTC - 74.220.214[.]164 port 80 - preciousmetalsrarecoininvestments[.]com - POST /img2.php?j=lwxrp4v8nwo3jrms
• 2015-02-06 21:10:27 UTC - 50.63.132[.]134 port 80 - grupobsm[.]net - POST /img4.php?n=bnis0m4bg5i

 

ALERTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

• Various IP addresses over port 80 (see above) - ET TROJAN CryptoWall Check-in (sid:2018452)
• DNS query for: paytoc4gtpn5czl2.optionstorpay22[.]com - ET TROJAN Cryptowall 3.0 .onion Proxy Domain (sid:2020182)

 

PRELIMINARY MALWARE ANALYSIS

MALWARE

File name:  2015-02-06-CryptoWall-3.0-sample.exe
File size:  225,341 bytes
MD5 hash:  b188a7a9de9c101aed6ecf075daf19f2
Detection ratio:  5 / 55
First submission:  2015-02-06 17:12:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/74218a572992da05a1cb2a2ea155862ac280e2777ae902828071f7328beaa532/analysis/

 

SCREENSHOTS

 

website.

Click here to return to the main page.