2015-06-09 - CRYPTOWALL 3.0 RANSOMWARE INFECTIONS FROM EMAIL CONTINUE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-06-09-CryptoWall-3.0-ransomware-distributed-through-email.pcap.zip
• 2015-06-09-CryptoWall-3.0-ransomware-files.zip

 

NOTES:

• The campaign using Yahoo email addresses to deliver CryptoWall 3.0 ransomware continues.
• First blogged about it on 2015-06-04 ( link ).  See that blog entry for more details.
• This wave is using redirects to Google Drive (docs.google[.]com) to send the malware.
• Bitcoin address for ransom payment is still 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag (same as before).

 

DETAILS

EMAILS SEEN TODAY:

• 2015-06-09 15:19:48 CST - Subject: Re:Resume - From: arniipf867@yahoo[.]com
• 2015-06-09 15:18:23 CST - Subject: Re:Resume - From: dalstonstukel@yahoo[.]com
• 2015-06-09 15:11:50 CST - Subject: Re:Resume - From: bryantleon990@yahoo[.]com
• 2015-06-09 15:06:14 CST - Subject: My resume - From: bonneramie@yahoo[.]com
• 2015-06-09 14:15:24 CST - Subject: My resume - From: lisandradelvy@yahoo[.]com
• 2015-06-09 13:56:33 CST - Subject: My resume - From: blondellemcclelland@yahoo[.]com
• 2015-06-09 09:09:02 CST - Subject: Re:Resume - From: myrnajmr242@yahoo[.]com
• 2015-06-09 08:50:57 CST - Subject: My resume - From: agnacry623@yahoo[.]com
• 2015-06-09 08:42:26 CST - Subject: Re:My resume - From: karieqwx157@yahoo[.]com
• 2015-06-09 08:37:18 CST - Subject: Resume - From: mateldaimr269@yahoo[.]com
• 2015-06-09 08:27:59 CST - Subject: Resume - From: brnabybkl345@yahoo[.]com
• 2015-06-09 08:01:56 CST - Subject: Re:My resume - From: constantaqwp988@yahoo[.]com
• 2015-06-09 07:18:10 CST - Subject: Resume - From: janithbhh097@yahoo[.]com
• 2015-06-09 07:01:40 CST - Subject: Resume - From: ignazlbp335@yahoo[.]com

 

ATTACHMENTS:

• my_resume.zip

 

EXTRACTED FILES FROM THE ATTACHMENTS (ALL HTML):

• resume1015.html
• resume1140.html
• resume2707.html
• resume3867.html
• resume4179.html
• resume4356.html
• resume4782.html
• resume5234.html
• resume5268.html
• resume6321.html
• resume6420.html
• resume6463.html
• resume6980.html
• resume7621.html

 

EXTRACTED HTML FILES HAVE IFRAME LINKS TO:

• topfinish[.]eu - GET /wp-content/themes/meteor/core/resume/resume.php?id=902
• topfinish[.]eu - GET /wp-content/themes/meteor/core/resume/resume.php?id=701
• topfinish[.]eu - GET /wp-content/themes/meteor/core/resume/resume.php?id=523
• topfinish[.]eu - GET /wp-content/themes/meteor/core/resume/resume.php?id=457
• nobiom[.]tv - GET /wp-content/themes/nobiomtv/lib/resume/resume.php?id=988
• nobiom[.]tv - GET /wp-content/themes/nobiomtv/lib/resume/resume.php?id=794
• nicefilm[.]net - GET /wp-content/themes/dt-the7/resume/resume.php?id=987
• nicefilm[.]net - GET /wp-content/themes/dt-the7/resume/resume.php?id=622
• nicefilm[.]net - GET /wp-content/themes/dt-the7/resume/resume.php?id=561
• konuralpticaret[.]com - GET /wp-content/themes/theretailer/resume/resume.php?id=908
• konuralpticaret[.]com - GET /wp-content/themes/theretailer/resume/resume.php?id=846
• konuralpticaret[.]com - GET /wp-content/themes/theretailer/resume/resume.php?id=444
• konuralpticaret[.]com - GET /wp-content/themes/theretailer/resume/resume.php?id=414
• konuralpticaret[.]com - GET /wp-content/themes/theretailer/resume/resume.php?id=307

 

CHECKING SOME OF THE ABOVE LINKS GAVE ME 200 OK REPONSES WITH HTTPS LINKS TO THE FOLLOWING GOOGLE URLS:

• (https) docs.google[.]com - GET /uc?export=download&id=0B-HWsX8wPhPFQzJsSmYtdERrZ1k
• (https) docs.google[.]com - GET /uc?export=download&id=0B-HWsX8wPhPFVTNpNTJneHJKazQ
• (https) docs.google[.]com - GET /uc?export=download&id=0B-HWsX8wPhPFZDk2dms3c2plZk0

 

PRELIMINARY MALWARE ANALYSIS

ZIP FILE FROM DOCS.GOOGLE[.]COM LINKS:

File name:  my_resume_pdf.zip
File size:  209,136 bytes
MD5 hash:  29e28ae8cca81d223ef3fd24ca1d3d68
Detection ratio:  13 / 57
First submission to VirusTotal:  2015-06-09 19:21:32 UTC

 

EXTRACTED MALWARE (CRYPTOWALL 3.0 RANSOMWARE):

File name:  my_resume_pdf_id_3551-5411-241.scr
File size:  270,336 bytes
MD5 hash:  7d231a2cebfcadb783377ab17fd2ef2f
Detection ratio:  13 / 57
First submission to VirusTotal:  2015-06-09 18:42:54 UTC

 

Click here to return to the main page.