
CryptoWall: How It Works


Malware analysis of CryptoWall, ransomware that encrypts the user's data, and of how forensic tools cope with the malware.

Published in: Technology

  1. CryptoWall 3.0: How It Works. Term Project, CS690 Network Security. Tandhy Simanjuntak
  2. Agenda: History, Infection, Tools, Analysis, Conclusion
  3. History
  4. History: file-encrypting ransomware, Q1 2014 (Nov 2013) [5]; CryptoClone, CryptoDefense [5]; operates in encrypted environments: the TOR network and Bitcoin
  5. Infection
  6. Infection vectors: (a) email attachments and links, leading to a download request; (b) browser exploit kits (drive-by download)
  7. Infection: link
  8. Infection: email subject lines used by the campaign:
     • USPS – Your package is available for pickup (Parcel 173145820507)
     • Fwd: IMG01041_6706015_m.zip
     • FW: Invoice <random number>
     • My resume
     • ADP payroll: Account Charge Alert
     • New Voicemail Message
     • Important – attached form
     • Important – New Outlook Settings
     • FW: Last Month Remit
     • Scan Data
     • McAfee Always On Protection Reactivation
     • New contract agreement
     • Scanned Image from a Xerox WorkCentre
     • Important Notice – Incoming Money Transfer
     • Payroll Invoice
     • Payment Overdue – Please respond
  9. Infection: Upatre downloader
     • June 5th 2014: largest single-day infection
     • Legitimate cloud hosting: Dropbox, Cubby, and MediaFire
     • Banking Trojans: Gameover Zeus, Dyre
  10. Tools
  11. Tools
     Dynamic analysis: Process Explorer, Process Monitor, Wireshark, RegShot / CaptureBAT
     Static analysis: REMnux (pyew, Strings, pescanner, densityScout, trid), hex editor
  12. Tools
     Forensic: Scalpel, EnCase Forensic
     Hardware: host Kali Linux; VM Windows XP
  13. Analysis
  14. Analysis, dynamic analysis: files created
     • Cryptowall.exe → C:\Documents and Settings\<user>\%AppData%\<random name>.exe
     • Kdtsndl.exe → C:\Documents and Settings\<user>\%AppData%\key.dat
     • Kdtsndl.exe → C:\Documents and Settings\<user>\Desktop\log.html
  15. Analysis, files created: key.dat (value shown: 114GCa7RevREjed65TRCepdLPPpbxh7Pa4)
  16. Analysis: key.dat
  17. Analysis: registry values created
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscfg: "C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*mscfg: "C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"
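A defender-side check for the persistence entries on this slide, added here as an example (it is not from the slides or from any tool they mention). It runs over a constructed .reg-style export that reuses the slide's Run/RunOnce values; the export layout and the user-data-directory heuristic are assumptions.

```python
"""Flag Run/RunOnce autorun entries like the ones kdtsndl.exe registered.

Added example, not from the slides. SAMPLE_REG is a constructed .reg-style export
that reuses the slide's key names and paths; layout and heuristics are assumptions.
"""
import re

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mscfg"="C:\\Documents and Settings\\winXP\\Application Data\\kdtsndl.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*mscfg"="C:\\Documents and Settings\\winXP\\Application Data\\kdtsndl.exe"
"""

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\]$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
# Legitimate autoruns rarely point into per-user data directories (XP and Vista+ names).
USER_DATA_DIRS = ("\\application data\\", "\\appdata\\", "\\local settings\\")

def find_suspicious_autoruns(reg_text):
    """Return (key, value_name, path, reasons) for each autorun entry worth a closer look."""
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only track values under Run / RunOnce; any other key resets the context.
            current_key = line[1:-1] if AUTORUN_KEY.search(line) else None
            continue
        m = VALUE_LINE.match(line)
        if m is None or current_key is None:
            continue
        name, path = m.group(1), m.group(2).replace("\\\\", "\\")
        reasons = []
        if any(d in path.lower() for d in USER_DATA_DIRS):
            reasons.append("executable under a user data directory")
        # A '*' prefix on a RunOnce value name makes Windows run it even in Safe Mode.
        if current_key.lower().endswith("runonce") and name.startswith("*"):
            reasons.append("RunOnce entry forced to run in Safe Mode ('*' prefix)")
        if reasons:
            findings.append((current_key, name, path, reasons))
    return findings

if __name__ == "__main__":
    for key, name, path, reasons in find_suspicious_autoruns(SAMPLE_REG):
        print(f"{key}\\{name} -> {path}: {'; '.join(reasons)}")
```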
  18. Analysis: deletes the original file from its original location (Desktop); deletes shadow copies
  19. Analysis: Encryption (diagram). Steps 1 to 4: the PDF file (first bytes 2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36 ..., i.e. "%PDF-1.5") is loaded into memory, passed through CryptoAPI, and written out as a new .PDF file; the diagram shows the files in 16-byte rows, with the new file's leading bytes rendered as xxxx
  20. Analysis: Encryption. Moves the new .pdf file → .pdf.ecc file: loads the new .pdf file, creates the .pdf.ecc file, deletes the new .pdf file
  21. Analysis: Encryption, targeted file extensions: .3fr .cr2 .ff, .ff* .lrf .odp .ptx .slm .wb2 .7z* .crt .flv .ltx .ods .py, .py* .snx .wma .ai* .crw .fos .lvl .odt .qdf .sql .wmo .apk .css .fpk .m2, .m2* .orf .qic .sr2 .wmv .arw .csv .fsh .m3u .p12 .r3d .srf .wpd .avi .das .gdb .m4a .p7b .raf .srw .wps .bar .db, .db* .gho .map .p7c .rar .sum .x3f .bay .dcr .hkx .mdb .pak .raw .svg .xf, .xf8 .bc6 .der .itl .mdf .pdd .rb, .rb* .t12 .xlk .bc7 .dmp .itm .mef .pdf .re4 .t13 .xls .big .dng .iwd .mlx .pef .rim .tax .xlsx .bik .doc .iwi .mov .pem .rtf .tor .xxx .bkf .docx .jpe .mp4 .pfx .rw2 .txt .zip .bkp .dwg .jpg .ncf .png .rwl .upk .bsa .dxg .js, .js* .nrw .ppt .sav .vcf .cas .epk .kdb .ntl .pptx .sb, .sb* .vdf .cdr .eps .kdc .odb .psd .sid .vpk .cer .erf .kf, .kf* .odc .psk .sie .vtf
  22. Analysis: Encryption is internet independent. Encrypted file: modules; file signature
  23. Analysis: Encryption, encrypted file modules. Normal file creation: 21 modules. CryptoWall file creation: 50 modules, including Windows' cryptographic module crypt32.dll
  24. Analysis: Encryption, encrypted file modules
  25. Analysis: Encryption, encrypted file, file signature. Raw data pattern at the beginning (header) and end (footer) of a file:
     File type              Signature
     Microsoft Office file  D0 CF 11 E0 A1 B1 A1 E1
     JPG file               FF D8 FF E0 | FF D9
     PDF file               25 50 44 46
  26. Un-encrypted .docx file vs. encrypted .docx file (Analysis: Encryption, encrypted file, file signature)
  27. Un-encrypted .pdf file vs. encrypted .pdf file (Analysis: Encryption, encrypted file, file signature)
  28. Analysis: Network. Observed hosts:
     • ipinfo.io
     • 7tno4hib47vlep5o.42kjb11.net
     • 7tno4hib47vlep5o.42kjb12.net
     • 7tno4hib47vlep5o.tor2web.blutmagie.de
     • 7tno4hib47vlep5o.tor2web.fi
  29. Analysis: Network, 7tno4hib47vlep5o.42kjb11.net
  30. Analysis: Static analysis with REMnux (pyew, Strings, pescanner, densityScout, trid)
  31. Analysis: Forensic. Reads .pdf → saves as new .pdf; moves new .pdf → .pdf.ecc (deletes the new .pdf, creates the .pdf.ecc). Forensic tools: Scalpel, EnCase Forensic
  32. Analysis: Forensic (diagram). Steps 1 to 3, labelled Load, Write, Delete: the PDF file (first bytes 2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36 ..., i.e. "%PDF-1.5") is loaded into memory, written out as a new .PDF file, and the new .PDF file is deleted
  33. Analysis: Forensic (diagram). The new .PDF file, its leading bytes shown as xxxx, next to the original PDF file starting 2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36
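The file-signature table (slide 25) and the forensic slides (31 to 33) together explain why carving finds nothing once the plaintext copy is gone. The header/footer carver below is an added example in the style of Scalpel, not code from the slides or from Scalpel; the disk image is constructed (its PDF reproduces the slide's "%PDF-1.5" bytes), the "%%EOF" PDF footer is assumed from standard PDF syntax, and the XOR scramble is only a stand-in for the real CryptoAPI output.

```python
"""Header/footer carving (Scalpel style) with the slides' JPG and PDF signatures.

Added example, not code from the slides or from Scalpel. IMAGE is a constructed
disk image; scramble() is a throwaway XOR standing in for the real CryptoAPI
output, used only to show why carving finds nothing once the headers are gone.
"""

# JPG header/footer and PDF header come from the slide; '%%EOF' as the PDF
# footer is an assumption taken from the standard PDF trailer syntax.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF\xE0", b"\xFF\xD9"),
    "pdf": (b"%PDF", b"%%EOF"),
}

def carve(image, max_size=1 << 20):
    """Return [(type, offset, data)] for each header whose footer follows within max_size."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                found.append((ftype, pos, image[pos:end + len(footer)]))
            pos = image.find(header, pos + 1)
    return sorted(found, key=lambda f: f[1])

def scramble(data, key=0x5A):
    """Toy stand-in for encryption: XOR every byte so the signatures disappear."""
    return bytes(b ^ key for b in data)

# Constructed image: filler, a minimal PDF (its first bytes match the slide's hex
# dump, '%PDF-1.5 ... /S /Link'), filler, a minimal JPG, filler.
PDF = b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n623 0 obj\n<<\n/P 601 0 R\n/S /Link\n>>\n%%EOF"
JPG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xFF\xD9"
FILLER = b"\x00" * 64
IMAGE = FILLER + PDF + FILLER + JPG + FILLER

def carve_before_and_after():
    """Carve the image as written, then the same layout with both files scrambled."""
    before = carve(IMAGE)
    after = carve(FILLER + scramble(PDF) + FILLER + scramble(JPG) + FILLER)
    return before, after

if __name__ == "__main__":
    before, after = carve_before_and_after()
    print("intact image:", [(t, off, len(d)) for t, off, d in before])
    print("after scramble:", after)
```

With the intact image both files are recovered at their offsets; with the scrambled copies no header is found, which is the "unable to carve" result the conclusion slide reports.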
  34. Conclusion
  35. Conclusion
     Ransomware: TOR network; Bitcoin; no internet needed; unable to carve
     Email: attachment; link
     Further analysis: dynamic: debugger; static: REs
  36. Be Paranoid!
  37. References
     1. Fruz, A. (2014). Cryptolocker. InfoSec Institute. resources.infosecinstitute.com/cryptolocker/
     2. VirusTotal (2015). Cryptowall file identification. https://www.virustotal.com/en/file/685a9578c314b8a191160e89313674772cfa4adcb73112336321eb06ddd750c9/analysis/
     3. JAMESWT (2015). Cryptowall (2015 03 23). Malware Tips. http://malwaretips.com/threads/cryptowall-2015-03-23.43940/
     4. Kessler, G. (2014). File Signature Table. http://www.garykessler.net/library/file_sigs.html
     5. Dell SecureWorks Counter Threat Unit Threat Intelligence (2014). Cryptowall Ransomware. http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
     6. Malwr.com (2015). Cryptowall file identification. https://malwr.com/analysis/ZDQ5OGI2NDMzNDJjNGQxYzkyNGVjM2U1YTIxZDUzNzU/
