Use CryptoLocker to train your incident response team (part 2)

Train your incident response team

This is the second part in a post describing how to train your team for incident response and incident investigations.

The first part covered how to analyze the e-mail headers and information in a suspicious e-mail.


The e-mail contained one attachment : Unzipping the file resulted in a .scr file.

-rw-rw-r--  1 koenvanimpe  staff   49152 Feb  4 16:45 franz_krukenberg_str_10_25436_uetersen.scr
-rw-rw-r--  1 koenvanimpe  staff   32761 Feb  4 16:45

The sha1 is

99920e112a522e2d1b409e00330022f705c2fec7  franz_krukenberg_str_10_25436_uetersen.scr

MD5 is

e4b72ce8ea569b12eabf0aef6ed81615  franz_krukenberg_str_10_25436_uetersen.scr

I uploaded the .scr file to VirusTotal for further analysis. So far (22-Feb) no one else had submitted a similar sample.


According to Virustotal the file gets recognized by most anti-virus vendors as a CryptoLocker virus.

Symantec describes CryptoLocker.F as :

Trojan.Cryptolocker.F is a Trojan horse that encrypts files on the compromised computer and then prompts the user to purchase a key in order to decrypt them.

CryptoLocker is known as ransomware. The timing in the post by F-Secure describing a rise in CTB-Locker infections corresponds with the time the e-mail was received.

Using the Linux strings command I could see that it references a number of DLLs


The certcli.dll file is a Microsoft DLL that provides communications between a client or intermediary application and certificate services.

The WTSAPI32.dll file is a Microsoft DLL that contains the application programming interface (API) functions that enable application programs to (1) manage terminal services, (2) set and retrieve user configuration information that is specific to terminal services, (3) use terminal services virtual channels, and more, in a terminal services environment.

SHLWAPI.dll (the shell lightweight utility library) is a Microsoft DLL which contains functions for UNC and URL paths, registry entries, and color settings.

The file cmpbk32.dll is a Microsoft DLL that is a component of the Microsoft Connection Manager Phonebook.

From the referenced DLLs alone we know that this application has the capability for

  • working with a certificate service
  • managing terminal services sessions
  • working with UNC and URL paths
  • working with registry settings
  • connecting with the Microsoft Connection Manager Phonebook

A referenced DLL only tells us the code can call into it; the exported function names that appear next to it in the strings output show what it actually calls.

These capabilities are confirmed in the remainder of the strings output with calls to


Strings also revealed the use of a library ddi32.dll. As far as I could verify this is a library that helps with drawing. It is most probably used to build the notice telling the end user that they have a “problem”.
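The DLL triage above can be scripted. The following is an added example (not code from the original post): a minimal strings extractor in Python that does what `strings` and `strings -e l` do (printable ASCII runs, and UTF-16LE runs, which PE files use for resources and messages), picks the `.dll` names out of the result and maps them to the capabilities described above. The binary blob it runs on is constructed for the example and is not the real .scr file; the two export names in it (WTSEnumerateSessionsA, PathIsURLA) are real exports of those DLLs but are only there as sample data.

```python
import re
from typing import Dict, List

# Capability table taken from the DLL descriptions in the post; any other DLL
# is reported as unknown rather than guessed at.
DLL_CAPABILITIES = {
    "certcli.dll": "certificate services client (talks to a CA)",
    "wtsapi32.dll": "terminal services: sessions, per-user settings, virtual channels",
    "shlwapi.dll": "UNC and URL paths, registry entries, colour settings",
    "cmpbk32.dll": "Connection Manager Phonebook component",
}

# Constructed stand-in for the .scr file: a DOS-header prefix, a few import-style
# strings, one UTF-16LE string and some non-printable filler. Not the real sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"KERNEL32.dll\x00\x01\x02"
    + b"certcli.dll\x00\x7f\x80"
    + b"WTSAPI32.dll\x00WTSEnumerateSessionsA\x00\x90\x90"
    + b"SHLWAPI.dll\x00PathIsURLA\x00"
    + b"cmpbk32.dll\x00\xfe\xfd"
    + "Your files have been encrypted".encode("utf-16-le") + b"\x00\x00"
    + b"\x03\x1b\x9a"
)


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """What `strings -n <min_len>` prints: runs of printable 7-bit ASCII."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """What `strings -e l` prints: printable ASCII where every char is followed by NUL."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


DLL_NAME = re.compile(r"^[A-Za-z0-9_\-]+\.dll$", re.IGNORECASE)


def dll_names(strings: List[str]) -> List[str]:
    """Lower-cased, de-duplicated DLL names among the extracted strings."""
    return sorted({s.lower() for s in strings if DLL_NAME.match(s)})


def capability_report(data: bytes) -> Dict[str, str]:
    """Map every DLL name found in the blob to the capability it implies."""
    found = dll_names(ascii_strings(data) + utf16le_strings(data))
    return {d: DLL_CAPABILITIES.get(d, "unknown: check the export names next to it")
            for d in found}


if __name__ == "__main__":
    for dll, cap in capability_report(SAMPLE_BLOB).items():
        print(f"{dll:15} {cap}")
```

Running `strings` without `-e l` misses the UTF-16 strings, which is where ransom notes and URLs in Windows binaries often live; that is why the report combines both extractors.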

Information before executing the file

When I copied the files to a Windows machine I immediately noticed that the icon of the file mimics a Word document. This is done to lure the user into opening the file.


Windows Sandbox – XP

I then decided to execute the file in a virtual machine running Microsoft Windows XP SP2. The first step was to execute it in a VM without external network connectivity. I captured all the network traffic on the VM network with VMware's vmnet-sniffer (under /Applications/VMware) into a pcap file.

./vmnet-sniffer -w xp.pcap vmnet1

Opening the file does indeed display a Word document, titled MARITIME ARCHIVES & LIBRARY Information Sheet 15 ELDER DEMPSTER & COMPANY.


This is a document from the National Museums of Liverpool in the United Kingdom.

After opening the Word document nothing seems to happen, and I did not see any network activity at first. After closing the document, however, a process kept running in the background.



It took a couple of minutes before I could see any “unusual” network requests.

Although Dshell from the US Army provides an easy interface for tracking network activity in a pcap file, I decided to use tshark to brush up my knowledge of tshark expressions.

Network capture

Basic malware has two obvious ways of reaching its servers: either it connects directly to a hardcoded list of IPs, or it does a DNS lookup for a list of hardcoded domains (domains produced by a generation algorithm still show up as DNS lookups). When I looked at the pcap data I could not see any connections to “unusual” IPs, so I ran tshark against the pcap file to extract the DNS requests and sort them.

tshark -r ../xp.pcap -Y "dns.flags.response == 0" -T fields -e | sort | uniq -c

Note that older tshark versions do not know the -Y display-filter option; there you have to use -R instead.

This resulted in a number of domains, mostly involving normal Windows operations. Some of the domains, however, had nothing to do with the network behavior of a normal Windows computer. In this case the domains,, and are queried several times.
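The tshark pipeline above (filter on dns.flags.response == 0, print the queried name, sort, uniq -c) can also be reproduced without tshark, which is handy when you want to script the triage or diff two captures. The following is an added example, not code from the original post: a pure-Python parser for a classic libpcap file that walks Ethernet/IPv4/UDP, keeps only DNS messages with the QR bit clear (queries), counts the question names and then drops everything under an allowlist of expected Windows zones. The capture it runs on is constructed in memory and is not xp.pcap; the names under the reserved .example TLD stand in for the command and control domains and are not the real ones.

```python
import struct
from collections import Counter

# --- build a small pcap in memory; a constructed stand-in for xp.pcap ---------

def build_dns_query(qname, txid):
    """Minimal DNS message: header (QR=0, RD=1) plus one A/IN question."""
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def as_response(query):
    """Same message with QR set (flags 0x8180): what tshark calls dns.flags.response == 1."""
    return query[:2] + b"\x81\x80" + query[4:]

def eth_ip_udp(payload, sport, dport):
    """Wrap payload in UDP/IPv4/Ethernet II. Checksums stay zero; the parser ignores them."""
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 56, 101]), bytes([192, 168, 56, 1]))
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip + udp

def build_pcap(frames):
    """Classic little-endian libpcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1424000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

# Constructed lookups: two "normal Windows" names and two placeholder C2 names under
# the reserved .example TLD. Every query gets a response so the QR filter is exercised.
_LOOKUPS = ["time.windows.com"] * 2 + ["update.microsoft.com"] + ["c2-one.example"] * 3 + ["c2-two.example"] * 2
_FRAMES = []
for _i, _name in enumerate(_LOOKUPS):
    _q = build_dns_query(_name, 0x1000 + _i)
    _FRAMES += [eth_ip_udp(_q, 1024 + _i, 53), eth_ip_udp(as_response(_q), 53, 1024 + _i)]
SAMPLE_PCAP = build_pcap(_FRAMES)

# --- parse: what `tshark -Y "dns.flags.response == 0"` + `sort | uniq -c` give ---

def iter_frames(pcap):
    """Yield (link type, frame) for each record of a classic pcap (not pcapng)."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        yield linktype, pcap[off:off + incl_len]
        off += incl_len

def read_qname(msg, off):
    """Decode the (uncompressed) name in a question section; returns (name, next offset)."""
    labels = []
    while msg[off] != 0:
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln
    return ".".join(labels), off + 1

def dns_query_names(frame):
    """Question names of a DNS query (QR == 0) carried in an Ethernet/IPv4/UDP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return []                                    # not IPv4 over Ethernet, or not UDP
    udp = frame[14 + (frame[14] & 0x0F) * 4:]
    sport, dport, ulen = struct.unpack_from(">HHH", udp, 0)
    if 53 not in (sport, dport) or ulen < 20 or len(udp) < ulen:
        return []
    dns = udp[8:ulen]
    flags, qdcount = struct.unpack_from(">HH", dns, 2)
    if flags & 0x8000:                               # QR=1: a response, skip it
        return []
    names, off = [], 12
    for _ in range(qdcount):
        name, off = read_qname(dns, off)
        names.append(name)
        off += 4                                     # QTYPE + QCLASS
    return names

def count_queries(pcap):
    """Per-name query counts for every Ethernet frame in the capture."""
    counts = Counter()
    for linktype, frame in iter_frames(pcap):
        if linktype == 1:
            counts.update(dns_query_names(frame))
    return counts

def unusual(counts, allowlist):
    """Keep only names that are not (sub)domains of an allowlisted zone."""
    return {n: c for n, c in counts.items()
            if not any(n == a or n.endswith("." + a) for a in allowlist)}

if __name__ == "__main__":
    counts = count_queries(SAMPLE_PCAP)
    for name, n in counts.most_common():
        print(f"{n:4} {name}")
    print("unusual:", unusual(counts, ["windows.com", "microsoft.com"]))
```

To run it on a real capture, read the file into `pcap` and call `count_queries(pcap)`; the allowlist is the part you tune per environment, and the leftover names are the candidates to check against whois and vendor write-ups as done below. The parser deliberately handles only what the triage needs (Ethernet, IPv4, UDP, classic pcap); a VLAN-tagged or pcapng capture would need tshark or a fuller library.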


According to Symantec, the CryptoLocker virus downloads its message from a number of command and control servers. I assumed that the domains,, and were used by this version of CryptoLocker to download its additional information.

The domains are listed in a number of malware analyses by Sophos: Troj/Agent-ALLW and Troj/Agent-ALMD. The detection date is in line with the date the malicious e-mail was received.

The domain is registered to someone in Spain. At the time of writing, it resolved to This is an IP in Spain. The website of returns a page (in Spanish) of a sports bicycle vendor.


Updated Date: 2011-05-03T12:58:28.00Z
Creation Date: 2011-05-03T20:58:00.00Z
... has address
inetnum: -
netname:        ES-AXARNET-NET
descr:          AXARNET, Nodo en Madrid
country:        ES

The domain is registered to someone in Spain. At the time of writing, it resolved to This is an IP in Spain. It is no longer possible to access the website at You now get a 403 “You don’t have permission to access / on this server.” message.

Domain Name:
Created On: 2006-06-23 17:26:54 GMT
Last Updated On: 2014-06-23 09:28:04 GMT
Registrant Name: Marc
... has address
inetnum: -
netname:        FILNET-2
descr:          Filnet static IP addresses for Internet servers
country:        ES

The domain is registered via a registrar in Belize. At the time of writing, it resolved to This is an IP in the Netherlands (belonging to Leaseweb). The webserver of now returns a page with “Page is blocked”. This is a good indication that the hosting provider is aware of the problem.

created:               2005.01.14 14:36:58
last modified:         2015.02.16 11:45:46
renewal date:          2016.03.15 14:36:58
Abc Hosting Ltd.
#7B Neal Pen Road,
Belize City
... has address
inetnum: -
netname:        LEASEWEB
descr:          LeaseWeb

The domain is registered to someone in the US. At the time of writing, it resolved to This is an IP in the US belonging to Job Options in California. According to the website it is a site of a subsidiary of Job Options Inc, a provider of commercial linen and laundry services for the hospital and healthcare industry. Because of the presence of the “widget area” and placeholder blocks I guess that the website is either unfinished or abandoned. The website is powered by WordPress, and the reference “/wp-includes/js/jquery/jquery.js?ver=1.6.1” in the HTML source indicates an outdated version of WordPress (jQuery 1.6.1 dates from 2011). Vulnerable WordPress sites are often used in malware campaigns as command and control servers (see for example the CryptoPHP incident).


Status: clientUpdateProhibited
Updated Date: 23-dec-2014
Creation Date: 30-dec-2010
Expiration Date: 30-dec-2015
Agundis, Juan Carlos
Job Options Inc.
3465 Camino Del Rio South Suite 300
San Diego, CA 92108
... has address

Out of these four domains, the Polish domain ( has whois data that has been recently updated.

Similar to the information in the e-mail headers, the sources are spread over different countries (the country of the domain registration, then the country of the IP it resolved to):

  • Spain ( Spain
  • Spain (Catalunya) ( Spain
  • Poland ( Holland
  • United States ( United States


My experiment so far described how this version of CryptoLocker works. I prevented it from actually starting what it is supposed to do by blocking the network access. The next steps involve running it in a fully networked environment and observing what happens.

Blocking the network access to the command and control servers does not prevent CryptoLocker from starting, but for this sample it prevents it from doing direct harm to your documents. This is a good reason for having a network setup that blocks outgoing connections to blacklisted domains. Everything depends of course on the quality of the blacklist. It certainly is not a perfect solution, but it is an extra layer of defense.

Also note that some malware checks whether it is being run in a virtualization environment. This was not the case for this sample, which made the analysis easier.

If you only consider the geographical location and language, then the source of this malware could be Spanish- or Central-American-based. This is highly speculative and it could also be a coincidence. Two command and control servers are located in Spain and registered under a Spanish or Catalonian TLD. The registration of one command and control server is in Belize (Central America). The sender IP is in Mexico. One of the IPs of a command and control server is in California (near Mexico).


Based on the information from part 1 and this part we can deliver simple-to-use IOCs:

  • Filter attachments with a name similar to
  • Reject SMTP connections from
  • Block network traffic to
  • Block network traffic to
  • Block network traffic to
  • Block network traffic to

Run in a networked VM

The last part of this series describes the behavior of this virus in a networked VM.

4 thoughts on “Use CryptoLocker to train your incident response team (part 2)”

  1. Thanks for this interesting blog! Wonder if you could send me the pcap you captured using vmnet-sniffer. Appreciate it.

  2. Spot on with this write-up, I really feel this website needs far
    more attention. I’ll probably be back again to read through more,
    thanks for the information!
