Use CryptoLocker to train your incident response team
An incident response and incident investigation team needs to be able to quickly extract useful information from an incident. Instead of writing long theoretical documents I wanted to use the hands-on approach to serve as an example to train a team to quickly extract IOCs from an ongoing incident. What’s better for doing this than to analyze the behavior of CryptoLocker to train an incident response team and analyze the delivery of CryptoLocker?
IOCs or Indicators of Compromise is a set of data that allows your abuse team to defend against computer intrusions.
The information found through this analysis is not new. It’s mostly meant as a demonstration of a thought process for analyzing a real world computer security incident.
I picked a random mail from the work mailbox with an “interesting” attachment. It’s only after running the attachment in a sandbox that I knew it was a version of CryptoLocker.
The message containing the CryptoLocker was received on 4-February 2015. The analysis was done between the 20th and 22nd February 2015.
I first start with analyzing the e-mail. Not everything is relevant for incident response but it does provide the necessary information for setting the scope.
The second part of this analysis will focus on how the CryptoLocker virus behaves and how to extract additional IOCs.
The virus arrives as an attachment to an e-mail
I got a message with subject franz krukenberg str. 10 25436 uetersen coming from “Corrinne Vayon” <email@example.com>. Below are some of the more interesting e-mail headers. I replaced the e-mail domain with c.d and the receiving host with a.b. The host a.b.c.d is the last receiving e-mail server.
Return-Path: <firstname.lastname@example.org> ... Received: from mgtravelpanama.com ([22.214.171.124]) by a.b.c.d. (8.14.4/8.14.4/Debian-4) with SMTP id t14GkkfG007031 for <email@example.com>; Wed, 4 Feb 2015 17:46:48 +0100 ... Message-ID: <firstname.lastname@example.org> Date: Wed, 04 Feb 2015 10:47:00 -0600 From: "Corrinne Vayon" <email@example.com> X-Mailer: Encumbered v2.94 ... Subject: franz krukenberg str. 10 25436 uetersen
The message pretended to be from someone in Germany and contained one attachment, a zipfile with as name my e-mail address (the firstname.lastname@example.org)
Content-Type: application/zip; name="email@example.com" Content-transfer-encoding: base64 Content-Disposition: attachment; filename="firstname.lastname@example.org"
Mail relay information
If we take a closer look at the e-mail headers we notice that the last mail relay before we (a.b.c.d) receive the mail is mgtravelpanama.com ([126.96.36.199]. The IP address is the only thing that we can fully trust, the domain name is what is set as the HELO of the relaying server. The level of trust you can put in a HELO message depends on the configuration of the receiving mailserver. Some mailservers check if the HELO or EHLO hostname has an A or MX record, other mailservers do not do this check.
The IP 188.8.131.52 belongs to Universidad Nacional Autonoma de Mexico in Mexico.
inetnum: 132.248/16 ... owner: Universidad Nacional Autonoma de Mexico
The domain used in the HELO of the relay server is mgtravelpanama.com. Although the HELO message should not be fully trusted, it’s still worth having a look at the registration details. This domain is registered in Panama to Sair Sanmartin. It resolves to 184.108.40.206 which is an IP assigned to Confluence Networks Inc in the Texas, US.
Domain Name: MGTRAVELPANAMA.COM ... Registrant Name: Sair Sanmartin Registrant Organization: neutralcargo Registrant Street: rio abajo av la pulida edf rio plaza Registrant Postal Code: 507 Registrant Country: PA ... Net Range 220.127.116.11 - 18.104.22.168 Origin AS AS32787 AS40034 Customer Confluence Networks Inc. (C03095996) Comments Co-located at Data Foundry Austin TX.
The domain was hacked in 2014-05-14 09:12:37 according to Zone-H.
The sender belongs to the domain omerbektas.com. This domain has been registered in Turkey.
Domain Name: OMERBEKTAS.COM Updated Date: 2015-01-05T13:12:49Z Creation Date: 2013-12-08T19:19:03Z Registrant Name: Domain Borsasi Registrant Country: TR
According to the screenshots this domain has undergone a number of changes. The domain was set in 2006 as a placeholder and having a basic site for a fine arts and architecture faculty in 2007. The site seemed to have been renewed in 2009 and was available until 2011. The screenshots show us the domain became available again in 2014. The current registration “Domain Borsasi” means it’s available for purchase (according to Google Translate this is Turkish for ‘Domain Stock Exchange’). One thing to notice is that the last whois update was done early 2015.
The domain now resolves to 22.214.171.124, a Turkish IP assigned to Sadecehosting.
There are a number of references to an Mr. Omer BEKTAS (+ 90 532 4058339) at wakoweb covering something that has to do with kickboxing.
The From name is Corrinne Vayon. A Google search returns three hits, all in the US with two of them in Florida. There’s nothing useful to learn from this.
- 321-274-8796 – Corrinne Vayon, Ehrler Ln, Winter Park, Florida
- 662-292-1566 – Corrinne Vayon, Brookside Dr, Senatobia, Mississippi
- 352-854-9441 – Corrinne Vayon, NW 40th St, Ocala, Florida
The e-mailer is Encumbered v2.94. I could not find anything worth noting for this mailer.
Message body information
The last thing we can look at it is the content of the mail itself. It pretends to come from Germany, from a town called Uetersen, somewhere in the north of Germany.
The full address is Franz Krukenberg Str. 10 25436 Uetersen. This address belongs to a metal processing company, Metallbau Breutigam GmbH. They have a website that is hosted in Germany at Strato Rechenzentrum, Berlin.
breutigam.de has address 126.96.36.199 ... inetnum: 188.8.131.52 - 184.108.40.206 netname: STRATO-RZG-KA org: ORG-SRA1-RIPE descr: Strato Rechenzentrum, Berlin country: DE
Similar to the From name, this address seems to be randomly chosen and there’s nothing really useful we can learn from this.
The data in the e-mail header returned some interesting results. There are no country boundries on the Internet. I’m well aware that some of the information has been spoofed but only looking at the e-mail headers shows that Mexico, Panama, United States, Turkey and Germany are involved. It’s not difficult to image that incidents that cover different countries are a nightmare for law enforcement agencies.
|Sender IP address||220.127.116.11||Mexico||Universidad Nacional Autonoma de Mexico|
|Sender HELO||mgtravelpanama.com||Panama||Sair Sanmartin ; neutralcargo|
|Sender HELO resolve||18.104.22.168||United States||Confluence Networks Inc|
|Sender From||omerbektas.com||Turkey||Domain Borsasi|
|Sender From||Mr. Omer BEKTAS||Turkey||http://www.wakoweb.com/Pdf/10614.pdf|
|Sender From IP||22.214.171.124||Turkey||Sadecehosting|
|Postal address sender||Franz Krukenberg Str. 10 25436 Uetersen||Germany||–|
The use of the domain omerbektas.com shows us that attackers reuse abandoned domains, probably hoping that a good (mail-)reputation of these domains allow them easier access to your mailbox.
Peculiar things to notice
The analysis of the e-mail headers learns us that we should block (or at least look closely) at e-mails coming from 126.96.36.199 or having the HELO mgtravelpanama.com or having the FROM set to @omerbektas.com.
|mgtravelpanama.com||Hacked in 2014-05-14 09:12:37|
|omerbektas.com||No longer used after 2014-02-09|
|omerbektas.com||Last change at 2015-01-05|
|attachment||The attachment has a name that corresponds to the receiving e-mail adddress|