Train your incident response team
This is the second part in a post describing how to train your team for incident response and incident investigations.
The e-mail contained one attachment : email@example.com. Unzipping the file resulted in a .scr file.
-rw-rw-r-- 1 koenvanimpe staff 49152 Feb 4 16:45 franz_krukenberg_str_10_25436_uetersen.scr -rw-rw-r-- 1 koenvanimpe staff 32761 Feb 4 16:45 franz_krukenberg_str_10_25436_uetersen.zip
The sha1 is
99920e112a522e2d1b409e00330022f705c2fec7 franz_krukenberg_str_10_25436_uetersen.scr 630c00846a0242e524d1c17507bf4db47c33b8bb franz_krukenberg_str_10_25436_uetersen.zip
e4b72ce8ea569b12eabf0aef6ed81615 franz_krukenberg_str_10_25436_uetersen.scr a0adb2ccf18f65a102c1c975e7e4baec franz_krukenberg_str_10_25436_uetersen.zip
I uploaded the scr file to Virustotal for further analysis. So far (22-Feb) no-one else submitted a similar sample.
According to Virustotal the file gets recognized by most anti-virus vendors as a CryptoLocker virus.
Symantec describes CryptoLocker.F as :
Trojan.Cryptolocker.F is a Trojan horse that encrypts files on the compromised computer and then prompts the user to purchase a key in order to decrypt them.
CryptoLocker is known as ransomware. The timing in the post by F-Secure describing a rise in CTB-Locker infections corresponds with the time the e-mail was received.
With the use of the Linux command strings I could see that it uses a number of DLLs
cmpbk32.dll KERNEL32.dll SHLWAPI.dll msimg32.dll user32.dll certcli.dll WTSAPI32.dll
The certcli.dll file is a Microsoft DLL that provides communications between a client or intermediary application and certificate services.
The WTSAPI32.dll file is a Microsoft DLL that contains the application programming interface (API) functions that enable application programs to (1) manage terminal services, (2) set and retrieve user configuration information that is specific to terminal services, (3) use terminal services virtual channels, and more, in a terminal services environment.
The SHLWAPI.dll is a Microsoft DLL that is a library which contains functions for UNC and URL paths, registry entries, and color settings.
The file cmpbk32.dll is a Microsoft DLL file which is responsible for a component to Microsoft Connection Manager Phonebook.
With this information we now know that this application has capabilities for
- working with a certificate service
- managing remote services
- working with UNC and URL paths
- working with registry settings
- connecting with the Microsoft Connection Manager Phonebook
These capabilities are confirmed in the remainder of the strings output with calls to
PhoneBookEnumCountries PhoneBookCopyFilter CreateNamedPipe GetCurrentDirectory GetComputerName CreateDirectory UrlCanonicalize CAEnumNextCA CADeleteCA WTSLogoffSession WTSSendMessage
Strings also revealed the use of a library ddi32.dll. As far as I could verify this is a library that helps with drawing. It’s most probably used to build up the notice for the end user that they have a “problem”.
Information before executing the file
When I copied the files to a Windows machine I immediately noticed that the icon of the file mimics to be a Word document. This is done to lure the user into opening the file.
Windows Sandbox – XP
I then decided to execute the file in a virtual machine, a Microsoft Windows XP-SP2. The first step would be to execute it in a VM without external network connectivity. I captured all the network traffic with /Applications/VMware Fusion.app/Contents/Library/vmnet-sniffer in a pcap file.
./vmnet-sniffer -w xp.pcap vmnet1
Opening the file reveals indeed a Word document with the title MARITIME ARCHIVES & LIBRARY Information Sheet 15 ELDER DEMPSTER & COMPANY.
This is a document from the National Museums of Liverpool in the United Kingdom.
After opening the Word document nothing seems to happen. I did not see any network activity at first. After closing the document there was a process that kept running in the background.
It took a couple of minutes before I could see any “unusual” network requests.
There are only two obvious ways network connections from basic malware can happen. Either it connects directly to a hardcoded list of IPs or it does a DNS lookup for a list of hardcoded domains. When I looked at the pcap data I could not see any connections to “unsual” IPs. So I ran tshark against the pcap file to extract the DNS requests and sort them.
tshark -r ../xp.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c
Note that on some Linux flavors you have to use -R instead of -Y.
This resulted in a number of domains mostly involving normal Windows operations. Some of the domains however had nothing to do with the network behavior of a normal Windows computer. In this case the domains bikeceuta.com, cargol.cat, ppc.cba.pl and smartoptionsinc.com are queried several times.
25 bikeceuta.com 29 cargol.cat 30 ppc.cba.pl 9 smartoptionsinc.com
According to Symantec, the CryptoLocker virus downloads its message from a number of command and control servers. I assumed that the domains bikeceuta.com, cargol.cat, ppc.cba.pl and smartoptionsinc.com were used by this version of CryptoLocker to download its additional information.
The domain bikeceuta.com is registered to somone in Spain. At the time of writing, it resolved to 22.214.171.124. This is an IP in Spain. The website of bikeceuta.com returns a page (in Spanish) of a sports bicycle vendor.
Domain Name: BIKECEUTA.COM Updated Date: 2011-05-03T12:58:28.00Z Creation Date: 2011-05-03T20:58:00.00Z Registrant Name: ERNESTO VALERO MORONTA ... bikeceuta.com has address 126.96.36.199 ... inetnum: 188.8.131.52 - 184.108.40.206 netname: ES-AXARNET-NET descr: AXARNET, Nodo en Madrid country: ES
The domain cargol.cat is registered to somone in Spain. At the time of writing, it resolved to 220.127.116.11. This is an IP in Spain. It’s no longer possible to access the website at cargol.cat. You now get a 403 “You don’t have permission to access / on this server.” message.
Domain Name: cargol.cat Created On: 2006-06-23 17:26:54 GMT Last Updated On: 2014-06-23 09:28:04 GMT Registrant Name: Marc ... cargol.cat has address 18.104.22.168 ... inetnum: 22.214.171.124 - 126.96.36.199 netname: FILNET-2 descr: Filnet static IP addresses for Internet servers country: ES
The domain ppc.cba.pl is registered via a registrar in Belize. At the time of writing, it resolved to 188.8.131.52. This is an IP in Holland (belonging to Leaseweb). The webserver of ppc.cba.pl now returns a page with “Page is blocked”. This is a good indication the hoster is aware of the problem.
created: 2005.01.14 14:36:58 last modified: 2015.02.16 11:45:46 renewal date: 2016.03.15 14:36:58 ... REGISTRAR: Abc Hosting Ltd. #7B Neal Pen Road, Belize City Belize email:firstname.lastname@example.org ... ppc.cba.pl has address 184.108.40.206 ... inetnum: 220.127.116.11 - 18.104.22.168 netname: LEASEWEB descr: LeaseWeb
The domain smartoptionsinc.com is registered to somone in the US. At the time of writing, it resolved to 22.214.171.124. This is an IP in the US belonging to Job Options in California. According to the website www.smartoptionsinc.com it is a site of a subsidiary of Job Options Inc, a provider of commercial linen and laundry service for the hospital and healthcare industry. Because of the presence of the “widget area” and blocks I guess that the website is either not finished or abanded. The website is powered by WordPress and reading the HTML source with “/wp-includes/js/jquery/jquery.js?ver=1.6.1” indicate this might be an outdated version of WordPress. Vulnerable WordPress sites are often used in malware campaigns as command and control servers (see for example the CryptoPHP incident)
Registrant: Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited Updated Date: 23-dec-2014 Creation Date: 30-dec-2010 Expiration Date: 30-dec-2015 Agundis, Juan Carlos email@example.com Job Options Inc. 3465 Camino Del Rio South Suite 300 San Diego, CA 92108 US ... smartoptionsinc.com has address 126.96.36.199 ... CIDR 188.8.131.52/28 Name JOB-OPTIONS
Out of these four domains, the Polish domain (ppc.cba.pl) has whois data that has been recently updated.
Similar to the information in the e-mail headers there are sources in different countries.
|184.108.40.206 (smartoptionsinc.com)||United States|
My experiment so far described how this version of CryptoLocker works. I prevented it from actually starting what it is supposed to do by blocking the network access. The next steps involve having it run in a fully networked environment and observe what happens.
Blocking the network access to the command and control servers does not prevent CryptoLocker from starting but it prevents it from doing direct harm to your documents. This is a good reason for having a network setup that blocks outgoing connections to blacklisted domains. Everything depends of course on the quality of the blacklist. It certainly is not a perfect solution but an extra layer of defense.
Also note that some malware checks if it’s being run in a virtualization environment. This was not the case for this sample which made it easier for me to do the analysis.
If you only consider the geographical location and language then the source of this malware could be something Spanish or Central America based. This is highly speculative and it could also be rather a coincidence. Two command and control servers are located in Spain and registered with a Spanish or Catalonian TLD. The registration of one command and control server is in Belize (Central America). The sender IP is in Mexico. One of the IPs of a command and control server is in California (near Mexico).
Based on the information from part 1 and this part we can deliver simple to use IOCs :
- Filter attachments with a name similar to firstname.lastname@example.org
- Reject SMTP connections from 220.127.116.11
- Block network traffic to bikeceuta.com
- Block network traffic to cargol.cat
- Block network traffic to ppc.cba.pl
- Block network traffic to smartoptionsinc.com