2016-02-10 - Archeology

Cryptowall son of Borracho (Flimrans) ?

Lately I received multiple questions about connection between Reveton and Cryptowall.
I decided to have a look.

A search in ET Intelligence portal at domains from Yonathan's Cryptowall Tracker

ET Intelligence search on Specspa .com
show that the first sample ET has talking with it is :
e2f4bb542ea47e8928be877bb442df1b  2013-10-20

A look at the http connexion shows the "us.bin" call mentioned by Yonathan (btw the us.bin item is still live there)

ET Intelligence  : e2f4bb542ea47e8928be877bb442df1b http connexions
ET Intelligence : Associated alert pointing at Cryptowall.

A look into VirusTotal Intelligence shows that this sample is available in a Pcap captured and shared by ThreatGlass :

NSFW://www.threatglass .com/malicious_urls/sunporno-com

Himan EK dropping Cryptowall 2013-10-20
captured by ThreatGlass

With the same referer and in the same Exploit Kit i got dropped 20 days earlier Flimrans :
(See : http://malware.dontneedcoffee.com/2013/10/HiMan.html )

Flimrans disappeared soon after this post from 2013-10-08 about the affiliate :

Interestingly Flimrans is showing in US the same Design from Reveton pointed by Yonathan :

Flimrans US 2013-10-03

What is worth mentioning is that Flimrans was the only ransomware (i am aware of) to show a Spanish version of this same design :

Flimrans ES 2013-10-03

The timeline is also inline with a link between those two Ransomware (whereas Reveton was still being distributed months after these events).

Digging into my notes/fiddlers i even found that this bworldonline .com which is still hosting the us.bin was in fact also the redirector to HiMan dropping Flimrans 20 days earlier from same sunporno upper.
[The credits goes to Eoin Miller who at that time pointed that infection path allowing me to replay it]

The compromised server storing the first design Blob used by cryptowall
used to redirect 20 days earlier to Himan dropping Flimrans (which is using that same design).

So...Cryptowall son of Borracho? I don't know for sure...but that could to be a possibility.

Files : Items mentionned here. (password is malware)

Read More:
HiMan Exploit Kit. Say Hi to one more - 2013-10-02
Flimrans Affiliate : Borracho - 2013-10-08