CryptoWall 3.0: How It Works
Term Project
CS690 Network Security
Tandhy Simanjuntak
Agenda
• History
• Infection
• Tools
• Analysis
• Conclusion
History
CryptoWall
• File-encrypting ransomware
• Q1 2014 (Nov 2013) [5]
• CryptoClone, CryptoDefense [5]
• Encrypted environments: TOR network, Bitcoin
Infection
Figure: infection paths. (a) Email: attachments, links; (b) Browser exploit kits: drive-by download (download request).
Infection: Link
Infection: Email (subject lines observed)
• USPS – Your package is available for pickup (Parcel 173145820507)
• Fwd: IMG01041_6706015_m.zip
• FW: Invoice <random number>
• My resume
• ADP payroll: Account Charge Alert
• New Voicemail Message
• Important – attached form
• Important – New Outlook Settings
• FW: Last Month Remit Scan Data
• McAfee Always On Protection Reactivation
• New contract agreement
• Scanned Image from a Xerox WorkCentre
• Important Notice – Incoming Money Transfer
• Payroll Invoice
• Payment Overdue – Please respond
Infection: Upatre downloader
• June 5th 2014: largest single-day infection
• Legitimate cloud hosting: Dropbox, Cubby, and MediaFire
• Banking Trojan: Gameover Zeus, Dyre
Tools
Dynamic Analysis
• Process Explorer
• Process Monitor
• Wireshark
• RegShot / captureBAT
Static Analysis
• REMnux: pyew, Strings, pescanner, densityScout, trid
• Hex Editor
Forensic
• Scalpel
• EnCase Forensic
Hardware
• Host: Kali Linux
• VM: Windows XP
Analysis: Dynamic
Creates files
• Cryptowall.exe -> C:\Documents and Settings\<user>\%AppData%\<random name>.exe
• Kdtsndl.exe -> C:\Documents and Settings\<user>\%AppData%\key.dat
• Kdtsndl.exe -> C:\Documents and Settings\<user>\Desktop\log.html
Key.dat (contents shown on the slide)
114GCa7RevREjed65TRCepdLPPpbxh7Pa4
Creates registry values
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscfg:
"C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*mscfg:
"C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"
Deletes original
• Deletes from original location: Desktop
• Deletes shadow copies
Analysis: Encryption (diagram)
PDF file read into memory in 16-byte blocks (the same bytes appear in the "PDF file" and "Memory" boxes):
2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36
3233 2030 206f 626a 0a3c 3c0a 2f50 2036
3031 2030 2052 0a2f 5320 2f4c 696e 6b0a
2f54 7970 6520 2f53 7472 7563 7445 6c65
(decoded as ASCII: "%PDF-1.5", the binary comment line, "623 0 obj", "<<", "/P 601 0 R", "/S /Link", "/Type /StructEle")
Diagram labels: PDF file, Memory, CryptoAPI, steps 1 to 4, New .PDF file.
Blocks drawn for the new .PDF file (xxxx as drawn on the slide):
xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
xxxx 2f54 7970 6520 2f53 7472 7563 7445
3c0a 3031 2030 2052 0a2f 5320 2f4c 696e
6b0a 3233 2030 206f 626a 0a3c 3c0a 2f50
xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
xxxx 2030 206f 626a 0a3c 3c0a 2f50 2036
2f54 7970 6520 2f53 7472 7563 7445 3c0a
3031 2030 2052 0a2f 5320 2f4c 696e 6b0a
3233 2030 206f 626a 0a3c 3c0a 2f50 2036
0a36 4446 2d31 2e35 0a25 e2e3 cfd3 0a36
Analysis: Encryption
Moves new .pdf file -> .pdf.ecc file
• Loads new .pdf file
• Creates .pdf.ecc file
• Deletes new .pdf file
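The dynamic-analysis slides above list three behaviours a monitor can key on: an executable written under the user profile, Run/RunOnce values pointing at it, and the load -> create .ecc -> delete sequence on each document. The following is an added example (not code from the slides) that runs that triage over Process Monitor style events. The log lines are constructed for this example, not a real capture; the column layout assumed is Process Monitor's CSV export ("Time of Day","Process Name","PID","Operation","Path","Result","Detail"), and the paths follow the Windows XP layout shown on the slides.

```python
"""Behavioural triage of Process Monitor style events for the pattern the
slides describe: an executable dropped under the user profile, Run/RunOnce
values pointing at it, and the load -> write .ecc -> delete sequence on
user documents.  Added example for this page; the events are constructed.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon-style CSV (not real capture data).
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.001","Cryptowall.exe","1204","CreateFile","C:\Documents and Settings\winXP\Application Data\kdtsndl.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.050","kdtsndl.exe","1320","CreateFile","C:\Documents and Settings\winXP\Application Data\key.dat","SUCCESS","Desired Access: Generic Write"
"10:01:02.300","kdtsndl.exe","1320","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscfg","SUCCESS","Type: REG_SZ, Data: C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"
"10:01:02.310","kdtsndl.exe","1320","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*mscfg","SUCCESS","Type: REG_SZ, Data: C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"
"10:01:05.000","kdtsndl.exe","1320","CreateFile","C:\Documents and Settings\winXP\Desktop\report.pdf","SUCCESS","Desired Access: Generic Read"
"10:01:05.020","kdtsndl.exe","1320","CreateFile","C:\Documents and Settings\winXP\Desktop\report.pdf.ecc","SUCCESS","Desired Access: Generic Write"
"10:01:05.030","kdtsndl.exe","1320","SetDispositionInformationFile","C:\Documents and Settings\winXP\Desktop\report.pdf","SUCCESS","Delete: True"
"10:01:05.100","kdtsndl.exe","1320","CreateFile","C:\Documents and Settings\winXP\Desktop\log.html","SUCCESS","Desired Access: Generic Write"
"10:02:00.000","notepad.exe","800","CreateFile","C:\Documents and Settings\winXP\Desktop\notes.txt","SUCCESS","Desired Access: Generic Read"
'''

# Autorun locations the slides show being written (Run and RunOnce).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# An .exe written under the XP per-user Application Data directory.
PROFILE_EXE_RE = re.compile(
    r"^C:\\Documents and Settings\\[^\\]+\\Application Data\\[^\\]+\.exe$",
    re.IGNORECASE)
RANSOM_SUFFIX = ".ecc"   # extension the sample appends to encrypted files


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(text):
    """Return {process name: {"findings": [...], "score": int}} for every
    process that shows at least one of the suspicious behaviours."""
    report = defaultdict(lambda: {"findings": [], "score": 0})
    dropped = set()                # lower-cased paths of dropped executables
    opened = defaultdict(set)      # process -> documents it opened for read
    encrypted = defaultdict(set)   # process -> originals that got an .ecc twin

    def flag(proc, weight, msg):
        report[proc]["findings"].append(msg)
        report[proc]["score"] += weight

    for ev in parse_events(text):
        proc, op, path, detail = (ev["Process Name"], ev["Operation"],
                                  ev["Path"], ev["Detail"])
        low = path.lower()
        if op == "CreateFile" and "Generic Write" in detail and PROFILE_EXE_RE.match(path):
            dropped.add(low)
            flag(proc, 2, "executable dropped under user profile: " + path)
        elif op == "RegSetValue" and RUN_KEY_RE.search(path):
            target = detail.split("Data: ", 1)[-1].strip().lower()
            msg = "autorun value written: " + path
            if target in dropped:
                msg += " -> points at dropped executable"
            flag(proc, 3 if target in dropped else 1, msg)
        elif op == "CreateFile" and "Generic Read" in detail:
            opened[proc].add(low)
        elif op == "CreateFile" and low.endswith(RANSOM_SUFFIX):
            original = low[:-len(RANSOM_SUFFIX)]
            if original in opened[proc]:          # read original, then wrote .ecc
                encrypted[proc].add(original)
                flag(proc, 2, "read-then-write with ransomware extension: " + path)
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            if low in encrypted[proc]:            # original removed after .ecc written
                flag(proc, 2, "original deleted after encrypted copy written: " + path)
    return {p: dict(r) for p, r in report.items()}


if __name__ == "__main__":
    for proc, r in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{proc}: score {r['score']}")
        for finding in r["findings"]:
            print("  -", finding)
```

The weights are arbitrary; what matters is that the three behaviours are scored together per process, so a single document rename or a single Run value does not by itself trip the alert, while the dropper plus persistence plus read/write/delete chain does.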
Analysis: Encryption (targeted file extensions, as listed on the slide)
.3fr .cr2 .ff, .ff* .lrf .odp .ptx .slm .wb2
.7z* .crt .flv .ltx .ods .py, .py* .snx .wma
.ai* .crw .fos .lvl .odt .qdf .sql .wmo
.apk .css .fpk .m2, .m2* .orf .qic .sr2 .wmv
.arw .csv .fsh .m3u .p12 .r3d .srf .wpd
.avi .das .gdb .m4a .p7b .raf .srw .wps
.bar .db, .db* .gho .map .p7c .rar .sum .x3f
.bay .dcr .hkx .mdb .pak .raw .svg .xf, .xf8
.bc6 .der .itl .mdf .pdd .rb, .rb* .t12 .xlk
.bc7 .dmp .itm .mef .pdf .re4 .t13 .xls
.big .dng .iwd .mlx .pef .rim .tax .xlsx
.bik .doc .iwi .mov .pem .rtf .tor .xxx
.bkf .docx .jpe .mp4 .pfx .rw2 .txt .zip
.bkp .dwg .jpg .ncf .png .rwl .upk
.bsa .dxg .js, .js* .nrw .ppt .sav .vcf
.cas .epk .kdb .ntl .pptx .sb, .sb* .vdf
.cdr .eps .kdc .odb .psd .sid .vpk
.cer .erf .kf, .kf* .odc .psk .sie .vtf
Analysis: Encryption
• Internet independent
Encrypted file
• Modules
• File signature
Modules
Normal file creation
• 21 modules
CryptoWall file creation
• 50 modules
• Windows’ cryptographic modules: crypt32.dll
Raw data pattern
• Beginning / header
• End / footer
Encrypted File: File signature
File type              Signature
Microsoft Office file  D0 CF 11 E0 A1 B1 A1 E1
JPG file               FF D8 FF E0 | FF D9
PDF file               25 50 44 46
(Slides compare an un-encrypted .docx file with an encrypted .docx file, and an un-encrypted .pdf file with an encrypted .pdf file.)
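The file-signature slides make a simple defensive point: an encrypted document no longer starts with the header its extension promises. The following is an added example (not code from the slides) that turns that into a check, combined with a Shannon-entropy measurement, since encrypted output is close to 8 bits per byte while a plain document is not. The PDF (25 50 44 46) and JPEG (FF D8 FF, trailer FF D9) values come from the slide's table; for the compound-document signature the value used is D0 CF 11 E0 A1 B1 1A E1 as given in Kessler's table [4]; .docx/.xlsx are OOXML ZIP containers and start with 50 4B 03 04. The sample inputs are constructed: the PDF bytes reproduce the slide's memory dump, and the "ciphertext" is seeded pseudo-random data standing in for encrypted output.

```python
"""Signature and entropy check for documents that may have been encrypted
in place.  Added example for this page; sample inputs are constructed."""
import math
import random
from collections import Counter

# extension -> (expected header, expected trailer or None)
SIGNATURES = {
    ".pdf":  (b"%PDF", None),                              # 25 50 44 46
    ".jpg":  (b"\xff\xd8\xff", b"\xff\xd9"),               # FF D8 FF ... FF D9
    ".jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    ".doc":  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),  # OLE2 compound file [4]
    ".xls":  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),
    ".docx": (b"PK\x03\x04", None),                        # OOXML is a ZIP container
    ".xlsx": (b"PK\x03\x04", None),
}
RANSOM_SUFFIX = ".ecc"   # extension the sample on the slides appends

# Constructed samples.  SAMPLE_PDF reproduces the bytes from the slide's
# memory dump; SAMPLE_CIPHERTEXT is seeded pseudo-random data, not real
# ciphertext, used only to stand in for encrypted output.
SAMPLE_PDF = (b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n623 0 obj\n<<\n/P 601 0 R\n"
              b"/S /Link\n/Type /StructElem\n")
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
_rng = random.Random(1)   # fixed seed so the sample is reproducible
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(1024))


def shannon_entropy(data):
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(name, data):
    """Classify one (file name, content) pair.  Verdicts: 'ok',
    'signature-mismatch', 'ransom-extension', 'unknown-type'."""
    lower = name.lower()
    renamed = lower.endswith(RANSOM_SUFFIX)
    if renamed:
        lower = lower[:-len(RANSOM_SUFFIX)]          # look at the original extension
    ext = lower[lower.rfind("."):] if "." in lower else ""
    result = {"name": name, "entropy": round(shannon_entropy(data), 2)}
    if renamed:
        result["verdict"] = "ransom-extension"
        return result
    if ext not in SIGNATURES:
        result["verdict"] = "unknown-type"
        return result
    header, trailer = SIGNATURES[ext]
    header_ok = data.startswith(header)
    # ignore trailing NUL padding before checking the footer
    trailer_ok = trailer is None or data.rstrip(b"\x00").endswith(trailer)
    result.update(header_ok=header_ok, trailer_ok=trailer_ok,
                  verdict="ok" if header_ok and trailer_ok else "signature-mismatch")
    return result


def scan(files):
    """files: {name: bytes}.  Return the names that look encrypted or renamed."""
    return sorted(n for n, d in files.items()
                  if check_file(n, d)["verdict"] in ("signature-mismatch", "ransom-extension"))


if __name__ == "__main__":
    samples = {"report.pdf": SAMPLE_PDF, "photo.jpg": SAMPLE_JPEG,
               "budget.pdf": SAMPLE_CIPHERTEXT, "notes.pdf.ecc": SAMPLE_CIPHERTEXT}
    for name, data in samples.items():
        print(check_file(name, data))
    print("suspicious:", scan(samples))
```

A signature check alone misses files whose original type is unknown to the table, and entropy alone misfires on already-compressed formats such as ZIP or JPEG bodies; the two together, plus the known appended extension, are what make the verdict usable on a real tree.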
Analysis: Network
• ipinfo.io
• 7tno4hib47vlep5o.42kjb11.net
• 7tno4hib47vlep5o.42kjb12.net
• 7tno4hib47vlep5o.tor2web.blutmagie.de
• 7tno4hib47vlep5o.tor2web.fi
(Capture shown on slide: traffic to 7tno4hib47vlep5o.42kjb11.net)
Analysis: Static
• REMnux: pyew, Strings, pescanner, densityScout, trid
Analysis: Forensic
Reads .pdf -> saves as new .pdf
Moves new .pdf -> .pdf.ecc
• Deletes new .pdf
• Creates .pdf.ecc
Forensic tools
• Scalpel, EnCase Forensic
Analysis: Forensic (diagrams)
First diagram: the PDF file and Memory boxes carry the same 16-byte blocks as the Encryption diagram (2550 4446 2d31 2e35 ...), followed by:
2f54 7970 6520 2f53 7472 7563 7445 3c0a
3031 2030 2052 0a2f 5320 2f4c 696e 6b0a
3233 2030 206f 626a 0a3c 3c0a 2f50 2036
0a36 4446 2d31 2e35 0a25 e2e3 cfd3 0a36
Diagram labels: Load, Write, Delete (steps 1 to 3); New .PDF file.
Second diagram: New .PDF file (xxxx as drawn on the slide)
xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
xxxx 2f54 7970 6520 2f53 7472 7563 7445
3c0a 3031 2030 2052 0a2f 5320 2f4c 696e
6b0a 3233 2030 206f 626a 0a3c 3c0a 2f50
compared with the original PDF file:
2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36
3233 2030 206f 626a 0a3c 3c0a 2f50 2036
3031 2030 2052 0a2f 5320 2f4c 696e 6b0a
2f54 7970 6520 2f53 7472 7563 7445 6c65
Conclusion
Ransomware
• TOR network
• Bitcoin
• No internet
• Unable to carve
Email
• Attachment
• Link
Further Analysis
• Dynamic: debugger
• Static: REs
Be Paranoid!
References
1. Fruz, A. (2014). Cryptolocker. Retrieved from InfoSec Institute site: resources.infosecinstitute.com/cryptolocker/
2. Virustotal.com (2015). Cryptowall file identification. Retrieved from Virustotal site: https://www.virustotal.com/en/file/685a9578c314b8a191160e89313674772cfa4adcb73112336321eb06ddd750c9/analysis/
3. JAMESWT (2015). Cryptowall (2015 03 23). Retrieved from Malware Tips site: http://malwaretips.com/threads/cryptowall-2015-03-23.43940/
4. Kessler, G. (2014). File Signature Table. Retrieved from Gary Kessler site: http://www.garykessler.net/library/file_sigs.html
5. Dell SecureWorks Counter Threat Unit™ Threat Intelligence (2014). Cryptowall Ransomware. Retrieved from Dell SecureWorks site: http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
6. Malwr.com (2015). Cryptowall file identification. Retrieved from Malwr site: https://malwr.com/analysis/ZDQ5OGI2NDMzNDJjNGQxYzkyNGVjM2U1YTIxZDUzNzU/

Mais conteúdo relacionado

Destaque

Securing the Healthcare Industry : Implantable Medical Devices
Securing the Healthcare Industry : Implantable Medical DevicesSecuring the Healthcare Industry : Implantable Medical Devices
Securing the Healthcare Industry : Implantable Medical DevicesTandhy Simanjuntak
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapWAJAHAT IQBAL
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Évolution des bonnes pratiques en sécurité de l'information avec COBIT 5
Évolution des bonnes pratiques en sécurité de l'information avec COBIT 5Évolution des bonnes pratiques en sécurité de l'information avec COBIT 5
Évolution des bonnes pratiques en sécurité de l'information avec COBIT 5ISACA Chapitre de Québec
 

Destaque (7)

A Closer Look on C&C Panels
A Closer Look on C&C PanelsA Closer Look on C&C Panels
A Closer Look on C&C Panels
 
Securing the Healthcare Industry : Implantable Medical Devices
Securing the Healthcare Industry : Implantable Medical DevicesSecuring the Healthcare Industry : Implantable Medical Devices
Securing the Healthcare Industry : Implantable Medical Devices
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - Mindmap
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Évolution des bonnes pratiques en sécurité de l'information avec COBIT 5
Évolution des bonnes pratiques en sécurité de l'information avec COBIT 5Évolution des bonnes pratiques en sécurité de l'information avec COBIT 5
Évolution des bonnes pratiques en sécurité de l'information avec COBIT 5
 

Semelhante a CryptoWall: How It Works

EBS in an hour: Build a Vision instance - FAST - in Oracle Virtualbox
EBS in an hour: Build a Vision instance - FAST - in Oracle VirtualboxEBS in an hour: Build a Vision instance - FAST - in Oracle Virtualbox
EBS in an hour: Build a Vision instance - FAST - in Oracle Virtualboxjpiwowar
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!EC-Council
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Tzung-Bi Shih
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Cloud OS development
Cloud OS developmentCloud OS development
Cloud OS developmentSean Chang
 
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason JonesASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jonesarborjjones
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrGeorg Knon
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Aaron Lancaster
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...Robert Conti Jr.
 
Building OpenDNS Stats
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS StatsGeorge Ang
 
NetConf 2018 BPF Observability
NetConf 2018 BPF ObservabilityNetConf 2018 BPF Observability
NetConf 2018 BPF ObservabilityBrendan Gregg
 
Threat Report: Sys32.exe Trojan.Generic (Turkish)
Threat Report: Sys32.exe Trojan.Generic (Turkish)Threat Report: Sys32.exe Trojan.Generic (Turkish)
Threat Report: Sys32.exe Trojan.Generic (Turkish)Dariush Nasirpour
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
A New Framework for Detection
A New Framework for DetectionA New Framework for Detection
A New Framework for DetectionSourcefire VRT
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...Igor Korkin
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화
[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화
[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화InfraEngineer
 

Semelhante a CryptoWall: How It Works (20)

EBS in an hour: Build a Vision instance - FAST - in Oracle Virtualbox
EBS in an hour: Build a Vision instance - FAST - in Oracle VirtualboxEBS in an hour: Build a Vision instance - FAST - in Oracle Virtualbox
EBS in an hour: Build a Vision instance - FAST - in Oracle Virtualbox
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Cloud OS development
Cloud OS developmentCloud OS development
Cloud OS development
 
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason JonesASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
 
Building OpenDNS Stats
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS Stats
 
NetConf 2018 BPF Observability
NetConf 2018 BPF ObservabilityNetConf 2018 BPF Observability
NetConf 2018 BPF Observability
 
Threat Report: Sys32.exe Trojan.Generic (Turkish)
Threat Report: Sys32.exe Trojan.Generic (Turkish)Threat Report: Sys32.exe Trojan.Generic (Turkish)
Threat Report: Sys32.exe Trojan.Generic (Turkish)
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
A New Framework for Detection
A New Framework for DetectionA New Framework for Detection
A New Framework for Detection
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware Analysis
 
[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화
[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화
[MeetUp][1st] 오픈소스를 활용한 xflow 수집-시각화
 
Performance Risk Management
Performance Risk ManagementPerformance Risk Management
Performance Risk Management
 

Último

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 

Último (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

CryptoWall: How It Works

  • 1. CryptoWall 3.0: How It Works Term Project CS690 Network Security Tandhy Simanjuntak
  • 2.
  • 3.
  • 6. File-encrypting ransomware Q1 2014 (Nov 2013) [5] CryptoClone, CryptoDefense [5] Encrypted environments •TOR network •Bitcoin CryptoWall
  • 10. Infection USPS – Your package is available for pickup (Parcel 173145820507) Fwd: IMG01041_6706015_m.zip FW: Invoice <random number> My resume ADP payroll: Account Charge Alert New Voicemail Message Important – attached form Important – New Outlook Settings FW: Last Month Remit Scan Data McAfee Always On Protection Reactivation New contract agreement Scanned Image from a Xerox WorkCentre Important Notice – Incoming Money Transfer Payroll Invoice Payment Overdue – Please respond Email
  • 11. Infection Upatre downloader • June 5th 2014: largest single-day infection • Legitimate cloud hosting: Dropbox, Cubby, and MediaFire • Banking Trojan: Gameover Zeus, Dyre
  • 12. Tools
  • 13. Tools Dynamic Analysis • Process Explorer • Process Monitor • Wireshark • RegShot / captureBAT Static Analysis • REMnux: pyew, Strings, pescanner, densityScout, trid • Hex Editor
  • 14. Tools Forensic • Scalpel • EnCase Forensic Hardware • Host: Kali Linux • VM: Windows XP
  • 16. Analysis Create files • Cryptowall.exe  C:Documents and Settings<user>%AppData%<random name>.exe" • Kdtsndl.exe  C:Documents and Settings<user>%AppData%key.dat • Kdtsndl.exe  C:Documents and Settings<user>Desktoplog.html Dynamic Analysis
  • 19. Analysis Creates registry values HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunmscfg: "C:Documents and SettingswinXPApplication Datakdtsndl.exe" HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce*mscfg: "C:Documents and SettingswinXPApplication Datakdtsndl.exe"
  • 20. Analysis Deletes original • Deletes from original location : Desktop Delete shadow copies
  • 21. Analysis Encryption 2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36 3233 2030 206f 626a 0a3c 3c0a 2f50 2036 3031 2030 2052 0a2f 5320 2f4c 696e 6b0a 2f54 7970 6520 2f53 7472 7563 7445 6c65 16 bytes . MemoryPDF file 2550 4446 2d31 2e35 0a25 e2e3 cfd3 0a36 3233 2030 206f 626a 0a3c 3c0a 2f50 2036 3031 2030 2052 0a2f 5320 2f4c 696e 6b0a 2f54 7970 6520 2f53 7472 7563 7445 6c65 16 bytes . xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 2f54 7970 6520 2f53 7472 7563 7445 3c0a 3031 2030 2052 0a2f 5320 2f4c 696e 6b0a 3233 2030 206f 626a 0a3c 3c0a 2f50 xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 2030 206f 626a 0a3c 3c0a 2f50 2036 2f54 7970 6520 2f53 7472 7563 7445 3c0a 3031 2030 2052 0a2f 5320 2f4c 696e 6b0a 3233 2030 206f 626a 0a3c 3c0a 2f50 2036 0a36 4446 2d31 2e35 0a25 e2e3 cfd3 0a36 CryptoAPI 1 2 3 4 New .PDF file
  • 22. Analysis Encryption Moves new .pdf file  .pdf.ecc file • Loads new .pdf file • Creates .pdf.ecc file • Delete new .pdf file
  • 23. .3fr .cr2 .ff, .ff* .lrf .odp .ptx .slm .wb2 .7z* .crt .flv .ltx .ods .py, .py* .snx .wma .ai* .crw .fos .lvl .odt .qdf .sql .wmo .apk .css .fpk .m2, .m2* .orf .qic .sr2 .wmv .arw .csv .fsh .m3u .p12 .r3d .srf .wpd .avi .das .gdb .m4a .p7b .raf .srw .wps .bar .db, .db* .gho .map .p7c .rar .sum .x3f .bay .dcr .hkx .mdb .pak .raw .svg .xf, .xf8 .bc6 .der .itl .mdf .pdd .rb, .rb* .t12 .xlk .bc7 .dmp .itm .mef .pdf .re4 .t13 .xls .big .dng .iwd .mlx .pef .rim .tax .xlsx .bik .doc .iwi .mov .pem .rtf .tor .xxx .bkf .docx .jpe .mp4 .pfx .rw2 .txt .zip .bkp .dwg .jpg .ncf .png .rwl .upk .bsa .dxg .js, .js* .nrw .ppt .sav .vcf .cas .epk .kdb .ntl .pptx .sb, .sb* .vdf .cdr .eps .kdc .odb .psd .sid .vpk .cer .erf .kf, .kf* .odc .psk .sie .vtf Analysis Encryption
  • 25. Analysis – Encryption: encrypted file, modules
    • Normal file creation: 21 modules
    • CryptoWall file creation: 50 modules
    • Windows' cryptographic module: crypt32.dll
  • 27. Analysis – Encryption: encrypted file, file signature
    • Raw data pattern: beginning / header, end / footer
    File signatures by file type:
    • Microsoft Office file: D0 CF 11 E0 A1 B1 A1 E1
    • JPG file: FF D8 FF E0 (header) | FF D9 (footer)
    • PDF file: 25 50 44 46
  • 28. Analysis – Encryption: encrypted file, file signature (figure: un-encrypted .docx file beside encrypted .docx file)
  • 29. Analysis – Encryption: encrypted file, file signature (figure: un-encrypted .pdf file beside encrypted .pdf file)
  • 30. Analysis – Network
    • ipinfo.io
    • 7tno4hib47vlep5o.42kjb11.net
    • 7tno4hib47vlep5o.42kjb12.net
    • 7tno4hib47vlep5o.tor2web.blutmagie.de
    • 7tno4hib47vlep5o.tor2web.fi
  • 32. Analysis – Static Analysis: REMnux
    • REMnux tools: pyew, Strings, pescanner, densityScout, trid
  • 33. Analysis – Forensic
    • Reads the .pdf → saves it as a new .pdf
    • Moves the new .pdf → .pdf.ecc
    • Deletes the new .pdf
    • Creates .pdf.ecc
    • Forensic tools: Scalpel, EnCase Forensic
  • 34. Analysis – Forensic (diagram): the PDF file (header "%PDF-1.5", shown as hex) is loaded into memory 16 bytes at a time and written out as a new .PDF file, and the original is deleted (steps 1–3: Load, Write, Delete).
  • 35. Analysis – Forensic (diagram): the new .PDF file, with its leading bytes encrypted (shown as xxxx), beside the original PDF file.
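Slide 27's header/footer signatures and the carving step of slide 33 together, as an added example that is not the deck's own code: the file-signature table is used first to spot files whose bytes no longer match their extension, then for a Scalpel-style header/footer carve over a constructed raw image, which recovers the plaintext PDF and JPEG but finds nothing inside the ciphertext (an XOR stand-in, not CryptoWall's cipher). The sample bytes and the %%EOF trailer used as the PDF footer are assumptions not on the slides.

```python
"""Signature checks for the file types in the deck's table (Office, JPG, PDF):
does a file still match its extension, and a Scalpel-style header/footer carve
over a raw image. Added example, not from the deck; the bytes below are
constructed and the XOR stand-in is not CryptoWall's cipher."""
import os

# Headers and JPG's FF D9 footer are the deck's; PDF's %%EOF footer is added here.
SIGNATURES = {
    "office": (bytes.fromhex("D0CF11E0A1B1A1E1"), None),
    "jpg": (bytes.fromhex("FFD8FFE0"), bytes.fromhex("FFD9")),
    "pdf": (bytes.fromhex("25504446"), b"%%EOF"),
}
EXT_TO_TYPE = {".doc": "office", ".xls": "office", ".ppt": "office",
               ".jpg": "jpg", ".pdf": "pdf"}

# Constructed sample data: a tiny PDF, a XOR "ciphertext" of it, a tiny JPEG,
# and a raw "disk image" with slack space around them.
PDF = b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
CIPHERTEXT = bytes(b ^ 0x5A for b in PDF)
JPG = bytes.fromhex("FFD8FFE0") + b"\x00\x10JFIF\x00" + b"\x11" * 20 + bytes.fromhex("FFD9")
DISK_IMAGE = b"\x00" * 64 + PDF + b"\x00" * 32 + CIPHERTEXT + b"\x00" * 16 + JPG


def extension_matches_content(name, data):
    """True/False if the extension has a known signature and the bytes do/don't
    start with it; None for extensions not in the table (for instance .ecc)."""
    kind = EXT_TO_TYPE.get(os.path.splitext(name)[1].lower())
    return None if kind is None else data.startswith(SIGNATURES[kind][0])


def carve(image, kind, max_len=4096):
    """Return each header..footer slice of `kind` in `image`, as a header/footer
    carver does; without a footer (or a footer hit) the slice is max_len long."""
    header, footer = SIGNATURES[kind]
    out, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        limit = min(len(image), start + max_len)
        end = image.find(footer, start + len(header), limit) if footer else -1
        stop = end + len(footer) if end != -1 else limit
        out.append(image[start:stop])
        pos = stop
    return out


def triage(files):
    """Names whose bytes no longer carry the signature their extension implies."""
    return [n for n, d in files.items() if extension_matches_content(n, d) is False]
```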
  • 37. Conclusion
    • Ransomware: TOR network, Bitcoin
    • No internet
    • Unable to carve
    • Email: attachment, link
    • Further analysis: dynamic – debugger; static – REs
  • 39. References
    1. Fruz, A. (2014). Cryptolocker. Retrieved from InfoSec Institute site: resources.infosecinstitute.com/cryptolocker/
    2. Virustotal.com (2015). Cryptowall file identification. Retrieved from VirusTotal site: https://www.virustotal.com/en/file/685a9578c314b8a191160e89313674772cfa4adcb73112336321eb06ddd750c9/analysis/
    3. JAMESWT (2015). Cryptowall (2015 03 23). Retrieved from Malware Tips site: http://malwaretips.com/threads/cryptowall-2015-03-23.43940/
    4. Kessler, G. (2014). File Signature Table. Retrieved from Gary Kessler site: http://www.garykessler.net/library/file_sigs.html
    5. Dell SecureWorks Counter Threat Unit™ Threat Intelligence (2014). Cryptowall Ransomware. Retrieved from Dell SecureWorks site: http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
    6. Malwr.com (2015). Cryptowall file identification. Retrieved from Malwr site: https://malwr.com/analysis/ZDQ5OGI2NDMzNDJjNGQxYzkyNGVjM2U1YTIxZDUzNzU/

Editor's Notes

  1. TOR is an encrypted network made up of volunteer-run nodes all over the world. It works by relaying the connection from its origin through several nodes before it reaches the destination. Bitcoin is a digital currency that offers anonymity to its owner.
  2. A drive-by download refers to the unintentional download of a virus or malicious software (malware) onto your computer or mobile device. A drive-by download will usually take advantage of (or "exploit") a browser, app, or operating system that is out of date and has a security flaw. This initial code that is downloaded is often very small (so you probably wouldn't notice it), since its job is often simply to contact another computer where it can pull down the rest of the code onto your smartphone, tablet, or computer. Often, a web page will contain several different types of malicious code, in the hope that one of them will match a weakness on your computer. These downloads may be placed on otherwise innocent and normal-looking websites. You might receive a link in an email, text message, or social media post that tells you to look at something interesting on a site. When you open the page, while you are enjoying the article or cartoon, the download is installing on your computer. Sources: https://blogs.mcafee.com/consumer/drive-by-download https://support.evvnt.com/hc/en-us/article_attachments/200859568/browsers.jpg
  4. Crypt32.dll is the module that implements many of the Certificate and Cryptographic Messaging functions in the CryptoAPI, such as CryptSignMessage. https://msdn.microsoft.com/en-us/library/windows/desktop/aa379884%28v=vs.85%29.aspx
  5. • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.