All posts by fizaine.rsi

Crypto Locker IOCs

Quick Description

Malware using elliptic curve cryptography, the Tor network and Bitcoin.

It first appeared in January 2015 and is still present on the net.

Infection process

The user receives an email with an attachment in .zip or .cab format. The archive contains a file with a .src extension: the dropper.

When executed, it extracts a file with a .rtf extension and a random file name. When that file is opened, it shows Terms & Conditions of Use, which is of course a decoy. Meanwhile the .src file downloads the malware and executes its payload, completing the infection.

Symptoms

All of the user's files are encrypted.

IOCs

Installed file:
  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fzjujkn.exe
  • 7-character random file names
Administration domains and IPs:
  • maisondessources.com (213.186.33.19)
  • pleiade.asso.fr (213.186.33.19)
  • scolapedia.org (213.186.33.19)
  • breteau-photographe.com (213.186.33.150)
  • voigt-its.de (188.93.8.7)
  • jbmsystem.fr (213.186.33.3)
Attachment:
  • malformed.zip
  • plenitude.zip
  • inquires.zip
  • simoniac.zip
  • faltboat.zip
  • incurably.zip
  • payloads.zip
  • dessiatine.zip
Payload download URLs:
  • http://agatecom.fr/voeux/doom.tar.gz
  • http://aspiroflash.fr/cai/abc.tar.gz
  • http://baselineproduction.fr/Modules/doom.tar.gz
  • http://bikeceuta.com/templates/nero.tar.gz
  • http://breteau-photographe.com/tmp/pack.tar.gz
  • http://cargol.cat/IESABP/nero.tar.gz
  • http://cds-chartreuse.fr/locales/sancho.tar.gz
  • http://cognacbrown.co.uk/ChromeSetup.exe
  • http://collection-opus.fr/_gfx/cario.tar.gz
  • http://compassfx.com/OLD/cario.tar.gz
  • http://dariocasati.it/logs/dostanes_do_drzky.tar.gz
  • http://dequinnzangersborne.nl/language/upupup.tar.gz
  • http://dieideenwerkstatt.at/css/abc.tar.gz
  • http://evalero.com/img/cario.tar.gz
  • http://fbrugues.com/language/hiser.tar.gz
  • http://firststepbahamas.com/PDF/abc.tar.gz
  • http://fotocb.de/php/upupup.tar.gz
  • http://funnydeando.com/pdthm0/moon1.exe
  • http://hotel-mas-saint-joseph.com/css/pack.tar.gz
  • http://Icedjungle.com/pdthm0/dan2.exe
  • http://integritysites.net/files/nero.tar.gz
  • http://jbmsystem.fr/jb/pack.tar.gz
  • http://joefel.com/easyscripts/sancho.tar.gz
  • http://krzysztofkarpinski.pl/log/hiser.tar.gz
  • http://locamat-antilles.com/memo/sancho.tar.gz
  • http://maisondessources.com/assets/pack.tar.gz
  • http://m-a-metare.fr/media/sancho.tar.gz
  • http://masterbranditalia.com/downloader/cario.tar.gz
  • http://microneedle.com/menu_files/pack.tar.gz
  • http://mmadolec.ipower.com/me/cario.tar.gz
  • http://n23.fr/asstempo/doom.tar.gz
  • http://necaps.org/pagestyles/mine.tar.gz
  • http://ohayons.com/dostanes_do_drzky.tar.gz
  • http://ourtrainingacademy.com/LeadingRE/sancho.tar.gz
  • http://peche-sportive-martinique.com/wp-includes/pack.tar.gz
  • http://pinballpassion.fr/images/mine.tar.gz
  • http://pleiade.asso.fr/piwigotest/pack.tar.gz
  • http://ppc.cba.pl/cache/nero.tar.gz
  • http://prevencionprl.com/im/hiser.tar.gz
  • http://pubbliemme.com/plugins/doom.tar.gz
  • http://scolapedia.org/histoiredesarts/pack.tar.gz
  • http://shop-oye.it/XXXinstallXXX/abc.tar.gz
  • http://siestahealthtrack.com/media/pack.tar.gz
  • http://smartoptionsinc.com/data-test/nero.tar.gz
  • http://sp107.home.pl/logs/dostanes_do_drzky.tar.gz
  • http://springtree.cba.pl/modules/cario.tar.gz
  • http://stevenblood.com/ChromeSetup.exe
  • http://stmarys-andover.org.uk/audio_files/upupup.tar.gz
  • http://telasramacrisna.com.br/ramacrisna/mine.tar.gz
  • http://telasramacrisna.com.br/site/lightbox/hiser.tar.gz
  • http://thelastxmas.com/ChromeSetup.exe
  • http://thehollow.co/ChromeSetup.exe
  • http://thinkonthis.net/style/dostanes_do_drzky.tar.gz
  • http://thomasottogalli.com/webtest/sancho.tar.gz
  • http://voigt-its.de/fit/pack.tar.gz
  • http://wcicinc.org/flv/dostanes_do_drzky.tar.gz
  • http://wireandwoods.ru/pdthm0/042.exe
  • http://www.baddadclub.com/ChromeSetup.exe
  • http://www.cpeconsultores.com/tmp/pack.tar.gz
  • http://www.geordie.land/ChromeSetup.exe
  • http://www.goodtobeloved.com/ChromeSetup.exe
  • http://www.lamas.si/picture_library/upupup.tar.gz
  • http://www.sazlar.de/sazlar/mine.tar.gz
  • http://www.thelatxma.com/ChromeSetup.exe
  • http://wymiana-wsb.cba.pl/pp/abc.tar.gz
  • http://zysztofkarpinski.pl/log/hiser.tar.gz
Downloaded file extensions:
  • exe
  • src
  • bat
  • pif
  • cmd
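As an added example (not part of the original post), the Python script below parses a subset of the indicators listed above and checks proxy log lines against them: the requested host, the upstream IP, the full URL, and the recurring payload file names (the *.tar.gz names and ChromeSetup.exe). The log lines are constructed for illustration in Squid's native access.log layout; the indicator subset is copied from the lists above.

```python
"""Match the CTB-Locker indicators listed in this post against proxy log lines."""
import re
from urllib.parse import urlparse

# Subset of the indicators from the post above (domain (IP) lines and payload URLs).
IOC_TEXT = """
Administration domains and IPs:
  • maisondessources.com (213.186.33.19)
  • pleiade.asso.fr (213.186.33.19)
  • voigt-its.de (188.93.8.7)
Payload download URLs:
  • http://agatecom.fr/voeux/doom.tar.gz
  • http://cognacbrown.co.uk/ChromeSetup.exe
  • http://maisondessources.com/assets/pack.tar.gz
"""

# Payload file names that recur in the URL list above.
PAYLOAD_NAME = re.compile(
    r"/(?:doom|pack|nero|cario|sancho|abc|hiser|mine|upupup|dostanes_do_drzky)\.tar\.gz$"
    r"|/ChromeSetup\.exe$"
)

# Constructed Squid-style access.log lines (not real traffic):
# ts elapsed client code/status bytes method url ident hierarchy/peer type
LOG_LINES = [
    "1423567890.123 345 10.0.0.5 TCP_MISS/200 51234 GET http://maisondessources.com/assets/pack.tar.gz - HIER_DIRECT/213.186.33.19 application/x-gzip",
    "1423567891.456 12 10.0.0.7 TCP_MISS/200 8123 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1423567892.789 88 10.0.0.9 TCP_MISS/404 512 GET http://pleiade.asso.fr/robots.txt - HIER_DIRECT/213.186.33.19 text/html",
    "1423567893.001 40 10.0.0.11 TCP_MISS/200 20000 GET http://unknown-host.test/css/pack.tar.gz - HIER_DIRECT/198.51.100.9 application/x-gzip",
]


def parse_iocs(text):
    """Return (domains, ips, urls) extracted from the free-text indicator list."""
    domains, ips, urls = set(), set(), set()
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        if not line or line.endswith(":"):      # blank line or section heading
            continue
        if line.startswith(("http://", "https://")):
            urls.add(line)
            domains.add(urlparse(line).hostname.lower())
            continue
        m = re.match(r"^([\w.-]+)\s*\(([\d.]+)\)$", line)   # "domain (ip)"
        if m:
            domains.add(m.group(1).lower())
            ips.add(m.group(2))
    return domains, ips, urls


def scan_line(line, domains, ips, urls):
    """Return a hit record for one log line, or None if nothing matches."""
    fields = line.split()
    if len(fields) < 9:
        return None
    client, url = fields[2], fields[6]
    peer_ip = fields[8].split("/")[-1]          # "HIER_DIRECT/1.2.3.4" -> "1.2.3.4"
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if url in urls:
        reasons.append("url")
    if host in domains:
        reasons.append("domain")
    if peer_ip in ips:
        reasons.append("ip")
    if PAYLOAD_NAME.search(parsed.path):       # same file name on an unlisted host
        reasons.append("payload-name")
    return {"client": client, "url": url, "reasons": reasons} if reasons else None


def scan(lines, text=IOC_TEXT):
    """Scan log lines against the indicators and return the list of hits."""
    domains, ips, urls = parse_iocs(text)
    return [h for h in (scan_line(l, domains, ips, urls) for l in lines) if h]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
```

The fourth log line matches only on the payload file name: a host that is not in the list but serves a `pack.tar.gz` is worth a look, since the campaign reused the same handful of file names across many compromised sites.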

References

  • http://blog.cert.societegenerale.com/2015/02/ctb-locker-new-massive-crypto.html
  • http://www.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-forms-crypto-malware
  • http://www.symantec.com/connect/forums/new-article-ctb-locker-and-other-forms-crypto-malware-0
  • http://www.symantec.com/connect/forums/cbt-locker-ransomeware-ips-signature
  • http://community.norton.com/en/forums/ctb-locker
  • http://isc.sans.edu/diary/DalexisCTB-Locker+malspam+campaign/19641
  • http://malware.dontneedcoffee.com/2014/07/ctb-locker.html
  • https://www.circl.lu/pub/tr-33/
  • http://blogs.it.ox.ac.uk/oxcert/2015/02/06/ctb-locker-ransomware-campaign/
  • http://christophe.rieunier.name/securite/CTB-Locker/CTB-Locker_analysis_en.php

Sleuth Kit Help Page

Image Operations

  • img_stat: gives the type of the image and its size in bytes.
  • mmls: displays the partition table.
  • mmstat: gives information about the partition table.
Advice:

Use the option -t {dos, gpt,bad,mac} with mmls to specify the type of partition table.

Filesystem Operations

  • fsstat: provides filesystem information.
  • fls: lists the files in the filesystem.

Advice:

Use the option -f <fs_type> to specify the type of filesystem. The option -o <size_bytes> tells where the filesystem starts in the image.
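As an added example (not part of the original page), the script below parses the output of mmls to find where each filesystem starts, which is the value needed for the -o option. Sleuth Kit's mmls reports the Start column in sectors and fls -o takes that sector value, so the parser reports both the start sector and its byte equivalent (useful for tools that expect a byte offset). The mmls output is constructed for illustration, and the image name disk.dd is an assumption.

```python
"""Turn mmls output into the -o values needed by fls/fsstat."""
import re

# Constructed mmls output for a typical DOS partition table (not from a real image).
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0002097151   0001890304   Linux (0x83)
"""

ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_mmls(text):
    """Return (sector_size, partitions) parsed from mmls output."""
    sector_size = 512
    m = re.search(r"Units are in (\d+)-byte sectors", text)
    if m:
        sector_size = int(m.group(1))
    partitions = []
    for line in text.splitlines():
        mm = ROW.match(line.strip())
        if not mm:
            continue                       # header lines, blank lines
        idx, slot, start, end, length, desc = mm.groups()
        partitions.append({
            "index": int(idx),
            "slot": slot,
            "start": int(start),            # sector offset: what fls -o expects
            "end": int(end),
            "length": int(length),
            "description": desc.strip(),
            "byte_offset": int(start) * sector_size,
            # Meta entries and unallocated gaps carry no filesystem to list
            "allocated": slot not in ("Meta", "-------"),
        })
    return sector_size, partitions


def fls_commands(image, text):
    """Build one fls invocation per allocated partition (fs type left to autodetection)."""
    _, partitions = parse_mmls(text)
    return [["fls", "-o", str(p["start"]), image]
            for p in partitions if p["allocated"]]


if __name__ == "__main__":
    sector_size, parts = parse_mmls(MMLS_OUTPUT)
    for p in parts:
        print(p["index"], p["description"], "start sector", p["start"],
              "byte offset", p["byte_offset"])
    for cmd in fls_commands("disk.dd", MMLS_OUTPUT):
        print(" ".join(cmd))
```

Running fsstat with the same -o value on each partition confirms the filesystem type before passing it explicitly with -f.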

Cheat Sheet on the Windows Registry

The present information should be valid for all Windows operating systems. Still, it must be confirmed for each version to point out differences.

List of registry keys:

  • SAM: Security Account Manager.
  • SECURITY: contains security information.
  • SOFTWARE: software configuration.
  • SYSTEM: system configuration.
  • HARDWARE: recreated at each boot; lists all hardware present.
  • DEFAULT: default system information.

Path of the system registry files: C:\Windows\System32\Config

Current user's data:

  • Registry key: HKEY_CURRENT_USER
  • Profile file: NTuser.dat

File system organisation:

The Windows registry is stored in registry files called hive files: a set of files containing the registry data.

The storage location of those files differs between versions. The location of each file is recorded in HKLM\SYSTEM\CurrentControlSet\Control\hivelist.

They are not directly readable by the user through the operating system.

Some of the present information could be out of date, depending on the version of the operating system. Feel free to send updates.

References

The information was extracted from:

  • http://technet.microsoft.com/en-us/library/cc939136.aspx
  • Wikipedia page: Windows Registry

Malware Page

Malware analysis system and services

A computer the size of a USB stick

For a cost of around a hundred euros, it is possible to acquire a computer the size of a USB stick, whose characteristics are listed below:

  • ARM Cortex-A8 processor at 800 MHz
  • 512 MB of DDR3 RAM
  • ARM TrustZone
  • Powered over USB (500 mA)
  • MicroSD slot

It can emulate any type of hardware. It is ideal hardware for testing various security projects, such as secure containers, or as a penetration-testing platform; a few ideas are already suggested on the vendor's site.

http://inversepath.com/usbarmory.html