Notes:
  • This is an example of a wave of malicious emails that included an attached .zip file containing a JavaScript file that downloads CryptoWall 3.0 and Pony/Fareit
  • I have not seen a lot of JavaScript-only attachments (usually VBS or Macros), but apparently one motive for it is email filter evasion (due to file size & obfuscation)
  • This sample comes from /u/ZeldaAddict over on Reddit, thanks!
  • I am working to provide samples of everything (pcap, malware) for each post... more to come
Email Contents
  • The email poses as a job applicant sending a resume, with a .zip file attached.
  • The email body is below:

My name is Stacy Callahan, attached is my resume. I look forward from hearing back from you.

Thank you,

Stacy

  • The .zip file contained a JavaScript file that made the HTTP requests which retrieved CryptoWall 3.0 and Pony/Fareit:
  • The malware is downloaded when the user opens the .zip and then extracts and runs the JavaScript
  • A full copy of the JavaScript file (obfuscated) is available for review here: https://gist.github.com/malwareforme/adad23f5132c2207bfdf
Initial Infection Traffic
  • 2015-03-25 19:54:07 UTC - 217.73.82.187 - dorttlokolrt.com - GET /images/one.jpg
  • 2015-03-25 19:54:09 UTC - 217.73.82.187 - dorttlokolrt.com - GET /images/two.jpg
  • Example of the .jpg request and the MZ header in the response (the "image" is actually a Windows executable):
Post-Infection Traffic
  • 2015-03-25 19:54:11 UTC - 188.165.164.184 - ip-addr.es - GET /
  • 2015-03-25 19:54:12 UTC - 103.18.4.191 - pianogiare.com - POST /img1.php?f=zma7xcwuhouq
  • 2015-03-25 19:54:13 UTC - 112.78.7.162 - ocvitcamap.com - POST /administrator/lib/cheapoakley.php
  • 2015-03-25 19:54:19 UTC - 112.78.7.162 - ocvitcamap.com - POST /administrator/lib/cheapoakley.php
  • 2015-03-25 19:54:26 UTC - 112.78.7.162 - ocvitcamap.com - POST /administrator/lib/cheapoakley.php
  • 2015-03-25 19:54:26 UTC - 174.37.164.215 - spark-leds.com - POST /upload/images/images.php
  • 2015-03-25 19:54:34 UTC - 174.37.164.215 - spark-leds.com - POST /upload/images/images.php
  • 2015-03-25 19:54:34 UTC - 103.18.4.191 - pianogiare.com - POST /img1.php?y=fgzew7hszm
  • 2015-03-25 19:54:40 UTC - 174.37.164.215 - spark-leds.com - POST /upload/images/images.php
  • 2015-03-25 19:54:41 UTC - 174.37.164.215 - sapacmold.com - POST /img/t/t.php
  • 2015-03-25 19:54:50 UTC - 174.37.164.215 - sapacmold.com - POST /img/t/t.php
  • 2015-03-25 19:54:53 UTC - 174.37.164.215 - sapacmold.com - POST /img/t/t.php
  • 2015-03-25 19:55:01 UTC - 66.7.218.220 - www.ubikate.mx - POST /wp-includes/images/images.php
  • 2015-03-25 19:55:01 UTC - 103.18.4.191 - pianogiare.com - POST /img1.php?v=ielav09esjr
  • 2015-03-25 19:55:06 UTC - 66.7.218.220 - www.ubikate.mx - POST /wp-includes/images/images.php
  • 2015-03-25 19:55:12 UTC - 66.7.218.220 - www.ubikate.mx - POST /wp-includes/images/images.php
  • 2015-03-25 19:55:13 UTC - 195.242.99.145 - www.ebouw.nl - POST /wp-includes/pomo/pomo.php
  • 2015-03-25 19:55:20 UTC - 195.242.99.145 - www.ebouw.nl - POST /wp-includes/pomo/pomo.php
  • 2015-03-25 19:55:26 UTC - 195.242.99.145 - www.ebouw.nl - POST /wp-includes/pomo/pomo.php
  • 2015-03-25 19:55:27 UTC - 94.124.120.61 - www.getserved.nl - POST /wp-content/themes/themes.php
  • 2015-03-25 19:55:30 UTC - 103.18.4.191 - pianogiare.com - POST /img1.php?g=32jykw7vr67u4p
  • 2015-03-25 19:55:33 UTC - 94.124.120.61 - www.getserved.nl - POST /wp-content/themes/themes.php
  • 2015-03-25 19:55:39 UTC - 94.124.120.61 - www.getserved.nl - POST /wp-content/themes/themes.php
  • 2015-03-25 19:55:40 UTC - 84.241.182.218 - www.multiposting.nl - POST /wp-includes/theme-compat/ips_kernel.php
  • 2015-03-25 19:55:49 UTC - 84.241.182.218 - www.multiposting.nl - POST /wp-includes/theme-compat/ips_kernel.php
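The traffic above offers two defender-side hooks: image URLs whose response starts with an MZ header, and repeated POSTs to .php paths on compromised sites, including the single-letter-parameter check-in to pianogiare.com. The following Python is an added example (not from the original post) that applies both checks to log lines copied from this page; the PE response body is a constructed stand-in, and the regexes and thresholds are my assumptions.

```python
"""Triage checks for the HTTP log above (added example, not from the post).
Log lines are copied from this page; the PE body is a constructed stand-in."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - (?P<ip>[\d.]+) - ?"
    r"(?P<host>\S+) - (?P<method>GET|POST) (?P<path>\S+)$")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
# Single-letter query key with a random token, e.g. /img1.php?f=zma7xcwuhouq
CHECKIN_RE = re.compile(r"\.php\?[a-z]=[a-z0-9]{8,}$")

SAMPLE_LOG = [
    "2015-03-25 19:54:07 UTC - 217.73.82.187 - dorttlokolrt.com - GET /images/one.jpg",
    "2015-03-25 19:54:12 UTC - 103.18.4.191 - pianogiare.com - POST /img1.php?f=zma7xcwuhouq",
    "2015-03-25 19:54:13 UTC - 112.78.7.162 - ocvitcamap.com - POST /administrator/lib/cheapoakley.php",
    "2015-03-25 19:54:19 UTC - 112.78.7.162 - ocvitcamap.com - POST /administrator/lib/cheapoakley.php",
    "2015-03-25 19:54:26 UTC - 112.78.7.162 - ocvitcamap.com - POST /administrator/lib/cheapoakley.php",
    "2015-03-25 19:54:26 UTC - 174.37.164.215 - spark-leds.com - POST /upload/images/images.php",
]
# Constructed stand-in for the one.jpg response: a DOS/PE header, not image bytes.
CONSTRUCTED_PE_BODY = b"MZ\x90\x00" + b"\x00" * 60

def parse_line(line):
    """Split one 'timestamp - ip - host - METHOD path' line into fields."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def disguised_exe(entry, body):
    """True when a URL that claims an image returned a file starting with
    the two-byte 'MZ' DOS header, i.e. a Windows executable."""
    return entry["path"].lower().endswith(IMAGE_EXT) and body[:2] == b"MZ"

def flag_posts(entries, min_repeats=3):
    """Return (host, path) pairs for .php POST endpoints hit repeatedly
    (beacon-like Pony check-ins) or matching the CryptoWall check-in shape."""
    posts = [(e["host"], e["path"]) for e in entries if e["method"] == "POST"]
    counts = Counter((h, p.split("?")[0]) for h, p in posts)
    flagged = {hp for hp, n in counts.items() if n >= min_repeats}
    flagged |= {(h, p.split("?")[0]) for h, p in posts if CHECKIN_RE.search(p)}
    return sorted(flagged)

def triage():
    """Run both checks over the sample lines and return the findings."""
    entries = [e for e in map(parse_line, SAMPLE_LOG) if e]
    exes = [e["path"] for e in entries if e["method"] == "GET"
            and disguised_exe(e, CONSTRUCTED_PE_BODY)]
    return {"disguised_executables": exes, "suspicious_posts": flag_posts(entries)}

if __name__ == "__main__":
    print(triage())
```

On the full log above the repeat threshold would also catch the three-POST bursts to each of the other compromised WordPress hosts, while the single-letter check-in pattern isolates pianogiare.com.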
IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7

2015-03-25 19:54:12 UTC - 192.168.120.167:49536 -> 103.18.4.191:80 - ET TROJAN CryptoWall Check-in
2015-03-25 19:54:13 UTC - 192.168.120.167:49537 -> 112.78.7.162:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:54:19 UTC - 192.168.120.167:49538 -> 112.78.7.162:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:54:26 UTC - 192.168.120.167:49539 -> 112.78.7.162:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:54:27 UTC - 192.168.120.167:49540 -> 174.37.164.215:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:54:34 UTC - 192.168.120.167:49541 -> 174.37.164.215:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:54:34 UTC - 192.168.120.167:49542 -> 103.18.4.191:80 - ET TROJAN CryptoWall Check-in
2015-03-25 19:54:40 UTC - 192.168.120.167:49543 -> 174.37.164.215:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:54:41 UTC - 192.168.120.167:49544 -> 174.37.164.215:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:54:50 UTC - 192.168.120.167:49545 -> 174.37.164.215:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:54:59 UTC - 192.168.120.167:49546 -> 174.37.164.215:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:01 UTC - 192.168.120.167:49548 -> 66.7.218.220:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:01 UTC - 192.168.120.167:49547 -> 103.18.4.191:80 - ET TROJAN CryptoWall Check-in
2015-03-25 19:55:06 UTC - 192.168.120.167:49549 -> 66.7.218.220:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:12 UTC - 192.168.120.167:49550 -> 66.7.218.220:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:13 UTC - 192.168.120.167:49551 -> 195.242.99.145:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:20 UTC - 192.168.120.167:49552 -> 195.242.99.145:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:26 UTC - 192.168.120.167:49553 -> 195.242.99.145:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:27 UTC - 192.168.120.167:49554 -> 94.124.120.61:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:30 UTC - 192.168.120.167:49555 -> 103.18.4.191:80 - ET TROJAN CryptoWall Check-in
2015-03-25 19:55:33 UTC - 192.168.120.167:49556 -> 94.124.120.61:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:39 UTC - 192.168.120.167:49557 -> 94.124.120.61:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:40 UTC - 192.168.120.167:49558 -> 84.241.182.218:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-03-25 19:55:49 UTC - 192.168.120.167:49559 -> 84.241.182.218:80 - ET TROJAN Fareit/Pony Downloader Checkin 2

Preliminary Malware Analysis

Resume Stacy Callahan.js

CryptoWall 3.0

Pony/Fareit

CryptoWall 3.0 help page / decrypt service

The Bitcoin wallet at this address is empty: https://blockchain.info/address/1BNAXafMBCj7EvTWWu5xdgXY7HcZt8mdDj

More info here: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptowall-3-0-ransomware-partners-with-fareit-spyware/

For a copy of the PCAPs or Malware in the meantime, please email me at jack@malwarefor.me
If you have any feedback or questions please email me at jack@malwarefor.me
Additionally, you can reach out on Twitter or follow for updates