Notes
  • Came through yesterday afternoon
  • Two iterations of this message came through, both similar in nature.
  • Final payload was CryptoWall 3.0 as a .scr file
  • Interesting route to deliver the final payload, as the sender (Yahoo) and attachment were fairly benign, but this method required a lot of work from the end user (continuously clicking through the nested attachments)
PCAP and Malware
Message Details

Sender: nikolosharp@yahoo.com
Subject: RE:resume
Email Body:

Hello my name is Ella Lola My resume attached  
I look forward to seeing you

Best regards

Ella Lola  

Screenshot:

Infection Chain

Email arrives -> User opens attached resume1630.zip -> resume1630.zip drops resume1630.html -> resume1630.html leads to Google Drive download of resume.zip -> resume.zip drops my_resume_pdf_id-4523-4557-293.scr which when opened kicks off CryptoWall 3.0 infection
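The chain above hides a Windows executable (.scr is a screensaver, i.e. a PE file) behind two archives and an HTML hop. The following triage script is an added example, not part of the original post: it inspects the member names of a zip attachment and flags executable extensions, document-looking names on executables, and stager files such as .html inside an archive. The two sample archives are constructed in memory with placeholder content that mirrors the file names in the chain; the extension and token lists are assumptions chosen for illustration.

```python
import io
import zipfile

# Extensions Windows will execute directly (.scr is a PE, not a picture or document).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".hta"}
# Not executable on their own, but commonly used as a hop to a download.
STAGER_EXTS = {".html", ".htm", ".lnk", ".url"}
# Document-looking tokens that lures embed in an executable's file name.
DECOY_TOKENS = ("pdf", "doc", "docx", "xls", "resume", "cv", "invoice")


def classify_member(name: str) -> list[str]:
    """Return the reasons a zip member name looks suspicious (empty list if none)."""
    lower = name.lower().rsplit("/", 1)[-1]  # strip any directory part
    stem, dot, ext = lower.rpartition(".")
    ext = "." + ext if dot else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if any(tok in stem for tok in DECOY_TOKENS):
            reasons.append("document-looking name on an executable")
        if lower.count(".") > 1:
            reasons.append("double extension")
    elif ext in STAGER_EXTS:
        reasons.append(f"stager extension {ext} inside an archive")
    return reasons


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map every file member of the archive to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings[info.filename] = classify_member(info.filename)
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory zip with placeholder content (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples that mirror the two archives in the chain above.
STAGE1 = build_sample({"resume1630.html": b"<html><!-- placeholder --></html>"})
STAGE2 = build_sample({"my_resume_pdf_id-4523-4557-293.scr": b"MZ placeholder"})

if __name__ == "__main__":
    for label, blob in (("resume1630.zip", STAGE1), ("resume.zip", STAGE2)):
        for member, reasons in triage_zip(blob).items():
            print(f"{label}: {member}: {'; '.join(reasons) or 'nothing notable'}")
```

Both stages trip the checks: the first archive carries only an HTML stager, the second an executable whose name advertises a PDF. A mail gateway rule that quarantines archives on either finding would have stopped this sample before any user interaction.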

Redirection Chain

resume1630.html contains a redirection to hxxp://licituj.me:

hxxp://licituj.me leads to the final Google Drive download location:

Once the file my_resume_pdf_id-4523-4557-293.scr is opened, the CryptoWall 3.0 traffic begins:

2015-07-01 20:08:40 UTC - 188.165.164.184 - ip-addr.es - GET /
2015-07-01 20:08:40 UTC - 173.254.28.82 - myhalal.info - POST /wp-content/plugins/e4.php?b=t3mgcc2p6c
2015-07-01 20:08:43 UTC - 173.254.28.82 - myhalal.info - POST /wp-content/plugins/e4.php?x=i4r7i8q1msa88
2015-07-01 20:08:48 UTC - 173.254.28.82 - myhalal.info - POST /wp-content/plugins/e4.php?g=6znm59xj2s2lcr2
2015-07-01 20:09:04 UTC - 173.254.28.82 - myhalal.info - POST /wp-content/plugins/e4.php?t=n330x1ncto963j
2015-07-01 20:09:04 UTC - 162.255.119.254 - mcigbonline.com - POST /wp-includes/js/tinymce/themes/advanced/skins/highcontrast/e4.php?g=n330x1ncto963j
2015-07-01 20:09:04 UTC - 184.175.186.12 - www.mcig.com - GET /
2015-07-01 20:09:05 UTC - 50.57.96.142 - springflingevent.ca - POST /cmsAdmin/3rdParty/tiny_mce/plugins/e2.php?n=n330x1ncto963j
2015-07-01 20:14:30 UTC - 95.163.121.228 - 6i3cb6owitcouepv.paybalanceto.com - GET /14zUfcQ
<-continued traffic from 95.163.121.228 downloading CryptoWall 3.0 assets->
2015-07-01 20:14:33 UTC - 95.163.121.228 - 6i3cb6owitcouepv.paybalanceto.com - GET /picture.php?k=14zufcq&17f95dfda101dffa678b15ae66e16ff3
<-continued traffic from 95.163.121.228 downloading CryptoWall 3.0 assets->

Ransomware Payment Domains:

hxxp://6i3cb6owitcouepv.paybalanceto.com/14zUfcQ
hxxp://6i3cb6owitcouepv.paybrakepoint.com/14zUfcQ
hxxp://6i3cb6owitcouepv.paytostopigil.com/14zUfcQ
hxxp://6i3cb6owitcouepv.paytodoublemoney.com/14zUfcQ

IDS alerts using the Emerging Threats Pro Ruleset

2015-07-01 - 20:08:40 UTC - 10.10.10.104:49189 -> 188.165.164.184:80 - ET POLICY Possible IP Check ip-addr.es
2015-07-01 - 20:08:43 UTC - 10.10.10.104:49190 -> 173.254.28.82:80 - ET TROJAN CryptoWall Check-in
2015-07-01 - 20:08:47 UTC - 10.10.10.104:49191 -> 173.254.28.82:80 - ET TROJAN CryptoWall Check-in
2015-07-01 - 20:08:52 UTC - 10.10.10.104:49192 -> 173.254.28.82:80 - ET TROJAN CryptoWall Check-in
2015-07-01 - 20:09:04 UTC - 10.10.10.104:49196 -> 184.175.186.12:80 - ET TROJAN Zeus Bot Request to CnC
2015-07-01 - 20:09:04 UTC - 10.10.10.104:49194 -> 173.254.28.82:80 - ET TROJAN CryptoWall Check-in
2015-07-01 - 20:09:04 UTC - 10.10.10.104:49195 -> 162.255.119.254:80 - ET TROJAN CryptoWall Check-in
2015-07-01 - 20:09:07 UTC - 10.10.10.104:49197 -> 50.57.96.142:80 - ET TROJAN CryptoWall Check-in
2015-07-01 - 20:14:29 UTC - 10.10.10.104:63276 -> 10.10.10.1:53 - ETPRO TROJAN CryptoLocker .onion Proxy Domain (6i3cb6owitcouepv)
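To turn the two listings above (the HTTP traffic and the Emerging Threats alerts) into something reusable, the script below is an added example rather than anything from the original post. It parses both line formats, pulls out defanged indicators, applies a heuristic for the check-in shape seen against the compromised WordPress hosts (POST to a short PHP script with a single one-letter query key; this heuristic is an assumption, not an ET rule), recognises the 16-character base32 subdomain label that is the form of a Tor hidden-service name fronted by a clearnet domain, and correlates each IDS alert with the HTTP requests to the same destination within a few seconds. The embedded log text is a constructed subset of the lines shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed copies of a few lines in the formats shown above (not a full capture).
HTTP_LOG = """\
2015-07-01 20:08:40 UTC - 188.165.164.184 - ip-addr.es - GET /
2015-07-01 20:08:40 UTC - 173.254.28.82 - myhalal.info - POST /wp-content/plugins/e4.php?b=t3mgcc2p6c
2015-07-01 20:08:43 UTC - 173.254.28.82 - myhalal.info - POST /wp-content/plugins/e4.php?x=i4r7i8q1msa88
2015-07-01 20:09:05 UTC - 50.57.96.142 - springflingevent.ca - POST /cmsAdmin/3rdParty/tiny_mce/plugins/e2.php?n=n330x1ncto963j
2015-07-01 20:14:30 UTC - 95.163.121.228 - 6i3cb6owitcouepv.paybalanceto.com - GET /14zUfcQ
"""
IDS_LOG = """\
2015-07-01 - 20:08:40 UTC - 10.10.10.104:49189 -> 188.165.164.184:80 - ET POLICY Possible IP Check ip-addr.es
2015-07-01 - 20:08:43 UTC - 10.10.10.104:49190 -> 173.254.28.82:80 - ET TROJAN CryptoWall Check-in
2015-07-01 - 20:09:07 UTC - 10.10.10.104:49197 -> 50.57.96.142:80 - ET TROJAN CryptoWall Check-in
"""

HTTP_RE = re.compile(r"^(\S+ \S+) UTC - (\S+) - (\S+) - (GET|POST) (\S+)$")
IDS_RE = re.compile(r"^(\S+) - (\S+) UTC - (\S+):(\d+) -> (\S+):(\d+) - (.+)$")
# Heuristic (an assumption, not an ET rule): POST to a letter-digit PHP script
# carrying exactly one single-letter query key with an alphanumeric value.
CHECKIN_RE = re.compile(r"/[a-z]\d\.php\?[a-z]=[a-z0-9]+$")
# 16 base32 characters: the shape of a Tor v2 hidden-service name used as a subdomain label.
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$")


def parse_http(text):
    """Parse 'date time UTC - ip - host - METHOD uri' lines into dicts."""
    rows = []
    for line in text.splitlines():
        m = HTTP_RE.match(line.strip())
        if not m:
            continue  # skips blank lines and the '<-continued traffic->' notes
        ts, ip, host, method, uri = m.groups()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "ip": ip, "host": host, "method": method, "uri": uri})
    return rows


def parse_ids(text):
    """Parse 'date - time UTC - src:port -> dst:port - signature' lines into dicts."""
    rows = []
    for line in text.splitlines():
        m = IDS_RE.match(line.strip())
        if not m:
            continue
        day, clock, src, sport, dst, dport, sig = m.groups()
        rows.append({"ts": datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"),
                     "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "sig": sig})
    return rows


def is_checkin(row):
    """True when a request has the check-in shape seen against the compromised WordPress hosts."""
    return row["method"] == "POST" and CHECKIN_RE.search(row["uri"]) is not None


def onion_label(host):
    """Return the leading label if it looks like a hidden-service name fronted by a clearnet domain."""
    labels = host.split(".")
    if len(labels) >= 3 and ONION_LABEL_RE.match(labels[0]):
        return labels[0]
    return None


def extract_iocs(rows):
    """Collect defanged network indicators from parsed HTTP rows."""
    return {
        "ips": sorted({r["ip"] for r in rows}),
        "domains": sorted({r["host"] for r in rows}),
        "urls": sorted({f"hxxp://{r['host']}{r['uri']}" for r in rows}),
        "checkin_hosts": sorted({r["host"] for r in rows if is_checkin(r)}),
        "onion_labels": sorted({lab for r in rows if (lab := onion_label(r["host"]))}),
    }


def correlate(http_rows, ids_rows, window_seconds=5):
    """Attach to each IDS alert the HTTP requests to the same destination IP within the window."""
    window = timedelta(seconds=window_seconds)
    out = []
    for alert in ids_rows:
        hits = [r["uri"] for r in http_rows
                if r["ip"] == alert["dst"] and abs(r["ts"] - alert["ts"]) <= window]
        out.append({"sig": alert["sig"], "dst": alert["dst"], "requests": hits})
    return out


if __name__ == "__main__":
    http = parse_http(HTTP_LOG)
    for key, values in extract_iocs(http).items():
        print(key, values)
    for item in correlate(http, parse_ids(IDS_LOG)):
        print(item["sig"], "->", item["dst"], item["requests"] or "(no matching request)")
```

The correlation step is what makes the alert list actionable: each "CryptoWall Check-in" signature lands on the exact POST that triggered it, and the `onion_labels` output gives a single short string that can be watched in DNS logs regardless of which payment domain the sample rotates through.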

Attachment and Preliminary Malware Analysis

Main Attachment - resume1630.zip

Unzipped from Main Attachment - resume1630.html

Downloaded from resume1630.html - resume.zip

CryptoWall 3.0 Main Payload - my_resume_pdf_id-4523-4557-293.scr


If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.