
Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.


Wednesday, August 12, 2015

New Crypto 3.0 sample

Posted on Wednesday, August 12, 2015 by Unknown
On August 11, 2015, one of our systems captured a new sample belonging to the CryptoWall 3 family (also detected as Crowti).

Using ThreatSecure Network's behavioral determination, we were able to confirm the maliciousness of this sample, as it exhibited the following notable behaviors:

"Runs an exe in the system folder"
"Creates a hidden file"
"Known malicious behavior, Crowti related"
"Opens Windows configuration files"
"Searches for credentials"
"Executes non-standard memory operations"
"Creates a registry entry to start itself at each boot"
"Disables or removes Windows services"
"Checks for kernel debugger"

CryptoWall is a well-known ransomware family that encrypts files on the infected PC and then demands payment in exchange for decrypting the "hostaged" files. The ransom note is dropped alongside the encrypted files (see Fig 1).

Fig 1. HELP_DECRYPT.PNG


One of the most noticeable features of this sample is its icon, which is technically nothing: the executable shows up with a blank, "invisible" icon in Explorer (see Fig 2).

Fig 2. Notice the "invisible" icon?


The sample also beacons out. It first queries public external-IP lookup services (the first three hosts below are legitimate "what is my IP" services, which the malware uses to learn the victim's public address), and then contacts the remaining hosts, attempting to download further content and to POST data gathered from the victim's PC:

ip-addr.es
myexternalip.com/raw
curlmyip.com
glamazona.com
fortecegypt.com

When turning these into detections, block or alert on the last two hosts; treat the external-IP lookups as a supporting indicator only, since legitimate software uses the same services.
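The beacon pattern above lends itself to a simple proxy-log correlation: a client that queries one of the external-IP services and shortly afterwards POSTs to one of the listed hosts. The script below is an added example, not code from the original post or from the ThreatSecure product; the log lines and their field layout (timestamp, client IP, method, URL) are constructed for the example, and the ten-minute window and the host lists are assumptions taken from the list above.

```python
"""Correlate proxy-log lines for the CryptoWall 3 beacon pattern.

Added example (not from the original post). The log format below is an
assumption: "<ISO timestamp> <client IP> <method> <URL>", one request per line.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts from the post. The first three are public "what is my IP" services
# (benign on their own); the last two are the hosts the sample POSTs to.
IP_LOOKUP_HOSTS = {"ip-addr.es", "myexternalip.com", "curlmyip.com"}
C2_HOSTS = {"glamazona.com", "fortecegypt.com"}

# Constructed sample log: one infected client (10.0.0.7) showing the full
# pattern, one client that only did an IP lookup (benign), and one client
# that POSTs to a C2 host without a preceding lookup.
SAMPLE_LOG = """\
2015-08-11T10:00:01 10.0.0.5 GET http://www.example.com/
2015-08-11T10:02:10 10.0.0.7 GET http://myexternalip.com/raw
2015-08-11T10:02:14 10.0.0.7 POST http://glamazona.com/
2015-08-11T10:05:00 10.0.0.9 GET http://curlmyip.com/
2015-08-11T11:30:00 10.0.0.9 GET http://www.example.com/news
2015-08-11T12:00:00 10.0.0.3 POST http://fortecegypt.com/
"""


def classify_host(host):
    """Label a hostname as 'c2', 'ip-lookup' or 'other'."""
    if host in C2_HOSTS:
        return "c2"
    if host in IP_LOOKUP_HOSTS:
        return "ip-lookup"
    return "other"


def parse_line(line):
    """Split one log line into (timestamp, client, METHOD, hostname)."""
    ts, client, method, url = line.split(maxsplit=3)
    host = urlparse(url).hostname or ""
    return datetime.fromisoformat(ts), client, method.upper(), host


def find_beacons(log_text, window=timedelta(minutes=10)):
    """Return a list of findings, one dict per suspicious client event.

    kind == "lookup_then_post": IP lookup followed within `window` by a POST
        to a C2 host from the same client (strongest signal).
    kind == "c2_post": POST to a C2 host with no recent lookup (still worth
        an alert; the lookup may have gone via another path).
    IP lookups on their own are never reported.
    """
    last_lookup = {}  # client -> (timestamp, lookup host)
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, method, host = parse_line(raw)
        kind = classify_host(host)
        if kind == "ip-lookup":
            last_lookup[client] = (ts, host)
        elif kind == "c2" and method == "POST":
            prev = last_lookup.get(client)
            if prev and ts - prev[0] <= window:
                findings.append({
                    "client": client,
                    "kind": "lookup_then_post",
                    "lookup_host": prev[1],
                    "c2_host": host,
                    "seconds": int((ts - prev[0]).total_seconds()),
                })
            else:
                findings.append({
                    "client": client,
                    "kind": "c2_post",
                    "lookup_host": None,
                    "c2_host": host,
                    "seconds": None,
                })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

The window keeps the lookup as a supporting indicator rather than an alert on its own, which is what you want given how many legitimate tools call the same services; only the POST to a listed host triggers a finding.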


Copyright © Anti-Malware Laboratory | Powered by Blogger