Description

Only malware capture
In order to better analyze this mixed capture, we also executed the malware alone, without any user interaction. The capture can be found here.
Files
- .capinfos
- .dnstop
- .mitm
  - Mitm proxy interception file of http and https
- .passivedns
- .pcap
- .rrd
- .weblogng
- .exe.zip
- bro
  - Folder with all the bro output files
- .biargus
  - Argus binary file with all the flows
- .binetflow
  - Argus text file with bidirectional flows. Report time 3600 secs.
- Hivu files of registry snapshots
  - first-registry-shot-regshot.hivu
  - second-registry-shot-regshot.hivu
- Pcap files of traffic BEFORE the infection (this traffic is included in the large pcap file)
  - capture1-first-normal-traffic.pcap
- Weblogs of the traffic BEFORE the infection
  - capture1-first-normal-traffic.weblogng
- Differences in the registry before and after the infection
  - registry-difference-after-infection.txt
- Screenshots
IP Addresses
- Infected host: 10.0.2.15
- Default GW: 10.0.2.2
Timeline
We start with normal actions for some days and then we infect it.
Normal actions
Tue Sep 8 16:21:25 CEST 2015
Start windows
Tue Sep 8 16:25:00 CEST 2015
Accept some friends in facebook and skype
Tue Sep 8 16:27:00 CEST 2015
Update java
Tue Sep 8 16:30:36 CEST 2015
Java opened a web page after the update
Wed Sep 9 15:01:57 CEST 2015
Login to skype again
Wed Sep 9 15:03:25 CEST 2015
Login to gmail again
Wed Sep 9 15:04:21 CEST 2015
Login to facebook again. Use it a little bit
Wed Sep 9 15:06:27 CEST 2015
Google "important news"
Wed Sep 9 15:07:35 CEST 2015
Get into www.nbcnews.com/news/world
Wed Sep 9 16:53:04 CEST 2015
Log out of gmail
Wed Sep 9 17:03:45 CEST 2015
relogin to google mail
Wed Sep 9 17:05:30 CEST 2015
search for "radio online"
Wed Sep 9 17:06:51 CEST 2015
get into www.play.cz
Wed Sep 9 17:07:08 CEST 2015
I click on some buttons
Wed Sep 9 17:07:53 CEST 2015
I click on a specific radio
Wed Sep 9 17:11:34 CEST 2015
click on play on the radio
Wed Sep 9 17:18:07 CEST 2015
Get into facebook again
Wed Sep 9 17:19:48 CEST 2015
search for "twitter" on google
Wed Sep 9 17:20:04 CEST 2015
get into www.twitter.com
Wed Sep 9 17:20:31 CEST 2015
search for "https://twitter.com interesting people"
Wed Sep 9 17:20:55 CEST 2015
get into some twitter account
Wed Sep 9 17:23:05 CEST 2015???
Accessed sample.org
Wed Sep 9 17:28:23 CEST 2015
Accessed www.justforyou.com
Wed Sep 9 17:34:44 CEST 2015
Started a chat on skype
Wed Sep 9 17:35:16 CEST 2015
search for people on skype
Wed Sep 9 17:35:23 CEST 2015
add a contact to skype
Wed Sep 9 17:36:17 CEST 2015
chat on skype
Wed Sep 9 17:47:12 CEST 2015
finish chat on skype
Wed Sep 9 17:49:46 CEST 2015
accessed plus.google.com
Wed Sep 9 18:05:24 CEST 2015
accessed some pages from google.plus
Wed Sep 9 18:05:33 CEST 2015
opened Microsoft Office Word and started writing something
Wed Sep 9 18:13:07 CEST 2015
I save the office file in the Dropbox folder
Wed Sep 9 18:19:32 CEST 2015
Stopped the radio online web tab
Wed Sep 9 18:21:10 CEST 2015
I continue to edit the office file
Wed Sep 9 19:13:47 CEST 2015
Close Gmail session
Wed Sep 9 19:15:38 CEST 2015
Sign in with a different account
Wed Sep 9 19:27:31 CEST 2015
Sign out gmail
Wed Sep 9 19:28:32 CEST 2015
login gmail
Wed Sep 9 19:30:36 CEST 2015
Refresh bbc news
Wed Sep 9 19:32:54 CEST 2015
Bbc news science
Wed Sep 9 19:36:10 CEST 2015
Sign out
Wed Sep 9 19:39:10 CEST 2015
Close google chrome
Wed Sep 9 19:47:03 CEST 2015
Open google chrome
Wed Sep 9 19:47:40 CEST 2015
Go to gmail.com
Wed Sep 9 20:09:33 CEST 2015
Editing document
Wed Sep 9 20:16:08 CEST 2015
open google chrome
Wed Sep 9 20:39:19 CEST 2015
Search youtube
Wed Sep 9 20:51:56 CEST 2015
Browser suddenly closed
Wed Sep 9 20:56:40 CEST 2015
open browser
Wed Sep 9 20:59:14 CEST 2015
Google translate
Thu Sep 10 13:56:58 CEST 2015
access mail.google.com
Thu Sep 10 13:57:29 CEST 2015
Access facebook.com
Thu Sep 10 13:59:11 CEST 2015
Chat in facebook a little
Thu Sep 10 14:00:20 CEST 2015
Chat in skype
Thu Sep 10 14:00:54 CEST 2015
Text in the word document
Thu Sep 10 14:01:36 CEST 2015
Access news.google.com, access www.bbc.com/news
Thu Sep 10 14:02:56 CEST 2015
search for "twitter good account"
Thu Sep 10 14:03:09 CEST 2015
Get into a twitter account. Some clicking and surfing
Thu Sep 10 15:12:56 CEST 2015
Search regshot
Thu Sep 10 15:13:17 CEST 2015
Website : sourceforge.net
Thu Sep 10 15:13:32 CEST 2015
download regshot
Thu Sep 10 15:14:28 CEST 2015
Search 7z for windows
Thu Sep 10 15:14:47 CEST 2015
Go to 7-zip.org
Thu Sep 10 15:15:07 CEST 2015
download 7zip
Thu Sep 10 15:16:43 CEST 2015
Chat skype
Thu Sep 10 15:17:26 CEST 2015
execute regshot
Thu Sep 10 15:18:49 CEST 2015
1st shot (regshot)
Infection with malware
Thu Sep 10 15:22:27 CEST 2015
Execute malware and get the machine infected with 37e7f6598126096eaa9beea19377f936f94756fd4b584441c24fa7e60d7785f4.exe
Thu Sep 10 15:25:11 CEST 2015
2nd shot (regshot)
Thu Sep 10 15:26:06 CEST 2015
skype chat
Thu Sep 10 15:32:07 CEST 2015
go to a website: imgur
Thu Sep 10 15:35:03 CEST 2015
go to another website from a skype friend
Thu Sep 10 15:36:40 CEST 2015
Interact in facebook
Thu Sep 10 15:43:18 CEST 2015
Close imgur tabs
Thu Sep 10 15:45:39 CEST 2015
Edit document and save
Thu Sep 10 15:46:59 CEST 2015
send an email
Thu Sep 10 15:47:43 CEST 2015
receive an email error
Thu Sep 10 15:48:19 CEST 2015
send an other email
Thu Sep 10 ~19:00 CEST 2015
The machine stops having internet. We see no packets, and the programs seem not to be able to reach the internet. It looks like we have no IP address anymore.
Fri Sep 11 20:32:52 CEST 2015
I disable and enable the interface. It didn't work.
Fri Sep 11 20:34:17 CEST 2015
I restart Windows. It still didn't work.
Fri Sep 11 20:40:45 CEST 2015
There was an error exception in Windows.
Fri Sep 11 20:41:27 CEST 2015
I clicked on ok
Fri Sep 11 21:23:19 CEST 2015
Still without network connection.
Fri Sep 11 21:32:40 CEST 2015
I set the IP 10.0.2.15 by hand (the previous one) and the default gateway 10.0.2.2. It didn't work.
Fri Sep 11 21:36:46 CEST 2015
I tried to ping 10.0.2.2. It didn't work.
Fri Sep 11 21:38:05 CEST 2015
I disconnected the cable from VirtualBox
Fri Sep 11 21:38:58 CEST 2015
I connected the cable from VirtualBox. It didn't work. But I saw some packets!
Fri Sep 11 21:40:23 CEST 2015
I disable and enable the interface. It didn't work.
Fri Sep 11 21:41:41 CEST 2015
I rebooted from VirtualBox. It didn't work.
Thu Sep 17 10:28:27 CEST 2015
Power off
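Because this is a mixed capture, the timeline above is what lets an analyst separate pre-infection background traffic from post-infection traffic of the infected host. The following script is an added example (not part of the dataset or its tooling): it parses the timeline's own timestamp format, takes the infection time from the "Execute malware" entry, and labels flow records accordingly. It assumes a CTU-style Argus CSV header for the .binetflow file and uses constructed sample lines; the CEST zone name is dropped and all times are compared as naive local times. Post-infection flows of the host are labelled "post-infection", not "malicious": the timeline shows normal user activity (skype, facebook, email) continuing after infection, which is why the malware-only capture exists.

```python
from datetime import datetime

# Values taken from this page: infection entry in the timeline and the infected host.
INFECTION_TIME_STR = "Thu Sep 10 15:22:27 CEST 2015"
INFECTED_HOST = "10.0.2.15"


def parse_timeline_ts(s):
    """Parse 'Thu Sep 10 15:22:27 CEST 2015'; the zone name is dropped (assumption:
    all timestamps, timeline and flows alike, are naive CEST local times)."""
    parts = s.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


INFECTION_TIME = parse_timeline_ts(INFECTION_TIME_STR)

# Assumed Argus 'ra' CSV layout (CTU-style binetflow header). Sample records are
# constructed for this example; addresses other than 10.0.2.x are documentation ranges.
SAMPLE_BINETFLOW = """StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes
2015/09/10 15:13:40.102000,0.512,tcp,10.0.2.15,49231,->,203.0.113.10,443,FSPA_FSPA,0,0,12,2310,980
2015/09/10 15:22:31.004000,2.100,tcp,10.0.2.15,49310,->,198.51.100.7,8080,S_RA,0,0,6,360,180
2015/09/10 15:26:10.550000,0.030,udp,10.0.2.15,53211,<->,10.0.2.3,53,CON,0,0,2,180,60
2015/09/10 15:27:02.000000,1.200,tcp,10.0.2.2,22,->,10.0.2.15,51000,S_,0,0,3,180,180
2015/09/10 15:30:00.000000,0.500,udp,10.0.2.3,5353,<->,224.0.0.251,5353,CON,0,0,2,200,100
"""


def label_flows(text):
    """Return (label, SrcAddr, DstAddr, Dport) per record. Labels: 'pre-infection'
    (started before the malware ran), 'post-infection' (started afterwards and
    involves the infected host), 'other-host' (infected host not involved)."""
    lines = text.strip().splitlines()
    cols = lines[0].split(",")
    out = []
    for line in lines[1:]:
        rec = dict(zip(cols, line.split(",")))
        start = datetime.strptime(rec["StartTime"], "%Y/%m/%d %H:%M:%S.%f")
        if INFECTED_HOST not in (rec["SrcAddr"], rec["DstAddr"]):
            label = "other-host"
        elif start < INFECTION_TIME:
            label = "pre-infection"
        else:
            label = "post-infection"
        out.append((label, rec["SrcAddr"], rec["DstAddr"], rec["Dport"]))
    return out


def count_labels(text):
    """Histogram of labels, useful as a first sanity check on the split."""
    counts = {"pre-infection": 0, "post-infection": 0, "other-host": 0}
    for label, *_ in label_flows(text):
        counts[label] += 1
    return counts
```

Run against the real .binetflow file by reading it into `label_flows`; the header names must match the assumed layout, so check the first line of the file first.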