Cisco Blogs

CryptXXX Technical Deep Dive

August 17, 2016

0.0 Introduction:

In our previous post we discussed the AMP ThreatGrid Research and Efficacy Team’s continuous support for ransomware attack vectors, generic behavioral detection of undiscovered variants, and the creation of behavioral indicators once new variants are identified. In this post we’ll be discussing one of the more prevalent variants to surface in the wake of TeslaCrypt’s death: CryptXXX.

CryptXXX has been notably dropped by Angler and Neutrino exploit kits in recent months and continues to evolve. This post provides a technical deep dive that discusses CryptXXX’s obfuscation, execution, and evolving cryptographic mechanisms. We will then discuss AMP ThreatGrid’s detection of this threat.

1.0 Unpacking:

During the initial analysis of the v2.006 binary we found it peculiar that the entry-point being supplied did not exist in the packed PE, yet when we supplied an entry-point we had observed during dynamic analysis (a subsequent rundll32.exe invocation of the same DLL with a new entry-point), the binary executed properly. This works because the DLL entry-point (in this case the unpacking stub) runs on every load regardless of which export is requested; it replaces the PE image in memory with the unpacked code containing the malicious export for the core functionality, which rundll32.exe then looks up and calls. The following is an example of the packed entry-point “MXS1” being called, as observed during dynamic analysis:

Figure 1.0: Packed entry-point being called during dynamic analysis

Figure 2.0: Depiction of DLL overwrite process exposing entry-point to jump to.

While observing the unpacking code for v2.006 and setting a breakpoint on VirtualAlloc we found that a PE header was being referenced by a register:

Figure 3.0: Register reference to PE and MZ header in memory on call to VirtualAlloc

Jumping to this address we can see that it is indeed a PE header:

Figure 4.0: PE header at memory location pointed to by register

Dumping this and removing preceding bytes leading up to the MZ header yields a clean PE, which can be disassembled accordingly.

CryptXXX v3.0 has similar unpacking functionality, but requires a few extra steps. A simple approach to unpacking this sample is to know an API function that is called once the file is fully unpacked, observe where it is being called from, and finally retrieve the image that has been written to the memory layout once unpacking is complete. Since the sample calls CreateProcessW to spawn multiple instances of rundll32.exe that load this DLL, we can set a hardware breakpoint on the entry-point of this function with a debugger. Once the breakpoint is hit we know we are in unpacked code (this will not always be the case for every malware sample), and from the call to this API we can see the address we return into, and therefore which segment contains unpacked code:

Figure 5.0: Register reference to PE and MZ header in memory on call to VirtualAlloc

If we open the memory layout we can see that this is the CODE segment that is in memory when the DLL is initially loaded. If we restart execution and set a memory-write breakpoint on this segment, we break on an instruction that writes the value held in ECX into our code segment:

Figure 6.0: Writing value of ECX into CODE segment

This value appears to be a memory address, and if we jump to it, it is indeed valid. If we navigate to the top of the segment and search for a common PE term we find a PE header; dumping it and removing the residual bytes leading up to the MZ header gives us a valid PE:

Figure 7.0: Search result for common PE header term
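The dump-and-strip step described above, as an added Python example (not code from the post): it scans a dumped memory region for an MZ header, checks that e_lfanew points at a PE signature instead of accepting the first “MZ” match, and returns the image with the residual leading bytes removed. The dump bytes are constructed here and include a decoy “MZ” before the real header.

```python
import struct

PE_SIGNATURE = b"PE\x00\x00"


def _synthetic_pe(num_sections=2):
    """Minimal DOS stub + NT file header, constructed so carve_pe() has a
    valid image to find. It is not a real binary, only the fields checked."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + b"\x00" * (0x3C - 2)
    dos += struct.pack("<I", e_lfanew)                  # e_lfanew lives at 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))
    # IMAGE_FILE_HEADER: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + PE_SIGNATURE + file_hdr + b"\x00" * 0xE0


# Constructed dump: residual bytes, a decoy "MZ" that is not a real header,
# then the image, then trailing allocation slack.
DUMP = b"\x90" * 13 + b"MZ" + b"\x00" * 7 + _synthetic_pe() + b"\xCC" * 5


def carve_pe(region):
    """Return (offset, image) for the first MZ header whose e_lfanew points at
    a PE signature inside the region, or None. Matching 'MZ' alone is not
    enough: stray bytes in a dump can match it, as the decoy above shows."""
    pos = region.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(region):
            e_lfanew = struct.unpack_from("<I", region, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and region[nt:nt + 4] == PE_SIGNATURE:
                return pos, region[pos:]            # drop the bytes before MZ
        pos = region.find(b"MZ", pos + 1)
    return None


def file_header_info(image):
    """Read Machine and NumberOfSections from a carved image as a sanity check
    that the dump parses as a PE rather than being a lucky signature match."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    machine, sections = struct.unpack_from("<HH", image, e_lfanew + 4)
    return {"machine": machine, "sections": sections}


if __name__ == "__main__":
    offset, image = carve_pe(DUMP)
    print(f"PE found at dump offset {offset:#x}: {file_header_info(image)}")
```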

2.0 Obfuscation

2.1 String Obfuscation

Upon opening the binary in a disassembler it is very apparent that the strings used throughout the binary are obfuscated, and that all of them are passed as the second parameter to a single function:

Figure 8.0: Obfuscated string references

For each call made to the function, one of the parameters is always 0xE. The binary is a Borland Delphi executable, which uses the Borland fastcall calling convention, passing the first parameter in EAX. Considering how often XOR is used for obfuscation, let’s check for that first:

Figure 9.0: De-obfuscation of XOR encoded data using Interactive Ruby Shell

Using the Interactive Ruby Shell we XOR each byte of the obfuscated string with 0xE, which gives us valid output. In this case it appears that they are looking for avp.exe, a Kaspersky anti-virus process, in memory. To apply this de-obfuscation routine to every obfuscated string passed to this function we can use IDAPython. The following script satisfies our needs:

Figure 10.0: IDAPython for automated de-obfuscation of strings

We loop through all cross-references to the de-obfuscation function (in this case 0x9CDC74), get the address of each obfuscated string, de-obfuscate it, and comment both the string address and each call to the de-obfuscation function with the resulting string.

Figure 11.0: Resulting string comments from IDA Python de-obfuscation script

As seen from the above de-obfuscated strings, the ransom note is shipped with the binary itself, unlike other variants that reach out to Command and Control servers to fetch the ransomware notes and other content.

2.2 Command and Control IP Addresses

Throughout the analysis there are multiple references to the ‘send’ socket API, and on checking cross-references to this function there are calls that set up the socket and sockaddr objects for the connection, which are passed the result of another call:

Figure 12.0: Network connection functions

This function is given a large integer value (0x990D17D9) in network byte order and a pointer to a buffer that receives the resulting IP address. It derives the IP address by iterating over each byte of the integer in memory, converting its numeric value to a string, and concatenating the results with ‘.’. This is not technically obfuscation, but the IP addresses are not immediately apparent during the initial phases of analysis. These values can be converted in the following manner using C:

Figure 13.0: C code for deriving IP address from integer value

This produces 217.23.13.153 in this case; searching for it in AMP ThreatGrid shows all samples that have reached out to this IP address:
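The two decoding steps from sections 2.1 and 2.2, as an added Python example that is not the post’s own IDAPython script or C snippet: XOR-0xE string recovery, and the byte walk that turns 0x990D17D9 into 217.23.13.153. The sample region is constructed; the IDAPython driver assumes a “mov edx, offset” load for the second Borland-fastcall argument and NUL-terminated plaintext, and only runs inside IDA.

```python
import struct

XOR_KEY = 0x0E          # the value the sample passes in EAX to its de-obfuscation routine
DECODER_EA = 0x9CDC74   # address of that routine in the analysed v2.006 binary


def xor_decode(blob, key=XOR_KEY):
    """XOR every byte with the key: the whole of CryptXXX's string obfuscation."""
    return bytes(b ^ key for b in blob)


def xor_encode(text, key=XOR_KEY):
    """Inverse of xor_decode (XOR is symmetric); used only to build sample data."""
    return xor_decode(text.encode("latin-1"), key)


def decode_strings(region, key=XOR_KEY):
    """Split a region of obfuscated, NUL-terminated strings and decode each one.
    An encoded NUL is simply the key byte itself (0 ^ key == key).
    NUL termination is an assumption; the real layout is not shown in the post."""
    chunks = region.split(bytes([key]))
    return [xor_decode(c, key).decode("latin-1") for c in chunks if c]


def ip_from_dword(value):
    """Walk the four bytes of a 32-bit value as they sit in little-endian
    memory and join them with '.', which is how the C2 address string is built."""
    return ".".join(str(b) for b in struct.pack("<I", value & 0xFFFFFFFF))


# Constructed sample region: two obfuscated strings, each followed by an encoded NUL.
SAMPLE_REGION = (xor_encode("avp.exe") + bytes([XOR_KEY])
                 + xor_encode("svchost.exe") + bytes([XOR_KEY]))
C2_DWORD = 0x990D17D9   # the value observed being passed to the IP-building function


def comment_decoder_xrefs(decoder_ea=DECODER_EA, key=XOR_KEY):
    """IDAPython driver (runs only inside IDA, so it is not exercised offline).
    For each call to the decoder, look back for the 'mov edx, offset ...' that
    loads the second Borland-fastcall argument, decode the string it points at
    and comment both the call site and the string. The operand pattern and the
    NUL terminator are assumptions about this sample."""
    import idautils, idc, ida_bytes   # IDA-only modules
    found = {}
    for call_ea in idautils.CodeRefsTo(decoder_ea, 0):
        ea = call_ea
        for _ in range(8):   # look a few instructions back for the EDX load
            ea = idc.prev_head(ea)
            if idc.print_insn_mnem(ea) == "mov" and idc.print_operand(ea, 0) == "edx":
                str_ea = idc.get_operand_value(ea, 1)
                raw = bytearray()
                while len(raw) < 4096:
                    b = ida_bytes.get_byte(str_ea + len(raw))
                    if b == key:   # encoded NUL
                        break
                    raw.append(b)
                text = xor_decode(bytes(raw), key).decode("latin-1", "replace")
                idc.set_cmt(call_ea, text, 0)
                idc.set_cmt(str_ea, text, 0)
                found[call_ea] = text
                break
    return found


if __name__ == "__main__":
    print(decode_strings(SAMPLE_REGION))   # ['avp.exe', 'svchost.exe']
    print(ip_from_dword(C2_DWORD))         # 217.23.13.153
```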

Figure 14.0: Search results for IP address in AMP ThreatGrid

If we navigate to the entity page for this IP address we can see it has also been tagged by the Snort side-system that the Research & Efficacy Team created to process all network traffic associated with sample analysis.

Figure 15.0: IP address entity page in AMP ThreatGrid

These tags identify that this IP address has been used by traffic matching CryptXXX.

3.0 Execution

As mentioned, CryptXXX makes heavy use of packed entry-points to perform different tasks, splitting the overall execution flow across multiple spawned processes of a copied rundll32.exe. In v2.006 rundll32.exe is copied to the directory of the executing binary and renamed svchost.exe; in v3.0 the executable is copied but not renamed. After the unpacking stub finishes, the unpacked entry-point executes and checks which executable it is running from. If the name does not match the expected copy (svchost.exe or rundll32.exe) it executes the ‘setup’ entry-point (MS111 in v2.006, MXS0 in v3.0), which initiates the execution flow. The resulting process tree looks like this:

Figure 16.0: Example resulting execution tree for CryptXXX

For this post we will be analyzing the execution path that performs the encryption of files.

4.0 Encryption

CryptXXX targets a subset of file extensions, which it searches for recursively throughout the system. These extensions are de-obfuscated using the same XOR routine, and matching files are passed off for encryption. The extensions include:

.3DM, .3DS, .7Z, .ACCDB, .AES, .AI, .APK, .APP, .ARC, .ASC, .ASM, .ASP, .ASPX, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .CLASS, .CMD, .CPP, .CRT, .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FRM, .GADGET, .GBK, .GBR, .GED, .GPG, .GPX, .GZ, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .INDD, .JAR, .JAVA, .JKS, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .MAX, .MDB, .MDF, .MFD, .MML, .MS11, .MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV, .PRIVATE, .PS, .PSD, .PY, .QCOW2, .RAR, .RAW, .RSS, .RTF, .SCH, .SDF, .SH, .SITX, .SLDX, .SLK, .SLN, .SQL, .SQLITE3, .SQLITEDB, .STC, .STD, .STI, .STW, .SVG, .SWF, .SXC, .SXD, .SXI, .SXM, .SXW, .TAR, .TBK, .TEX, .TGZ, .TLB, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPROJ, .VDI, .VMDK, .VMX, .WKS, .WPD, .WPS, .WSF, .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM, .XLTX, .XLW, .XML, .ZIP, .ZIPX, 3G2, .3GP, .AIF, .ASF, .ASX, .AVI, .BMP, .DDS, .FLV, .GIF, .IFF, .JPG, .M3U, .M4A, .M4V, .MID, .MKV, .MOV, .MP3, .MP4, .MPA, .MPG, .PNG, .PSPIMAGE, .RA, .RM, .SRT, .TGA, .THM, .TIF, .TIFF, .TMP, .VOB, .WAV, .WMA, .WMV, .YUV

For version 2.006 “MS112” is the entry-point that performs the encryption operations, while “MXS1” is used for version 3.0.

4.1 Key Generation Algorithm

4.1.1 Seed Generation

The following algorithm is used for the initial seed generation (System::Random(void)); as you can see, it is based purely on the current system time:

Figure 17.0: CryptXXX seed generation algorithm

ds:RandSeed is referenced by Delphi’s RandInt() for all ‘randomized’ operations:

Figure 18.0: CryptXXX RandSeed function that provides pseudo-random values

RandSeed is updated by a linear congruential generator, identified from the constant it uses, 8088405h: https://en.wikipedia.org/wiki/Linear_congruential_generator

4.1.2 Key Generation & Encryption

The following algorithm generates a 64-byte ASCII key:

Figure 19.0: CryptXXX key generation algorithm

It is important to note that a new seed is requested for every file encrypted, that the seed is based purely on system time, and that it seeds the RandInt calls used to generate each part of this key (more on this later).

This key is then used within a key scheduling algorithm to create a key stream that is similar to RC4. The following code is a re-implementation of the key scheduling algorithm in C:

Figure 20.0: CryptXXX key stream generation algorithm

Finally, once the key stream is created, it is used to encrypt the data blob provided:

Figure 21.0: CryptXXX encryption algorithm

A public key that is shipped with the binary is then used to encrypt the generated key, and the resulting ciphertext is then appended to the encrypted file:

Figure 22.0: Encryption of generated key using shipped public key

4.1.3 CryptXXX v3.0 Encryption Changes

A number of changes to the encryption scheme were made for v3.0 of CryptXXX. The first is network share enumeration and encryption:

Figure 23.0: CryptXXX v. 3.0 network share enumeration for encryption

The second is that the RC4-related encryption algorithm is no longer used as the primary encryption mechanism (likely due to its crypto flaws); instead the embedded public key shipped with the binary, decoded using the same XOR obfuscation, is used. This makes decryption of files extremely difficult:

Figure 24.0: CryptXXX 3.0 public key encryption

The resulting ciphertext is then encrypted again using the same RC4-related algorithm from v2.006. This may indicate that a solution was ‘hacked together’ to release a version that could not be decrypted, as this step seems unnecessary.

4.2.0 Breaking Encryption in v2.006

CryptXXX versions <= v2.006 are publicly known to be broken, and Kaspersky has released a publicly available decryptor for them. Although Kaspersky has not publicly described its decryption method, one avenue of attack against this CryptXXX encryption scheme is its insecure seed generation algorithm. Since the seed is based on system time, it may be possible to brute-force portions of it very quickly.

4.2.1 Seed Leak Resulting in Quick Brute-Force

Initially we investigated recovering seed data from the write times of the encrypted files; however, CryptXXX restores the original write/modification times of each affected file. We then noticed that a ransom note is written to a directory once all targeted file types within it have been encrypted. This leaks seed data, since the modification timestamp of the ransom note should be close to what get_seed()’s GetSystemTime() call returned. That leaves us with a known SYSTEMTIME.wHour, a probably known SYSTEMTIME.wMinute, and, since encryption still takes some time, the remaining SYSTEMTIME.wSecond (0-59) and SYSTEMTIME.wMillisecond (0-999) to brute-force. The worst case for discovering these two values is 60*1000, so at most 60,000 operations, provided the minute taken from the ransom note is correct.

4.2.2 Decryption PoC

We’ve provided PoC code that decrypts a given file based solely on the last-modified timestamp of the dropped ransom note: it brute-forces SYSTEMTIME.wSecond and SYSTEMTIME.wMillisecond, generating a key for each candidate and attempting to decrypt the first four bytes of the file’s magic:

Figure 25.0: CryptXXX brute force ms and s PoC

Once the given magic is found (which in turn means that the key has been recovered) then the file is decrypted in its entirety. The following is an example of the PoC’s output:

Figure 26.0: Decryption PoC output example
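A reconstruction of the argument in 4.1 and 4.2 as an added Python example, not the post’s PoC: the Delphi LCG uses the real multiplier 0x8088405, but seed_from_time(), the 64-byte key derivation and the textbook RC4 standing in for the key scheduler are assumptions, since the post’s own versions are only shown in its figures. The ciphertext is constructed, and the search tries at most 60*1000 (wSecond, wMillisecond) pairs for the hour and minute leaked by the ransom note, accepting a candidate when it turns the leading ciphertext bytes back into the expected file magic.

```python
DELPHI_MULT = 0x8088405  # the LCG multiplier that identified Delphi's RandSeed in the post


class DelphiRandom:
    """Delphi's 32-bit System.Random: RandSeed := RandSeed * $8088405 + 1, and
    Random(L) returns the high 32 bits of Cardinal(RandSeed) * L."""

    def __init__(self, seed):
        self.seed = seed & 0xFFFFFFFF

    def random(self, limit):
        self.seed = (self.seed * DELPHI_MULT + 1) & 0xFFFFFFFF
        return (self.seed * limit) >> 32


def seed_from_time(hour, minute, second, ms):
    """Stand-in for get_seed(): the real combination of SYSTEMTIME fields is in
    Figure 17 and is not reproduced here. What matters is that the seed depends
    only on wHour, wMinute, wSecond and wMillisecond, which caps the search at
    60*1000 once the hour and minute are known from the ransom note's timestamp."""
    return ((hour * 60 + minute) * 60 + second) * 1000 + ms


KEY_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def generate_key(seed):
    """64 ASCII bytes, one RandInt call per byte (stand-in for Figure 19)."""
    rng = DelphiRandom(seed)
    return bytes(KEY_ALPHABET[rng.random(len(KEY_ALPHABET))] for _ in range(64))


def rc4_keystream(key, n):
    """Textbook RC4 KSA + PRGA, standing in for the 'RC4-like' scheduler of Figure 20."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def apply_keystream(data, key):
    """Encrypt or decrypt (XOR is symmetric) with the keystream for this key."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def recover_key(ciphertext, magic, hour, minute):
    """Try every (wSecond, wMillisecond) for the leaked hour and minute and return
    (key, second, ms) for the first candidate whose keystream turns the leading
    bytes of the ciphertext back into the expected file magic, or None."""
    for second in range(60):
        for ms in range(1000):
            key = generate_key(seed_from_time(hour, minute, second, ms))
            if apply_keystream(ciphertext[:len(magic)], key) == magic:
                return key, second, ms
    return None


# Constructed victim file and encryption time; only hour and minute are "leaked".
PNG_MAGIC = b"\x89PNG"
SAMPLE_PLAINTEXT = PNG_MAGIC + b"\r\n\x1a\n" + b"constructed image body"
TRUE_TIME = (14, 37, 7, 321)  # wHour, wMinute, wSecond, wMillisecond
SAMPLE_CIPHERTEXT = apply_keystream(SAMPLE_PLAINTEXT, generate_key(seed_from_time(*TRUE_TIME)))


def decrypt_demo():
    """Recover the key from the ciphertext and the ransom note's hour and minute,
    then decrypt the whole file; returns (plaintext, second, ms) or None."""
    hit = recover_key(SAMPLE_CIPHERTEXT, PNG_MAGIC, TRUE_TIME[0], TRUE_TIME[1])
    if hit is None:
        return None
    key, second, ms = hit
    return apply_keystream(SAMPLE_CIPHERTEXT, key), second, ms


if __name__ == "__main__":
    plaintext, second, ms = decrypt_demo()
    print(f"key found at wSecond={second} wMillisecond={ms}: {plaintext!r}")
```

The four-byte magic check is what keeps the search cheap; a false positive on four bytes is possible in principle, so a real recovery tool should confirm the candidate on more of the file before trusting it.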

5.0 AMP ThreatGrid Coverage

As mentioned in our previous blog post, AMP ThreatGrid has a number of generic ransomware indicators used to detect the new variants being released daily, and targeted behavioral indicators used to detect the ever-growing set of CryptXXX variants.

Figure 27.0: CryptXXX 3.0 report in AMP ThreatGrid

With new ransomware variants being released on a weekly basis, AMP ThreatGrid provides an automated platform for identifying and classifying them. Intelligence from this platform is continuously fed back into the AMP ecosystem, providing protection to Cisco customers.

6.0 The Road Ahead

Unfortunately, due to changes made by the CryptXXX authors in versions >= 3.0, it is no longer possible to decrypt CryptXXX using these methods. The most effective way of combating CryptXXX and ransomware in general is preventing infection through a layered approach to security, including reliable backup practices. Many initial infection vectors can also be closed off by enabling click-to-play for common plugins that risk becoming outdated or are commonly exploited in the wild through exploit kits such as Angler. Educating users not to open ZIP, JavaScript, or macro-enabled documents (especially those that request the enabling of such content) can also help prevent ransomware infections within your organization.

7.0 Indicators

IP Address
69.64.33.48
217.23.13.153
144.76.82.19
85.25.194.116
93.170.187.64


3 Comments

  1. Great analysis!

    Would you recommend IP blocking to ward off this type of attack or do the C&C servers change so fast it isn't worth the effort?

Unfortunately blocking the C&C server in the case of CryptXXX would not prevent encryption due to the fact that they are shipping the keys used for encryption with the binary itself, as mentioned in the post. This is not the case, however, with all variants, which typically request a public key from a C&C server. Blocking in that case would prevent encryption.
