0.0 Introduction:
In our previous post we discussed the AMP ThreatGrid Research and Efficacy Team’s continuous coverage of ransomware attack vectors, generic behavioral detection of not-yet-discovered variants, and the creation of behavioral indicators once new variants are identified. In this post we’ll be discussing one of the more prevalent variants to surface in the wake of TeslaCrypt’s death: CryptXXX.
CryptXXX has been notably dropped by Angler and Neutrino exploit kits in recent months and continues to evolve. This post provides a technical deep dive that discusses CryptXXX’s obfuscation, execution, and evolving cryptographic mechanisms. We will then discuss AMP ThreatGrid’s detection of this threat.
1.0 Unpacking:
During the initial analysis of the v2.006 binary we found it peculiar that the entry-point being supplied did not exist in the packed PE, yet when we supplied an entry-point observed during dynamic analysis (rundll32.exe made a subsequent call into the same DLL with a new entry-point) the binary executed properly. This works because the DLL entry-point (in this case the unpacking stub) runs on every load regardless of the exported name requested; the stub replaces the PE image in memory with the unpacked code, which contains the malicious entry-point for the core functionality, and rundll32.exe then looks that name up and calls it. The following is an example of the packed entry-point “MXS1” being called, as observed during dynamic analysis:
Figure 1.0: Packed entry-point being called during dynamic analysis
Figure 2.0: Depiction of DLL overwrite process exposing entry-point to jump to.
While observing the unpacking code for v2.006 with a breakpoint set on VirtualAlloc, we found that a register held a pointer to a PE header in memory:
Figure 3.0: Register reference to PE and MZ header in memory on call to VirtualAlloc
Jumping to this address we can see that it is indeed a PE header:
Figure 4.0: PE header at memory location pointed to by register
Dumping this and removing preceding bytes leading up to the MZ header yields a clean PE, which can be disassembled accordingly.
CryptXXX v3.0 has similar unpacking functionality but requires a few extra steps. A simple approach to unpacking this sample is to pick an API function that is only called once the file is fully unpacked, observe where it is called from, and then retrieve the image that has been written to that memory region. Since the sample calls CreateProcessW to spawn multiple instances of rundll32.exe that load this DLL, we can set a hardware breakpoint on the entry-point of that function in a debugger. Once the breakpoint is hit we know we are in unpacked code (this will not hold for every malware sample), and from the call to this API we can see the return address, and therefore which segment contains the unpacked code:
Figure 5.0: Register reference to PE and MZ header in memory on call to VirtualAlloc
Opening the memory layout shows that this is the CODE segment that is in memory when the DLL is initially loaded. If we restart execution and set a memory-write breakpoint on this segment, we break on an instruction that writes the value in ECX into our code segment:
Figure 6.0: Writing value of ECX into CODE segment
This value appears to be a memory address, and jumping to it confirms it is valid. Navigating to the top of the segment and searching for a common PE header term locates a PE header; dumping it and removing the residual bytes before the MZ header yields a valid PE:
Figure 7.0: Search result for common PE header term
2.0 Obfuscation
2.1 String Obfuscation
Upon opening the binary in a disassembler it is very apparent that the strings used throughout the binary are obfuscated, and that all of them are passed as the second parameter to a single function:
Figure 8.0: Obfuscated string references
For each call made to the function, one of the parameters is 0xE. The binary is a Borland Delphi executable, which uses the Borland Fastcall calling convention, under which EAX carries the first parameter passed to a function. Given how often XOR is used for string obfuscation, let’s check for that first:
Figure 9.0: De-obfuscation of XOR encoded data using Interactive Ruby Shell
Using the Interactive Ruby Shell we XOR each byte in the obfuscated string with 0xE, which in turn gives us a valid output. In this case it appears that they are looking for avp.exe, a Kaspersky anti-virus process, in memory. In order to apply this de-obfuscation routine to every obfuscated string referencing this function we can use IDAPython. The following script will satisfy our needs:
Figure 10.0: IDAPython for automated de-obfuscation of strings
We can loop through all cross-references to the de-obfuscation function (in this case 0x9CDC74), get the address of each obfuscated string, de-obfuscate it, and comment the string address and each call to the de-obfuscation function with the resulting string.
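The XOR de-obfuscation described above, as an added Python example rather than the post’s own IRB session or IDAPython script: a plain routine that decodes a string with the 0xE key, run over a constructed obfuscated copy of the avp.exe string (the byte string below is “avp.exe” XORed with 0xE, not a dump from the binary), plus a constructed NUL-separated string table using the .DOCX extension the post lists. It also goes one step beyond the post: when the key is not visible at the call site, recover_single_byte_key tries all 256 single-byte keys against a known plaintext fragment such as an .exe suffix. The NUL separator in the table is an assumption for this example, not the binary’s layout.

```python
import string

XOR_KEY = 0x0E  # the constant passed to the de-obfuscation function in the post


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key. XOR is symmetric, so the same
    call both obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in blob)


# Constructed sample: "avp.exe" XORed with 0x0E (not a dump from the binary).
OBFUSCATED_AVP = b"ox~ kvk"

# Constructed string table: two obfuscated strings, each followed by a raw NUL.
# (The separator is an assumption for this example; the binary's own layout
# is whatever the disassembly shows.)
SAMPLE_TABLE = OBFUSCATED_AVP + b"\x00" + xor_decode(b".DOCX") + b"\x00"


def decode_string_table(blob: bytes, key: int = XOR_KEY, sep: bytes = b"\x00") -> list:
    """Split the table on the separator and decode each obfuscated chunk."""
    return [xor_decode(chunk, key).decode("latin-1")
            for chunk in blob.split(sep) if chunk]


PRINTABLE = set(string.printable.encode())


def recover_single_byte_key(blob: bytes, known_fragment: bytes) -> list:
    """Return every single-byte key whose output contains a known plaintext
    fragment and is entirely printable. Useful when the key is not as
    obvious as the 0xE immediate was in this sample."""
    hits = []
    for k in range(256):
        out = xor_decode(blob, k)
        if known_fragment in out and all(b in PRINTABLE for b in out):
            hits.append(k)
    return hits


if __name__ == "__main__":
    print(xor_decode(OBFUSCATED_AVP))                        # b'avp.exe'
    print(decode_string_table(SAMPLE_TABLE))                 # ['avp.exe', '.DOCX']
    print(recover_single_byte_key(OBFUSCATED_AVP, b".exe"))  # [14]
```

The key-recovery helper is the piece to keep: in IDAPython the same loop runs over the bytes at each cross-referenced string address, and a short known fragment (a process name suffix, a file extension, “http”) is normally enough to pin the key to a single candidate.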
Figure 11.0: Resulting string comments from IDA Python de-obfuscation script
As seen from the above de-obfuscated strings, the ransom note is shipped with the binary itself, unlike other variants that reach out to Command and Control servers to fetch the ransomware notes and other content.
2.2 Command and Control IP Addresses
Throughout the analysis there are multiple references to the ‘send’ socket API; checking cross-references to it shows calls that set up the socket and sockaddr objects for the connection, which are passed the result of another call:
Figure 12.0: Network connection functions
This function is given a large integer value (0x990D17D9) in network byte order and a pointer to the buffer that receives the resulting IP address. It derives the IP address from the integer by iterating over each of its bytes in memory, converting each to its decimal string representation, and joining the results with ‘.’. This is not technically obfuscation, but it does keep the IP addresses from being immediately apparent during the initial phases of analysis. These values can be converted as follows using C:
Figure 13.0: C code for deriving IP address from integer value
In this case the result is 217.23.13.153; searching for it in AMP ThreatGrid shows every sample that has reached out to this IP address:
Figure 14.0: Search results for IP address in AMP ThreatGrid
If we navigate to the entity page for this IP address we can see this has also been tagged by the Snort side system that the Research & Efficacy Team has created to process all network traffic associated with the sample analysis.
Figure 15.0: IP address entity page in AMP ThreatGrid
These tags identify that this IP address has been used by traffic matching CryptXXX.
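The integer-to-IP conversion from section 2.2, written as an added Python example (not the post’s C snippet): it walks the four bytes of the immediate as they lie in memory on x86 (little-endian), which is what turns 0x990D17D9 into 217.23.13.153, and also shows the big-endian reading, which is the wrong one for this routine and a common source of confusion. The reverse conversion is added so that the IP addresses from the Indicators section can be turned back into the immediates an analyst would search for in the disassembly to locate other embedded C2 constants.

```python
import ipaddress
import struct


def immediate_to_ip(value: int) -> str:
    """Derive the dotted quad the way the binary does: take the 32-bit
    immediate as stored in memory on x86 (little-endian), convert each
    byte to decimal and join with '.'."""
    return ".".join(str(b) for b in struct.pack("<I", value))


def immediate_to_ip_big_endian(value: int) -> str:
    """The other reading (big-endian); shown only to make the endianness
    trap visible. This is NOT what the sample's routine does."""
    return ".".join(str(b) for b in struct.pack(">I", value))


def ip_to_immediate(ip: str) -> int:
    """Inverse: the 32-bit immediate whose in-memory bytes spell this IP."""
    return struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]


# C2 addresses listed in the Indicators section of the post.
C2_ADDRESSES = [
    "69.64.33.48",
    "217.23.13.153",
    "144.76.82.19",
    "85.25.194.116",
    "93.170.187.64",
]


def immediates_to_search(ips=C2_ADDRESSES) -> dict:
    """Map each known C2 IP to the hex immediate to look for in the
    disassembly (e.g. as an operand passed to the IP-building function)."""
    return {ip: f"0x{ip_to_immediate(ip):08X}" for ip in ips}


if __name__ == "__main__":
    print(immediate_to_ip(0x990D17D9))             # 217.23.13.153
    print(immediate_to_ip_big_endian(0x990D17D9))  # 153.13.23.217 (wrong reading)
    for ip, imm in immediates_to_search().items():
        print(imm, ip)
```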
3.0 Execution
As mentioned, CryptXXX makes heavy use of packed entry-points to perform different tasks, splitting the overall execution flow across multiple spawned processes of a copied rundll32.exe. In v2.006 rundll32.exe is copied to the directory of the executing binary and renamed svchost.exe; in v3.0 the executable is copied but not renamed. After the unpacking stub finishes, the unpacked entry-point checks which executable it is running from. If the name does not match the expected copied name (svchost.exe or rundll32.exe), it executes the ‘setup’ entry-point (MS111 in v2.006, MXS0 in v3.0) that initiates the execution flow, whose process tree ends up looking like this:
Figure 16.0: Example resulting execution tree for CryptXXX
For this post we will be analyzing the execution path that performs the encryption of files.
4.0 Encryption
CryptXXX targets a subset of file extensions to encrypt, which are searched for recursively throughout the system. These extensions are de-obfuscated using the same XOR routine, and are passed off for encryption. These include:
.3DM, .3DS, .7Z, .ACCDB, .AES, .AI, .APK, .APP, .ARC, .ASC, .ASM, .ASP, .ASPX, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .CLASS, .CMD, .CPP, .CRT, .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FRM, .GADGET, .GBK, .GBR, .GED, .GPG, .GPX, .GZ, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .INDD, .JAR, .JAVA, .JKS, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .MAX, .MDB, .MDF, .MFD, .MML, .MS11, .MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV, .PRIVATE, .PS, .PSD, .PY, .QCOW2, .RAR, .RAW, .RSS, .RTF, .SCH, .SDF, .SH, .SITX, .SLDX, .SLK, .SLN, .SQL, .SQLITE3, .SQLITEDB, .STC, .STD, .STI, .STW, .SVG, .SWF, .SXC, .SXD, .SXI, .SXM, .SXW, .TAR, .TBK, .TEX, .TGZ, .TLB, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPROJ, .VDI, .VMDK, .VMX, .WKS, .WPD, .WPS, .WSF, .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM, .XLTX, .XLW, .XML, .ZIP, .ZIPX, 3G2, .3GP, .AIF, .ASF, .ASX, .AVI, .BMP, .DDS, .FLV, .GIF, .IFF, .JPG, .M3U, .M4A, .M4V, .MID, .MKV, .MOV, .MP3, .MP4, .MPA, .MPG, .PNG, .PSPIMAGE, .RA, .RM, .SRT, .TGA, .THM, .TIF, .TIFF, .TMP, .VOB, .WAV, .WMA, .WMV, .YUV
For version 2.006 “MS112” is the entry-point that performs the encryption operations, while “MXS1” is used for version 3.0.
4.1 Key Generation Algorithm
4.1.1 Seed Generation
The following algorithm is used for the initial seed generation (System::Random(void)); as you can see, it is based purely on the current system time:
Figure 17.0: CryptXXX seed generation algorithm
ds:RandSeed is referenced by Delphi’s RandInt() for all ‘randomized’ operations:
Figure 18.0: CryptXXX RandSeed function that provides pseudo-random values
RandSeed is driven by a linear congruential generator, identified from the multiplier constant 8088405h it uses: https://en.wikipedia.org/wiki/Linear_congruential_generator
4.1.2 Key Generation & Encryption
The following algorithm generates a 64-byte ASCII key:
Figure 19.0: CryptXXX key generation algorithm
It is important to note that a new seed is requested for every file encrypted, that the seed is based purely on system time, and that it then seeds the RandInt calls used to generate each part of the key (more on this later).
This key is then used within a key scheduling algorithm to create a key stream that is similar to RC4. The following code is a re-implementation of the key scheduling algorithm in C:
Figure 20.0: CryptXXX key stream generation algorithm
Finally, once the key stream is created, it is used to encrypt the data blob provided:
Figure 21.0: CryptXXX encryption algorithm
A public key that is shipped with the binary is then used to encrypt the generated key, and the resulting ciphertext is then appended to the encrypted file:
Figure 22.0: Encryption of generated key using shipped public key
4.1.3 CryptXXX v3.0 Encryption Changes
A number of changes to the encryption scheme were made for v3.0 of CryptXXX. The first is network share enumeration and encryption:
Figure 23.0: CryptXXX v. 3.0 network share enumeration for encryption
The second is that the RC4-like algorithm is no longer the primary encryption mechanism (likely because of its crypto flaws); instead the embedded public key shipped with the binary, decoded with the same XOR obfuscation, is used. This makes decryption of files extremely difficult:
Figure 24.0: CryptXXX 3.0 public key encryption
The resulting ciphertext is then encrypted using the same RC4 related algorithm from v2.006. This may indicate that a solution was ‘hacked together’ for release of a version that could not be decrypted, as this step seems unnecessary.
4.2.0 Breaking Encryption in v2.006
CryptXXX versions up to and including v2.006 are publicly known to be broken, and Kaspersky has released a publicly available decryptor for them. Although Kaspersky has not publicly described its decryption method, one avenue of attack against this CryptXXX encryption scheme is the insecure seed generation algorithm. Since the seed is based on system time, it may be possible to brute force portions of it very quickly.
4.2.1 Seed Leak Resulting in Quick Brute-Force
Initially we investigated recovering seed data from the write times of the encrypted files; however, CryptXXX restores the original write/modification times of each affected file. We then noticed that a ransom note is written to a directory once all targeted file types within that directory have been encrypted. This leaks seed data, since the modification time stamp of the ransom note should be close to the value returned by the GetSystemTime() call in get_seed(). That leaves us with a known SYSTEMTIME.wHour, a probably known SYSTEMTIME.wMinute, and, since encryption still takes some time, a remaining SYSTEMTIME.wSecond (0-59) and SYSTEMTIME.wMillisecond (0-999) to brute-force. In the worst case, discovering these two values takes 60*1000 = 60,000 operations, provided we have the correct minute from the ransom note.
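The seed generator of 4.1.1 and the brute-force of 4.2.1, as one added Python model that is not the post’s PoC and not CryptXXX’s own routines. What is taken from the post: a Delphi-style LCG with multiplier 0x8088405 reseeded from SYSTEMTIME, a ransom-note mtime that fixes hour and minute, and a known file magic used to test each of the 60*1000 remaining (second, millisecond) candidates. What is assumed and labelled as such: Delphi’s increment of 1 and its (state * limit) >> 32 scaling in Random(limit), the way the SYSTEMTIME fields are packed into a seed (seed_from_time), and a stand-in key stream that XORs LCG output bytes directly instead of going through the 64-byte key and RC4-like schedule of Figures 19-21. The victim file and encryption time are constructed. The point it demonstrates survives the simplification: once the seed space collapses to 60,000 values, a few known plaintext bytes recover the key in well under a second.

```python
# Delphi's RandSeed update uses the multiplier the post identifies (0x8088405).
# The increment of 1 and the (state * limit) >> 32 scaling are Delphi's
# documented Random() behaviour, ASSUMED here to be what the sample uses.
LCG_MULT = 0x8088405
LCG_INC = 1
MASK32 = 0xFFFFFFFF


def rand_int(seed: int, limit: int):
    """One RandInt(limit) step: returns (new_seed, value in [0, limit))."""
    seed = (seed * LCG_MULT + LCG_INC) & MASK32
    return seed, (seed * limit) >> 32


def seed_from_time(hour: int, minute: int, second: int, millisecond: int) -> int:
    """ASSUMED packing of SYSTEMTIME fields into a seed; CryptXXX's real
    get_seed() (Figure 17.0) is not reproduced here. Max value fits 32 bits."""
    return ((hour * 60 + minute) * 60 + second) * 1000 + millisecond


def keystream(seed: int, length: int) -> bytes:
    """Stand-in key stream: LCG output bytes used directly. The real sample
    builds a 64-byte key from RandInt and runs an RC4-like schedule instead."""
    out = bytearray()
    for _ in range(length):
        seed, v = rand_int(seed, 256)
        out.append(v)
    return bytes(out)


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_at(plaintext: bytes, hour: int, minute: int, second: int, ms: int) -> bytes:
    """Encrypt with a key stream seeded from the given wall-clock time."""
    seed = seed_from_time(hour, minute, second, ms)
    return xor_bytes(plaintext, keystream(seed, len(plaintext)))


def brute_force_seed(ciphertext: bytes, hour: int, minute: int, expected_magic: bytes):
    """Hour and minute come from the ransom note's mtime; only the 60 * 1000
    (second, millisecond) pairs remain. Only len(expected_magic) bytes of
    key stream are generated per candidate. Returns (seed, second, ms) or None."""
    head = ciphertext[:len(expected_magic)]
    for second in range(60):
        for ms in range(1000):
            seed = seed_from_time(hour, minute, second, ms)
            if xor_bytes(head, keystream(seed, len(head))) == expected_magic:
                return seed, second, ms
    return None


def recover_file(ciphertext: bytes, hour: int, minute: int, expected_magic: bytes):
    """Find the seed from the magic, then decrypt the whole file with it."""
    found = brute_force_seed(ciphertext, hour, minute, expected_magic)
    if found is None:
        return None
    seed, _, _ = found
    return xor_bytes(ciphertext, keystream(seed, len(ciphertext)))


# Constructed victim file: a PNG signature followed by filler (not real data).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PLAINTEXT = PNG_MAGIC + b"constructed pixel data " * 4
# Constructed encryption time 14:07:42.311; the ransom note's mtime gives 14:07.
SAMPLE_CIPHERTEXT = encrypt_at(SAMPLE_PLAINTEXT, 14, 7, 42, 311)


if __name__ == "__main__":
    print(brute_force_seed(SAMPLE_CIPHERTEXT, 14, 7, PNG_MAGIC[:4]))
    print(recover_file(SAMPLE_CIPHERTEXT, 14, 7, PNG_MAGIC) == SAMPLE_PLAINTEXT)
```

The post’s PoC checks four bytes of magic; brute_force_seed compares however many known prefix bytes you pass, and using the full eight-byte PNG signature removes any realistic chance of a false hit among the 60,000 candidates. Swapping keystream for a faithful re-implementation of the sample’s key derivation is the only change needed to turn this skeleton into a real v2.006 decryptor.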
4.2.2 Decryption PoC
We’ve provided PoC code that decrypts a given file based solely on the last-modified time-stamp of the dropped ransom note: it attempts to decrypt the first four bytes of the file’s magic with a key generated from the current candidate SYSTEMTIME.wSecond and SYSTEMTIME.wMillisecond, brute-forcing both:
Figure 25.0: CryptXXX brute force ms and s PoC
Once the expected magic is found (meaning the key has been recovered), the file is decrypted in its entirety. The following is an example of the PoC’s output:
Figure 26.0: Decryption PoC output example
5.0 AMP ThreatGrid Coverage
As mentioned in our previous blog post, AMP ThreatGrid has a number of generic ransomware indicators used to detect the new variants released daily, as well as targeted behavioral indicators used to detect the ever-growing family of CryptXXX variants.
Figure 27.0: CryptXXX 3.0 report in AMP ThreatGrid
With new ransomware variants released on a weekly basis, AMP ThreatGrid provides an automated platform for identifying and classifying them. Intelligence from this platform is continuously fed back into the AMP ecosystem, providing protection to Cisco customers.
6.0 The Road Ahead
Unfortunately, due to changes made by the CryptXXX authors in versions >= 3.0, it is no longer possible to decrypt CryptXXX using these methods. The most effective way of combating CryptXXX and ransomware in general is preventing infection through a layered approach to security that includes reliable backup practices. Many initial infection vectors can be blocked by enabling click-to-play for common plugins that risk becoming outdated or are commonly exploited in the wild by exploit kits such as Angler. Educating users not to open ZIP, JavaScript, or macro-enabled documents (especially those that request enabling such content) can also help prevent ransomware infections within your organization.
7.0 Indicators
Version | SHA256
---|---
CryptXXX v2.006 | 00010d394c06533d58f021115d7bde815b5daf498fe2659980bf1cc337fda3fc
CryptXXX v2.006 | 03add73b979c9eaeef3aad8aa6a75b7abe40b3ea9fa4a57ccdd74db5dbaaa252
CryptXXX v2.006 | 046215078fa5284346081207c9eff133a47d6af9be570f1a4f6dc42ae622aab8
CryptXXX v2.006 | 04cc79fbf6e6d82b3e37e302e6d4306b42432f28829e9bbf2102150f78cc2e44
CryptXXX v2.006 | 0740f96742c9500d52a14b2ef007b390fccbdcb0658b82082d525b1d9864c2c6
CryptXXX v2.006 | 0886883282ddd1ae4553b99915baa7c294f5ef3ff9700c72f847db77c60a3f38
CryptXXX v2.006 | 09b6352cc56c64919d9b3661c8d23876b17c4d940581234cb18f7124e1f9087b
CryptXXX v2.006 | 0a1dde60c72e5f1cf0286dd57e3b683f61aec132ce7db7678e806c9a2b3f1a3c
CryptXXX v2.006 | 0cbc3b3019ae908abbbd80fa3e7c6d455e4ae576d4e8f9fe6fe986741ee47d03
CryptXXX v2.006 | 0d3f21fbed73b75534683f1230dd7e13a344f22a0bf31b2fb203daf5d6e02bbb
CryptXXX v2.006 | 0dd37f0cf661b6735c54ba8e76a40d3647de90469087ce4cc4975eb4c72af120
CryptXXX v2.006 | 0e4e5a3763d9aa4ba19ccdd1409b77f683c81f72e54423b8c2a02034a311444a
CryptXXX v2.006 | 135abc2fbfca8b577028b0c220cef9c98f4580f9d310cae7fb4f8b28ac261119
CryptXXX v2.006 | 143a9486579b75bacde9a1e592071fb0dcb5e0f921bc4c2649c5709075008d30
CryptXXX v2.006 | 16366a9a6fa27e41a629f5bd7971e60bb7110e08cd3b82eb25a08023ccbc6483
CryptXXX v2.006 | 16b196d1bf2652ebfa44f3301bf0b6a370d0c629a53808be86eb583c852ae650
CryptXXX v2.006 | 16d75d3df201d9a341f5e9ca1e38c41fda9bc3b263f5a1ab59b6632cd3b03a60
CryptXXX v2.006 | 1c20f93c4d175bea26515101a351c1f877b0b8620ec4d1db3b88ea15c42ea7cf
CryptXXX v2.006 | 1cf3f27bc136b2535dec72a12116fba1a0c57f21a08ea27499f9771de281af3f
CryptXXX v2.006 | 1d45efc7c00d3d34c02f35c2f0f9401445f674f489ab0fb156b147789dd9945e
CryptXXX v2.006 | 20e1d6dc6853aefde5068d3dfeec0e60796966c32b08e9065319f5b92139303a
CryptXXX v2.006 | 259c76d43148070c729837e2598347a50981b32f431300cc4fafc41437f988f2
CryptXXX v2.006 | 271ea8b6b7eea798842fae9bbd0d06ad1d58ad515d82d1b58da0585c38765909
CryptXXX v2.006 | 27819abb4e9fd6c86cacfa97ca21a0f5749380dc602caed986063dd256e2d1ce
CryptXXX v2.006 | 2d888d5340a7d3c6ad69cd95b849a829dbb6c4952300ea3c73a73833e70cb25e
CryptXXX v2.006 | 2dc4c0273d98668ddac7d66f337822f6188a138931c2ea61fcb2a713577618d5
CryptXXX v2.006 | 31e26c5a6e07b9b221e650d7c2c42acb71169ef94d2d08080008bd4d3e6c0029
CryptXXX v2.006 | 31e58f599ff114191ee59665e27a5eb82e9d7e0023021beb453416530e455dae
CryptXXX v2.006 | 3cdb3544f00ea9507b1f28402ffbdd2ef75e46a6e176dfab5c7c9be3215dc7c7
CryptXXX v2.006 | 403ec0d80ab65da07927605010c4d5b62a2ae388ecaebf50ee90b7567504c44e
CryptXXX v2.006 | 416918f81dc4b6d708c6de86b1cc7d4f9872376c385480b3e031f1080af4d354
CryptXXX v2.006 | 427c9d7a6831588deae6719de264aa0bd556174292ba29885d42b78328f431a3
CryptXXX v2.006 | 4322be54af5557b4171fcc61d5c0426f6556983322cee8360a6244f7a669c10a
CryptXXX v2.006 | 44a44c24cb6495b4dca03a0a0e5d7716e6af1b37f390d25c344dabd7517663e5
CryptXXX v2.006 | 46e8328de0f30d3a673b71681e4cbfc28f921719a61ce87301fd86181b13c9e7
CryptXXX v2.006 | 4ab84b3083e382f875d605e1dbdafcad028935b6437fd9ddc40b37d5ba31d171
CryptXXX v2.006 | 4aeead8a128ea58c611e14496379a198beecb7bb8f5698d7d379be0fc271479e
CryptXXX v2.006 | 4c2398adb49020f7a98b813c8ddc2244972f11be999c46dacac779f44993f6cf
CryptXXX v2.006 | 4cc5eb93eebfacb2752d42804b4acec2ac8bb150b7a7bb9e624f062908c79734
CryptXXX v2.006 | 4d729b1b8024ba4ed5262d5811fac4925ae3f54ed7d0adc4ffeb169dddd4c510
CryptXXX v2.006 | 4df47b25fe1189755ba6447215c5afded02b31e86f33315f429fdb2927817ce5
CryptXXX v2.006 | 4eaea066dd08c122cd6923d161b951befbcedff79d5e45af3f9481fbc934f5b6
CryptXXX v2.006 | 4ef30f114adb24878c73a9e58dbf3cec5d31f3267be6357dc9d6fe016a658fb9
CryptXXX v2.006 | 502933afdf8b979b9f31fc7a6f36ba330a6a0f56d3005ac02ac27a86f88f234f
CryptXXX v2.006 | 51b7dac0cde40daa7d0f046b3351a5e771202a1b8eccdf6d5eeb9da17f55597b
CryptXXX v2.006 | 51ee64957427b52a785fae0c633374332d2da52b2585bae3611f9c3791efd0a8
CryptXXX v2.006 | 520efc6eacef202ba3ab7971ce617f799a49ec36ea471f059346e2f1eaa50abe
CryptXXX v2.006 | 527594e383dad5dc8dae285f56d55b68c0755e93f066277b076daa92bbdab9d6
CryptXXX v2.006 | 5778898744d6032d92b0efe569205edb8eab16debdceac965d73593e217c0aca
CryptXXX v2.006 | 59e65814bd09c264a71ceb705bb216e979eb880bd251fc4ac75bc3b7d1d4b811
CryptXXX v2.006 | 5d12943f1d4f7acb8ac10842d77c85dd91c3a11a3c3e228f5bb726f9d6879894
CryptXXX v2.006 | 5d57302419d55ab491c542008cab8af0ff8302a3e8ba9b92ea02a41ee3ff43b8
CryptXXX v2.006 | 5f1ea5bafc748349d639d10df6fb6319ca11a0b681b448ccbd95fc87fe595d49
CryptXXX v2.006 | 5f73a917184ea302872be402c84f072047ff701d070e3944d971c612a277068d
CryptXXX v2.006 | 65e325b662197eb703dd73487d1608d439f447e331d3b2ccc7275ee79a2244fd
CryptXXX v2.006 | 694959f7125440166166463b6dc5e3a14e7c3eccf73e8d482d6bddaf09640350
CryptXXX v2.006 | 6ae29650bc628615401f9e3c48573ab7ecf7314c2f26aa1354c0f0b05d10b64d
CryptXXX v2.006 | 6c68fa24e88d7513b633bc355f5b7458949e8c65483b04b2d5b76c3bf6de7b15
CryptXXX v2.006 | 6e537cb179a41e1e9dd7579effd28fcd8d35ede0b52321656dbfd0f49c153ae1
CryptXXX v2.006 | 6f57e785aada126bf5262f8478e6a13ce624d494c1381105853a753649940dda
CryptXXX v2.006 | 6f79e9b511109233556d46e720eaca3b59a751f1fabdf37a3657e22e6c59eef8
CryptXXX v2.006 | 6fb8b2093af1d804be3a583683d7dd7fe7fae9561291ff796c4a65480c19f6d9
CryptXXX v2.006 | 75a4b04736f979e6e13abacbf617b71ae69a4448311e754b086509110f092208
CryptXXX v2.006 | 778d4144dbed9cf3d1880cddbd8ef70fefa11d8e6f67363c21c0476f8f3cd0ba
CryptXXX v2.006 | 7a3d34ea59b089f04c49fccea67696b81990512e91cf155baa0ed805f0ae566b
CryptXXX v2.006 | 7cc406d9d532c82607c6e06da5da549b05b91e23edb756c70f1f52572337c63b
CryptXXX v2.006 | 7e4d8633df7cdf993f91774905427994354b9b43312a53765f56fee401d62f5f
CryptXXX v2.006 | 82695a9a04ff75cedad32114a3dbea5b1ff7f5b0a5f3554e7b1bd7d68c5779fc
CryptXXX v2.006 | 8273ed121aea7dab0b07fe42eb303d3adcf23cc3001940579166f0c87b25e59f
CryptXXX v2.006 | 831168e4ac5d3446abbdb0a92cf23d81e884325f6b6fb7edb3c0c33b8740c133
CryptXXX v2.006 | 84ab15f876fadb95b8ef204a12f788aa5c1366e2088e47fb7bfe022f67353cba
CryptXXX v2.006 | 84f3a6961da0e62f23086cd12a2387d794b98ead2b37d383db588ebec134ed95
CryptXXX v2.006 | 852de24d1d145487c4328dc722854fd0123c2f47ee12c613b1f5bb122f32c1b0
CryptXXX v2.006 | 85c904aba1b2d9f42f746abd8b93dc8e247362559083429d1338074494a3477b
CryptXXX v2.006 | 85fb5fccf26ff35e0c5e832d356a1752c0a06d6c00396ba2789c6e091ab41fcb
CryptXXX v2.006 | 884a1962d1e8d4b0d66414ecdb9daa0654651ea1b2cb625d8d4cdd79f34874f8
CryptXXX v2.006 | 8877a89cae1486859d4a6c44c688cc9afc2bce08aedcaa1d831633cab2c194cb
CryptXXX v2.006 | 89581a21d799be7e8fdfc84e8d8ab1d621ec05965dbacfe210b040ce7d263c4d
CryptXXX v2.006 | 8ac3423b97d9a49249f5efa066a076581c7c0c1ebf8ae9bc9d502b1f4fffdefe
CryptXXX v2.006 | 8bc3e86de5b8f05c037ccf808c8a6c0e4bc5b493668dbffdfe854c2ed6057e88
CryptXXX v2.006 | 8cfb790efcb59ea14762894853825e744fafdf48da999cedcf34c3477caf0483
CryptXXX v2.006 | 8def4590634e14d388faee822be7e21d5256ed900e5bd4c6be7d7f1845c6706d
CryptXXX v2.006 | 8f43929756b8c35e129183da7960388099581df462ed9dddd61dd3125bf239ce
CryptXXX v2.006 | 904f425e13c3f0aceda34ae1e118a05999e8423a1e4214fac8567b846f2d6e9b
CryptXXX v2.006 | 9071b5bd61a32e1ac78ef210cd3cd466568aeb98705f61eb90c28a51e5482253
CryptXXX v2.006 | 90b940f48cdd8dfa44a03b02c25ec04fed48d764b253f0707e6f288a72888144
CryptXXX v2.006 | 90cbdab6279440a7f4b3808fb0ab92f90fd7f8986f4e9e535174900aba9f963a
CryptXXX v2.006 | 919bc35f84a87f35256e097254909538f116a69c49df820b658a5a540657b01c
CryptXXX v2.006 | 9284486f46c0d1bf6fcd17f66db10f7f3bd2a3fb8d8b48f186aff5abd703b74e
CryptXXX v2.006 | 92e85b0a3dfa3dfc55cfaa51056b3009b4c908c24034915233149f5ffcae0ab6
CryptXXX v2.006 | 944c2fd7c6e6bc9ba056621eb4f00b23f17cb72695cd1dd6f5d908d125ce8b92
CryptXXX v2.006 | 951ccd4e08fbb43e5cd22f82ba1f5f8e094dffe7c10eb7cffac398aa508c39e6
CryptXXX v2.006 | 99aeb560616f7c6beead980f480bf646490f7b02f6a09c256ea10e837a5d2a55
CryptXXX v2.006 | 9c66a35ce815c27c6d947decda0c57fb9107e1e460d2bd0a457567b92d8f02a4
CryptXXX v2.006 | 9dfafb0e38da3b7fb7b4a8a44d3125040b180918c4f1aed89e41a0d8e7aaacc4
CryptXXX v2.006 | 9ff35f24d8e64114bc9556e14419122a25c494fd0f58419819d99a152c186aa1
CryptXXX v2.006 | a033b20e4ab914bab3babfc8ddcac41d32a2253e943462b94443087a07a84a13
CryptXXX v2.006 | a3067f35c5910d882cf4a0c359701ec013e1c0e3ec0f85e3508e5f6dc357a6d0
CryptXXX v2.006 | a7a7aef5d3ae2fe9f475887b094a1d67ce7687bd284cbbff4d4ccc8c91f431db
CryptXXX v2.006 | a7ff0ea0aa36c303eb3cd234b4e10a05856bc79c7284448fd30fc92fa73dd985
CryptXXX v2.006 | a9320a99d64280d5054ae05bd7f4e32e51ef97b7f3723923c0c3d6a159c6f78f
CryptXXX v2.006 | aa16376e1c3b7031d01911a43109322dcb6bec1e590e5d9d91f2a3d4ea5fba23
CryptXXX v2.006 | abfbae6865cd4b88a8789984f5dfff5180354c4282af2b7823de3121a9fa36b7
CryptXXX v2.006 | ac930b24c7dc5a72893f7e3131e31623e770cab35506b53b6516520ee5094d86
CryptXXX v2.006 | adff9d5654ffa72ce93173014833a11402d1a5fb2c1dfc26634d7daf71cd939e
CryptXXX v2.006 | ae6bdddc45fb32322b01ccf9f130c30e54b90d1b2969a8cda87ac9b03d9c1e27
CryptXXX v2.006 | b052bb9175fb24a78f12fc886115a2ef4fe41f1d3d299c4173c51e6bf8aa9f6c
CryptXXX v2.006 | b48f795b0717ad1ebede18352da340d5640c2cb4ca8aaec6548063b43bbeb9fe
CryptXXX v2.006 | b4969ddc0695c36b37940b7dfab55483fe4e5f941aab6614146fa1725471904f
CryptXXX v2.006 | b8d12c71c0c6d7d191ab99780357d119b35973010530c9ba05e4cfaed1a90f42
CryptXXX v2.006 | bb49103bfa95b074d0004f214d94ba12866227d399237814a2631c3788c24fb7
CryptXXX v2.006 | bc1f7d7fbca468bedc028e163ec91521d900e846974ac71993e9908ba8852f7b
CryptXXX v2.006 | bcaec4c50df0dc454163158b7811a0c855edfbe1c6ab92bf10f866bb6bfc8203
CryptXXX v2.006 | bea1833d9dc56303cdaadbd5f8f64f39a882813da7c73209922bf58ef220da1a
CryptXXX v2.006 | bec4a3a48c6b6392ade784e368bda92180b26c663bb7414285ef40c4752da297
CryptXXX v2.006 | bff1db5b8e791cca6cc63da07d9218fde521ecca46599a973af55aa22927eb4a
CryptXXX v2.006 | c0b7f6a62122072da4e1c29c3a9cebe5a39f2c12b86173a3784427a94ad200fa
CryptXXX v2.006 | c0fa3a506fc941520a6b57edad663103391ad46ee51febb1161a9d07ff4ee263
CryptXXX v2.006 | c27873c492ce96019a103bc7d5aaf405846dc41cc65b139171ee624c6d35031e
CryptXXX v2.006 | c41df74b1214da762b9e682a6f2d08e6c349cdb093d141b8d7c9591f0c1bdb4c
CryptXXX v2.006 | c5ec99a6a26ea8fdb236615ef0e86391ee937db7fed0be0e96117b40b5283e93
CryptXXX v2.006 | c6dd856a1a8d409282979ae29483a2c43e553696afaaac8b12eb53f808cdbae0
CryptXXX v2.006 | c8f00898456bc4e8b7201a8404b60bc49325b9ead9f75ab31b0744a102d1b906
CryptXXX v2.006 | c9969f4dee053c0a2102cfef4d15f70c330e84534fec6abd01be2bca0da9aaa5
CryptXXX v2.006 | cd595dbfde3eedd6eacaf4ef8f84b6a691b32bf1501b2ef1b2dead78d6ee9029
CryptXXX v2.006 | cfee7bee198da177b28c4c9ae15ce6cf81737b297be9978c4e5d726f8282fe87
CryptXXX v2.006 | d18e18cbea00bd86297e592b30bca9aa200d0a883236b649ad72f5cb6d24a96a
CryptXXX v2.006 | d3a7426fed76a176c37c05723079296f6493d8cace9940951d3943d4f16691b9
CryptXXX v2.006 | d4121554cb193932576f3d0b0650ce77536fd5fcda048d7c9d7a59864f59e980
CryptXXX v2.006 | d49748f47aa76a2d464b16749dd40290b284dcb2d08a1abd0259286a3453980a
CryptXXX v2.006 | d6406c49d4074754590c5dd4ab756c4ee59005c6fa092f2d39aa3533573e2fc7
CryptXXX v2.006 | d6ca272ee8ddbd878810e8eb9173835cf54ce56da633fd893063c28e73a69dcd
CryptXXX v2.006 | d71ad1ada7a601db025c95cbfa50edaf985f0dd459516bf2906f37b7c960253f
CryptXXX v2.006 | d729a04612626023132831c9f028143083b85c568ae7784edcb63bfbc1d59740
CryptXXX v2.006 | db006c0662796053e9bdbb4962546cd9e93a37a27222d70fb0d9a5f468929176
CryptXXX v2.006 | db333d373158453a2c7b602a0dd792a7745434711f02f8056f0c73ccd103ffb5
CryptXXX v2.006 | dc713e3b72537300cbb356940553d91461b01c7ce4a52ae721306195783ceadd
CryptXXX v2.006 | df371247860482f8f889d63a2dd8e6c8a2261f5ce62f1b23e6dd1abf3e0404ae
CryptXXX v2.006 | e07ff347a27eb18a9863fab951d218dcfec84e19623d8c2826bc0268fdb79450
CryptXXX v2.006 | e10befa1a9334510905af507f217cf14fa3f33c19245ac435a688a9cfbfc0424
CryptXXX v2.006 | e1d57fcb93ee6d86f53c7bdb1e5fad877cbcf29c939a9b22b412fdbe7258ef8c
CryptXXX v2.006 | e22bf15f81a3af153c7670adde6ecc4735fc98587ac3fac132d497490ee5a134
CryptXXX v2.006 | e42093d450761a13de73a108124a4266441af935a7ab76c967bca0752aa7cf65
CryptXXX v2.006 | e423599e0cc48a61aac2adb93096a24e39ca870430fc4cbb5003f4187faa0d2c
CryptXXX v2.006 | e4a404bc544181ca33f6a0bd3516b3d14aa94ba14e470c6836e50ed2057b1cf1
CryptXXX v2.006 | e4cc284cfe8770645f3225c56eeb00927dea5013f5404e3685d66e177bb9c522
CryptXXX v2.006 | e58f303e3dd817321e47c8e4291ad03c9f83e2d5ddd84371e83db05d76bbe4d8
CryptXXX v2.006 | e77fecc5d0f9d17a091e1f2a95763d938f38dbfbd5f316dc2db49eed9af434f4
CryptXXX v2.006 | e98933476273d9d9a49cf6f2bb0a9004f138eb2f9d7358c61b666fc2f74b332f
CryptXXX v2.006 | ea4f132c1bf7088036390b256b5964d243a551a78b792a2b93a271cbb9ee8932
CryptXXX v2.006 | efbdb9b90ddcf73317adfcd3d6964be56c147472c8f27b1069cc992e2560ea53
CryptXXX v2.006 | f0ad5f131775fdf9c76742d7941af62f87e8b21670e59e2a9e7d5bae97a5fe04
CryptXXX v2.006 | f5c99e16737e6db6de5b0e9379ed084fead9259856db21fb7787a5063fa5fa42
CryptXXX v2.006 | f705a10f78e258ec861e53e9ed31217234f15bfdc03fff2c00c339545a22f9c2
CryptXXX v2.006 | f70c9c5dbc072b7696b11b5d50f7d440d1a7f34c8782a526f21848dbb71ab23e
CryptXXX v2.006 | fb2bfa8256c7a985f5d395af8af33207d36ff8447c60bcd23794386fef205d8f
CryptXXX v2.006 | fb3ff63005317c879ca922d8e86ebf6cbb61e8766a4e3cc38ac87ca448af58c4
CryptXXX v2.006 | fd40fb3622c6f4f2c746869f889b63b68e9bb553c4d0f3c65b84b13e642a1674
CryptXXX v2.006 | ffd6489aa896b8423b420c0d186c5aa1b55cfe05712a4b2a7e9435af50ba5396
CryptXXX v3.0 | 1830f0ec353f1f50118a8aaebd0fe92f7148719e8be43bae182e100ba6c6ff50
CryptXXX v3.0 | 236a231c6f852d947deb068e70f37cfed4f8b0f5adfd8ad7a955224e2f79b384
CryptXXX v3.0 | 2ee11a8a8b657ce211ee449eb2e465c1a38029a180a48f32e4b876a879383e9a
CryptXXX v3.0 | 4e3f4efec0214a1b83932e10c4af61b4ed568da3105d0cc520576e1d3b7e529e
CryptXXX v3.0 | 5f0ab67ca970c1db70d195eab5a583ed9114b8afa215337c4711a01afea1b5f2
CryptXXX v3.0 | 6b0134c8b4d8b346ee96ea502f128feec20407664bbe2dc0e83536627c95649b
CryptXXX v3.0 | 6f9b97c5374d8634f29e33c5b465ff3c85dbe2302e2684f105446aec0342173f
CryptXXX v3.0 | 778c259e1388eaae60953c92b55274d7502335c08d14113fd9775c797e3b94ee
CryptXXX v3.0 | 7cb5c8aebf13b499e24e9564a5f61542873d18a16befdbc3a351851c2200ba27
CryptXXX v3.0 | 7de6586e31ebbc7ded107686e478a02fcdcdaeb57944153a76d35e2eecd233e4
CryptXXX v3.0 | 83fc42ddc4d64a26585a5aaf64fd31eb9abf6955818cb9ddc890c0e55cf367fb
CryptXXX v3.0 | 88a89c748fd1138de9954674bec7ed0ac86e3b28f28f16f48492868820f35c18
CryptXXX v3.0 | 8db1566c369101175be51ddcfd2a3156b308a7307cf9b445e5a5a536c7ab842a
CryptXXX v3.0 | b0a52da5028b35e1d975eec65e0d31a9d93fa4399706eab0d7ac76258e10d664
CryptXXX v3.0 | c91a9c5770a8fd75b17e49c0125c45ffd567df93f1fdda27656e61cd980b91c7
CryptXXX v3.0 | cad7b946ac67a2178cdb110569caabbea494410be986c999af81216de6aef7e8
CryptXXX v3.0 | d430e7d810f1b1b83fbf473b1c10af84608f41889e1f2b5cd305ca94f2e97c67
CryptXXX v3.0 | d95cb5a01736761ec76b9b89710f19d800e389331354ec4b51672830ec315d10
CryptXXX v3.0 | e5b0a5956095f438ef806d4d13eab6ce6dc5fd3566c28e50d79da49658053760
CryptXXX v3.0 | e8f91ce5be4cd96f2deb2b534327b26399e63b76994b61eec31431104daa8de1
CryptXXX v3.0 | ec02f6fbe9a8aeedc4ac31fe9dad44130d2c25b185b0afe74740697c1fee7579
CryptXXX v3.0 | ee4f57770b7d83d440dadf8f79054cedfd2a72c081c133e3cbffed98729f860e
CryptXXX v3.0 | fa3fff2ebd4a7d3e94256946d8c0c29724526c0e8d027b904afb0a9827de5b6f
CryptXXX v3.0 | ff829b249df9ddc88eef8293cd25657017514fd7c17c9eefb1062f70bce525c4

IP Address |
---|
69.64.33.48 |
217.23.13.153 |
144.76.82.19 |
85.25.194.116 |
93.170.187.64 |
Would you recommend IP blocking to ward off this type of attack or do the C&C servers change so fast it isn’t worth the effort?
Unfortunately blocking the C&C server in the case of CryptXXX would not prevent encryption due to the fact that they are shipping the keys used for encryption with the binary itself, as mentioned in the post. This is not the case, however, with all variants, which typically request a public key from a C&C server. Blocking in that case would prevent encryption.
Great analysis!