Tuesday, March 10, 2015

Getting CryptoWall and CryptoDefense working without C&C

It's common to find malware samples that need their C&C in order to work. This is the case with the CryptoWall and CryptoDefense ransomware families. If you need to debug samples of these families you will usually find the C&C down, so the ransomware won't run and won't encrypt any files: it only keeps trying to reach the C&C.

In this article I'm going to describe a way to create a fake C&C for the CryptoWall and CryptoDefense families, and how to get samples of these families working inside a VM (VMware, for example).

First, we need to redirect every connection the ransomware makes to our own server. Depending on the sample they contact different domains, so we need to answer every DNS query with the address of our fake server.

We will use metasploit's fakedns module for this purpose:

msf > use auxiliary/server/fakedns
msf auxiliary(fakedns) > set TARGETACTION FAKE
msf auxiliary(fakedns) > set TARGETDOMAIN *
msf auxiliary(fakedns) > set TARGETHOST

With these commands (once the module is started with run) we have a DNS server that resolves every query to the address given in TARGETHOST. An Apache server will be running on that IP address. The analysis VM must use the fakedns host as its DNS server, and it should sit on an isolated (host-only) network so that nothing can reach the real C&C.

Second, we need to send every request that reaches our HTTP server, whatever the URI, to the same document. We can do this with mod_rewrite by adding these lines to httpd.conf (the RewriteCond keeps the rule from rewriting index.php onto itself in a loop):

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/index.php
RewriteRule . /index.php

Now we can implement the PHP that gives the ransomware the responses it needs in order to work.


CryptoWall uses a query/response mechanism to talk to the C&C, and the communications are encrypted with RC4. The CryptoWall client connects to the C&C HTTP server; the URI is the RC4 key with its characters in a random order (you have to sort them in ascending order to recover the key), and the client sends the query data in the body of a POST request. So, to decrypt a query, take the RC4 key from the URI, sort it, and decrypt the POST content with it.

Example query:

8    0.218529    HTTP    156    POST /w72sh29mlo HTTP/1.1  (application/x-www-form-urlencoded)
Here we can see a complete communication extracted from a pcap file:

The string before the comma is the RC4 key (the URI path); the string after the comma is the POST data.

We can decrypt it with the script in the section Code 1 at the end of this article.

The decrypted queries/responses:

response:{250|kpai7ycr7jxqkilp.onion|75a5|ES|-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----}

We only need to imitate this exchange in our PHP to get CryptoWall working.
You can find a working PHP file in the section Code 2 at the end of this article.


CryptoDefense communications are very similar to CryptoWall's: it uses the same query/response mechanism encrypted with RC4, so we can use the same Python script to decrypt them. Here is a sample decrypted communication:


With CryptoDefense we only need to respond with "OK" and the client starts encrypting.
The PHP file in the section Code 2 at the end of this article works for both CryptoWall and CryptoDefense.
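As an added example (this is not the post's own Code 1 or Code 2), the following Python puts both halves of the method together: the RC4 decryption with the key recovered by sorting the URI, and a fake C&C that applies it to every incoming POST and answers with a CryptoWall-style or a CryptoDefense-style reply encrypted under the same key. It assumes, since the post does not say so explicitly, that the POST body and the reply are hex-encoded RC4 ciphertext. The .onion address and the two identifiers in the reply are the ones from the decrypted response above; the RSA public key is a placeholder that you must replace with a key you generate yourself, and the query used in the self-check is constructed.

```python
# Added example, not the post's Code 1 / Code 2: RC4 decryption of CryptoWall-style
# traffic and a minimal fake C&C built on the standard library only.
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_uri(path: str) -> bytes:
    """The request path is the RC4 key with its characters shuffled; sorting
    them in ascending order recovers the key (/w72sh29mlo -> 2279hlmosw)."""
    chars = path.split("?", 1)[0].strip("/")
    if not chars:
        raise ValueError("empty path, no key to recover")
    return "".join(sorted(chars)).encode()


def decrypt_message(path: str, body_hex: str) -> str:
    """Decrypt a POST body or a reply given the URI it travelled under.
    Assumption (the post does not state the encoding): the ciphertext is hex."""
    return rc4(key_from_uri(path), bytes.fromhex(body_hex)).decode("latin-1")


def encrypt_message(path: str, plaintext: str) -> str:
    """Inverse of decrypt_message, used to build replies under the same key."""
    return rc4(key_from_uri(path), plaintext.encode("latin-1")).hex()


# Replies modelled on the decrypted traffic in the post. The .onion address and
# the two identifiers are the ones shown there; the public key is a PLACEHOLDER
# and must be replaced with a real RSA public key you generated yourself
# (for example: openssl genrsa 2048 | openssl rsa -pubout).
PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
CRYPTOWALL_REPLY = "{250|kpai7ycr7jxqkilp.onion|75a5|ES|" + PUBLIC_KEY_PEM + "}"
CRYPTODEFENSE_REPLY = "OK"


def build_reply(path: str, body_hex: str, family: str = "cryptowall"):
    """Return (decrypted query, hex-encoded encrypted reply) for one client POST."""
    query = decrypt_message(path, body_hex)
    reply = CRYPTODEFENSE_REPLY if family == "cryptodefense" else CRYPTOWALL_REPLY
    return query, encrypt_message(path, reply)


class FakeC2Handler(BaseHTTPRequestHandler):
    """Answers every path itself, so no web-server rewrite rule is needed in front."""
    family = "cryptowall"

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("ascii", "replace").strip()
        try:
            query, reply_hex = build_reply(self.path, body, self.family)
        except ValueError:                     # bad path or non-hex body
            self.send_error(400)
            return
        print(f"[{self.client_address[0]}] {self.path} -> {query}")
        data = reply_hex.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # usage: python fake_c2.py [cryptowall|cryptodefense]; binds port 80 on the
    # TARGETHOST address handed out by fakedns, so run it as root on that machine.
    FakeC2Handler.family = sys.argv[1] if len(sys.argv) > 1 else "cryptowall"
    HTTPServer(("0.0.0.0", 80), FakeC2Handler).serve_forever()
```

Run it on the TARGETHOST machine instead of Apache and the PHP file (it handles every path itself, so the mod_rewrite lines are not needed in that case), passing cryptodefense as the first argument to answer with "OK". The decrypted query of every request is printed, which is the same information the Python decryption script gives you from a pcap, but live.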

Code 1. Python script to decrypt CryptoWall communications

Code 2. PHP fake CryptoWall/CryptoDefense server
