
SANS Internet Storm Center: InfoSec Handlers Diary Blog


Traffic Patterns For CryptoWall 3.0

Published: 2015-01-19
Last Updated: 2015-01-19 16:39:16 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

This is a guest diary submitted by Brad Duncan.

Various sources have reported that version 3 of CryptoWall has appeared [1] [2] [3].  This malware is currently being distributed by exploit kits and phishing emails.  CryptoWall is one of many ransomware trojans that encrypt the personal files on your computer and demand a bitcoin payment before you can unlock them.

I got a sample on Wednesday, January 14th 2015 while infecting a virtual machine (VM) from a malicious server hosting the Magnitude exploit kit.

If you're registered with, you can get a copy of this CryptoWall 3.0 sample at:

Let's look at the traffic from my infected VM:

In this example, the infected VM first checked its public IP address.  Then the VM communicated with a server at over a non-standard HTTP port.  In this case it was port 2525, but I saw different ports on other hosts I've infected with this sample.

Finally, the user viewed a web page for the decrypt instructions at

When monitoring the infection traffic with Security Onion [5], we see an EmergingThreats alert for CryptoWall check-in [4].
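The sequence above (a public IP lookup followed shortly by HTTP to a non-standard port) can be turned into a behavioural check independent of any one signature. The following is an added example and is not code from the diary or from Security Onion: it parses constructed Zeek-style http.log lines (RFC 5737 test addresses, not the traffic captured here) and flags any client that contacts an assumed list of public-IP lookup services and then, within a configurable window, sends HTTP to a port outside an assumed set of standard HTTP ports. The host list, port set and window are assumptions to tune from your own traffic.

```python
"""
Heuristic detector for the CryptoWall 3.0 traffic sequence: a host looks up
its public IP, then talks HTTP to a server on a non-standard port.
Added example, not part of the original diary. Input is a Zeek-style http.log
(tab-separated) built inline from a constructed sample.
"""
from collections import defaultdict

# Assumed list of public-IP lookup services; the diary does not name the one
# this sample used, so extend it from your own traffic.
IP_CHECK_HOSTS = {"ip-addr.es", "ipinfo.io", "icanhazip.com", "checkip.dyndns.org"}

# Assumed ports on which plain HTTP is expected; anything else is non-standard.
STANDARD_HTTP_PORTS = {80, 8080, 8000, 443}

FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "host", "uri")


def parse_http_log(text):
    """Parse tab-separated Zeek-style lines into dicts, skipping '#' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed line: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        rec["resp_p"] = int(rec["resp_p"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect_cryptowall_pattern(records, window_s=300):
    """Return one alert per (client, server, port) where the client performed a
    public-IP lookup at most window_s seconds before HTTP to a non-standard port."""
    ip_checks = defaultdict(list)  # client -> timestamps of IP lookups
    alerts = []
    seen = set()
    for rec in records:
        client = rec["orig_h"]
        if rec["host"] in IP_CHECK_HOSTS:
            ip_checks[client].append(rec["ts"])
            continue
        if rec["resp_p"] in STANDARD_HTTP_PORTS:
            continue
        # Non-standard HTTP port: was there a recent IP check by this client?
        recent = [t for t in ip_checks[client] if 0 <= rec["ts"] - t <= window_s]
        if not recent:
            continue
        key = (client, rec["resp_h"], rec["resp_p"])
        if key in seen:  # report each client/server/port triple once
            continue
        seen.add(key)
        alerts.append({
            "client": client,
            "server": rec["resp_h"],
            "port": rec["resp_p"],
            "ip_check_ts": max(recent),
            "checkin_ts": rec["ts"],
            "uri": rec["uri"],
        })
    return alerts


# Constructed sample log using RFC 5737 test addresses; not traffic from the diary.
# 192.0.2.10 shows the pattern; .20 browses normally; .30's IP check is too old.
SAMPLE_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\thost\turi
1421251200.0\t192.0.2.10\t198.51.100.5\t80\tip-addr.es\t/
1421251205.5\t192.0.2.10\t203.0.113.77\t2525\t203.0.113.77\t/
1421251300.0\t192.0.2.10\t203.0.113.77\t2525\t203.0.113.77\t/
1421251210.0\t192.0.2.20\t198.51.100.9\t80\twww.example.com\t/index.html
1421251220.0\t192.0.2.20\t198.51.100.9\t8080\tproxy.example.com\t/
1421251230.0\t192.0.2.30\t198.51.100.5\t80\ticanhazip.com\t/
1421252000.0\t192.0.2.30\t203.0.113.88\t8443\tmail.example.com\t/owa
"""

if __name__ == "__main__":
    for alert in detect_cryptowall_pattern(parse_http_log(SAMPLE_LOG)):
        print(alert)
```

The window matters: with the default 300 seconds only 192.0.2.10 is flagged, while widening it to 1000 seconds also catches 192.0.2.30's later odd-port request, so expect more noise from legitimate services on unusual ports as the window grows. Treat a hit as a pivot for pulling the full session from your sensor, not as a verdict; the EmergingThreats signature remains the authoritative match for known check-in traffic.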

The decryption instructions specify the following bitcoin account for a ransom payment:  1GJRTp9YRKFEvzZCTSaRAzrHskFjEwsZy

Here's what the user would see on their desktop screen:


Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at



