Hello,
I have a task to find out how CryptoWall managed to get onto a computer; the current system is Windows XP with Service Pack 3. With log2timeline I found that the file which causes the encryption was created on 09/03/2015 in the location "C/Documents and Settings/Administratore/Application Data/vcwhds.exe", and from then on all documents were encrypted. At first I thought it came from mail, so Outlook Express was checked, but no messages with attachments that could cause it were found.
Well, now my question is how to find out where it came from. Maybe some suggestions on how to find that out?
Thanks for any response.
P.S. Sorry for my poor English.
Got web access logs or pcaps? Look there.
No pcaps. But looking through all the internet history, there are no websites that could cause it, just everyday working sites. Somehow at the start I thought it came from a mail message which was deleted from the inbox and the deleted catalog, but other messages are left in the deleted catalog, so the chances are quite low, because that user is not very talented at doing such things.
"C/Documents and Settings/Administratore/Application Data/vcwhds.exe"
Have you looked at the timeline for other file activity immediately before that file was created?
My understanding of CryptoWall is that it's a Trojan, and they generally need some sort of human interaction to activate, i.e. opening an infected attachment or file, clicking on a link, etc.
This may give you a hint as to what the user was actively doing whether it was email or possibly downloading something from the internet, or even a USB device.
But looking through all the internet history, there are no websites that could cause it, just everyday working sites.
I might start looking at an SWC…strategic web compromise. A legit site is compromised and the code to redirect to an exploit kit is included in pages that are visited.
Somehow at the start I thought it came from a mail message which was deleted from the inbox and the deleted catalog, but other messages are left in the deleted catalog, so the chances are quite low, because that user is not very talented at doing such things.
I'd go back to the timeline, and start by looking at what was included in the timeline. Then, per the previous suggestion, look for files created around the same time or shortly before, particularly any in the "Temporary Internet Files" path.
You mentioned in your first email that Outlook Express was checked…is that the email app used? Did you also look for indications of access to Yahoo! or GMail?
A quick Google search indicates that, like most of this stuff, multiple delivery methods can be used. In addition to checking which email app the user actually used, I'd look to see which browser they used as well.
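The timeline pivot suggested above, as an added example that is not from the thread or any of its posters: it parses a log2timeline l2tcsv export (the rows are constructed sample data, not evidence from this case), lists what was created in the minutes before vcwhds.exe appeared, and flags anything under the browser cache, Temp or Outlook Express paths. The 10-minute window, the flagged path fragments and the sample column values are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Locations worth a closer look on an XP box (assumption; extend for your own case)
HOT_PATHS = ("Temporary Internet Files", "Local Settings/Temp", "Outlook Express")

# Constructed sample in l2tcsv layout (dates are MM/DD/YYYY in this format); not real evidence
SAMPLE_CSV = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
09/03/2015,10:41:02,UTC,...B,FILE,File stat,Creation Time,-,XPBOX,cache,Cached page,2,/Documents and Settings/Administratore/Local Settings/Temporary Internet Files/Content.IE5/A1B2C3D4/invoice[1].htm,1201,-,filestat,-
09/03/2015,10:41:09,UTC,...B,FILE,File stat,Creation Time,-,XPBOX,temp,Temp file,2,/Documents and Settings/Administratore/Local Settings/Temp/tmp3F.tmp,1202,-,filestat,-
09/03/2015,10:41:15,UTC,...B,FILE,File stat,Creation Time,-,XPBOX,exe,Dropped binary,2,/Documents and Settings/Administratore/Application Data/vcwhds.exe,1203,-,filestat,-
09/03/2015,09:55:00,UTC,...B,FILE,File stat,Creation Time,-,XPBOX,txt,Old file,2,/Documents and Settings/Administratore/My Documents/notes.txt,1100,-,filestat,-
09/03/2015,10:45:00,UTC,M...,FILE,File stat,Content Modification Time,-,XPBOX,doc,Encrypted later,2,/Documents and Settings/Administratore/My Documents/report.doc,1300,-,filestat,-
"""


def load_events(text):
    """Parse l2tcsv text into dicts with a real datetime under 'ts', oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(f"{r['date']} {r['time']}", "%m/%d/%Y %H:%M:%S")
    return sorted(rows, key=lambda r: r["ts"])


def events_before(rows, pivot_name, window=timedelta(minutes=10)):
    """Find the creation (B) event of pivot_name and return it together with
    every event that falls inside `window` before it, oldest first."""
    pivot = next(r for r in rows
                 if r["filename"].lower().endswith(pivot_name.lower())
                 and r["MACB"].endswith("B"))
    start = pivot["ts"] - window
    return pivot, [r for r in rows if start <= r["ts"] < pivot["ts"]]


def flag_hot(events):
    """Return the filenames that sit under one of the HOT_PATHS locations."""
    return [r["filename"] for r in events
            if any(h in r["filename"] for h in HOT_PATHS)]


if __name__ == "__main__":
    pivot, before = events_before(load_events(SAMPLE_CSV), "vcwhds.exe")
    print(f"pivot: {pivot['ts']} {pivot['filename']}")
    for r in before:  # everything written in the window before the dropper appeared
        print(f"  {r['ts']} {r['MACB']} {r['filename']}")
    print("flagged:", flag_hot(before))
```

Run it against your own psort/log2timeline CSV by replacing SAMPLE_CSV with the file contents and widening the window if the events are sparse.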
If not done, it could be worth analyzing $LogFile to see what transactions occurred on the filesystem at the time of infection. There may or may not be any.
Only relevant if the filesystem is NTFS, though.