2015-09-29 - ANGLER EK FROM 85.25.102[.]2 SENDS CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSSOCIATED FILES:

• 2015-09-29-Angler-EK-sends-CryptoWall-3.0-ransomware-traffic.pcap.zip
• 2015-09-29-Angler-EK-and-CryptoWall-3.0-ransomware-files.zip

 

NOTES:

• Bitcoin address for this CryptoWall 3.0 sample's ransom payment was:  12DEX1ynovnDVwXJ55hkVWQdE8E7gVFHQk

 

• Can't share the compromised website this time; however, the injected script from the comrpomised website looks different than we've seen before (way more obfuscated).

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 85.25.102[.]2 port 80 - fleyedlysheetlightning.arrisonsoccermanagement[.]com - Angler EK
• ip-addr[.]es - IP address check by CryptoWall 3.0 ransomware
• 5.196.22[.]116 port 80 - enbuscade[.]org - CryptoWall 3.0 ransomware check in
• 66.96.160[.]134 port 80 - healthyairmasters[.]com - CryptoWall 3.0 ransomware check in
• 108.167.140[.]125 port 80 - waterdamagefortlauderdale[.]info - CryptoWall 3.0 ransomware check in

 

INFECTION TRAFFIC:

• 2015-09-29 18:02:45 UTC - fleyedlysheetlightning.arrisonsoccermanagement[.]com - GET /civis/viewtopic.php?t=2841&f=3.59119jql3zg24i6

• 2015-09-29 18:02:49 UTC - fleyedlysheetlightning.arrisonsoccermanagement[.]com - GET /morning.lasso?datum=emyJ&read=&water=jPdykQBqx_&finger=
  KqY_Dp5xz&image=RORd_32n&where=mlDXgledc&before=PE9Oozhn

• 2015-09-29 18:02:49 UTC - fleyedlysheetlightning.arrisonsoccermanagement[.]com - POST /civis/boy.html?section=cThjo7YE3&soon=nXexCRfw&often=
  QWW9uFNy&Congress=4-Y8&nor=ENfc0&permit=pVq8f8fhd&afternoon=_OiWv

• 2015-09-29 18:02:49 UTC - fleyedlysheetlightning.arrisonsoccermanagement[.]com - GET /morning.lasso?datum=emyJ&read=&water=jPdykQBqx_&finger=
  KqY_Dp5xz&image=RORd_32n&where=mlDXgledc&before=PE9Oozhn

• 2015-09-29 18:02:53 UTC - fleyedlysheetlightning.arrisonsoccermanagement[.]com - GET /human.jspa?necessary=&anyone=VRP-NcO&announce=&husband=
  EGMGDNYOj&interact=&state=x5AC&ride=&force=W64HO1&never=7V68xida&director=TpPce4U&way=B_kB539

• 2015-09-29 18:02:57 UTC - fleyedlysheetlightning.arrisonsoccermanagement[.]com - GET /division.asp?or=&because=epk¢er=&late=pWQ8_ixS86&
  within=l_Xj&mean=RDPKqwa&sit=41x4RNjsUAk5CepXvyyOVLLT

 

POST-INFECTION TRAFFIC:

• 2015-09-29 18:02:58 UTC - ip-addr[.]es - GET /
• 2015-09-29 18:02:59 UTC - enbuscade[.]org - POST /documentos/2014/05/3.php?n=6q3ic0r9dhbc7p
• 2015-09-29 18:03:00 UTC - healthyairmasters[.]com - POST /Demo_Preliminar_helths/wc-logs/3.php?h=6q3ic0r9dhbc7p
• 2015-09-29 18:03:02 UTC - waterdamagefortlauderdale[.]info - POST /wp-content/cache/1.php?v=6q3ic0r9dhbc7p
• 2015-09-29 18:03:05 UTC - enbuscade[.]org - POST /documentos/2014/05/3.php?u=w1dwewim23umbv
• 2015-09-29 18:03:07 UTC - healthyairmasters[.]com - POST /Demo_Preliminar_helths/wc-logs/3.php?h=w1dwewim23umbv
• 2015-09-29 18:03:08 UTC - waterdamagefortlauderdale[.]info - POST /wp-content/cache/1.php?d=w1dwewim23umbv
• 2015-09-29 18:03:11 UTC - enbuscade[.]org - POST /documentos/2014/05/3.php?b=pj85z9h54ak0y5g
• 2015-09-29 18:03:12 UTC - healthyairmasters[.]com - POST /Demo_Preliminar_helths/wc-logs/3.php?z=pj85z9h54ak0y5g
• 2015-09-29 18:03:13 UTC - waterdamagefortlauderdale[.]info - POST /wp-content/cache/1.php?s=pj85z9h54ak0y5g
• 2015-09-29 18:03:21 UTC - enbuscade[.]org - POST /documentos/2014/05/3.php?h=5zn31596n476wy0
• 2015-09-29 18:03:23 UTC - healthyairmasters[.]com - POST /Demo_Preliminar_helths/wc-logs/3.php?c=5zn31596n476wy0
• 2015-09-29 18:03:23 UTC - waterdamagefortlauderdale[.]info - POST /wp-content/cache/1.php?o=5zn31596n476wy0

 

Click here to return to the main page.