2016-01-17 - ANGLER EK FROM 31.148.99.125 SENDS CRYPTOWALL

PCAP AND MALWARE:

Shown above:  Windows desktop after this CryptoWall infection.


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

ADDITIONAL CRYPTOWALL DOMAINS FROM MALWR.COM ANALYSIS:

DOMAINS FROM THIS CRYPTOWALL SAMPLE'S DECRYPT INSTRUCTIONS:


COMPROMISED WEBSITE:


Shown above:  Injected script in page from compromised website.

Angler EK:


POST-INFECTION TRAFFIC:


SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):


Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.8.0 on Debian 7:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2016-01-17-Angler-EK-flash-exploit.swf
File size:  127.0 KB ( 130068 bytes )
MD5 hash:  946d794afc8cb0e8d597180bcf3ae720
SHA1 hash:  2cf84c3ddd400d4acb54214269addb0c8ac58b2c
SHA256 hash:  35a24b00f94125a25279791159059a9bc768e9b4bdea8b71960f82dc117e4aea
Detection ratio:  2 / 54
First submission:  2016-01-18 16:23:19 UTC
VirusTotal link:  click here


MALWARE PAYLOAD:

File name:  2016-01-17-Angler-EK-payload-CryptoWall.exe
File size:  460.5 KB ( 471552 bytes )
MD5 hash:  58006b9382d532f82535454e78c8ad7c
SHA1 hash:  c399026473b23a211208a13224029f710458255e
SHA256 hash:  99990573b7c92062663438575d431c5823252a1c523ba9977c2a236ad2484a1e
Detection ratio:  10 / 53
First submission:  2016-01-18 03:19:24 UTC
VirusTotal link:  click here
Malwr link:  click here   [ pcap here ]
Hybrid-Analysis link:  click here


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.