2016-02-03 - EITEST ANGLER EK SENDS HYDRACRYPT RANSOMWARE

PCAP AND MALWARE:


NOTES:

Shown above:  A Windows desktop after getting infected with HydraCrypt.

Shown above:  The image/window that appeared on the Windows desktop after the infection.

Shown above:  The instructions in a text file left on the infected Windows host.


TRAFFIC

ASSOCIATED DOMAINS:

Shown above:  Traffic from the infection, filtered in Wireshark.


COMPROMISED WEBSITE AND EITEST GATE:


ANGLER EK:


POST-INFECTION TRAFFIC:


SNORT/SURICATA EVENTS

Significant signature hits from Suricata using the Emerging Threats Pro ruleset on Security Onion:

Significant signature hits from the Talos (Sourcefire VRT) registered ruleset using Snort 2.9.8.0 on Debian 7:


PRELIMINARY MALWARE ANALYSIS

ANGLER EK MALWARE PAYLOAD (HYDRACRYPT):

File name:  2016-02-03-EITest-Angler-EK-payload-HydraCrypt.exe
File size:  164.0 KB ( 167,936 bytes )
MD5 hash:  08b304d01220f9de63244b4666621bba
SHA1 hash:  b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256 hash:  afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
Detection ratio:  1 / 53 (at the time of submission)
First submission:  2016-02-03 21:24:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e/analysis/
Malwr link:  https://malwr.com/analysis/MTNjMjFkOTgzZjYwNDM0YTgyY2UyNmE5MGNhMTA5YmU/


Shown above:  Encrypted files were renamed, ending with .hydracrypt_ID_[8 character string].
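As an added example (not code from the original post), a small Python helper that flags files renamed with the .hydracrypt_ID_ suffix described above and checks a file's digests against the payload hashes listed in the analysis section. The sample file listing is constructed, and the assumption that the 8-character string is alphanumeric is mine; the post only gives its length.

```python
import hashlib
import re
from pathlib import Path

# Naming pattern seen on the infected host (from the post):
# <original name> + ".hydracrypt_ID_" + an 8-character string.
# Assumption (not stated in the post): the 8 characters are alphanumeric.
HYDRACRYPT_SUFFIX = re.compile(r"\.hydracrypt_ID_[A-Za-z0-9]{8}$")

# Digests of the Angler EK payload as listed in the post.
PAYLOAD_HASHES = {
    "md5": "08b304d01220f9de63244b4666621bba",
    "sha1": "b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6",
    "sha256": "afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e",
}


def is_hydracrypt_name(name: str) -> bool:
    """True if a file name ends with the HydraCrypt rename suffix."""
    return HYDRACRYPT_SUFFIX.search(name) is not None


def original_name(name: str) -> str:
    """Strip the ransomware suffix to recover the pre-encryption file name."""
    return HYDRACRYPT_SUFFIX.sub("", name)


def find_renamed_files(names):
    """Return the names that match the rename pattern, preserving order."""
    return [n for n in names if is_hydracrypt_name(n)]


def scan_directory(root) -> list:
    """Walk a directory tree and return paths whose names match the pattern."""
    return [
        str(p)
        for p in Path(root).rglob("*")
        if p.is_file() and is_hydracrypt_name(p.name)
    ]


def hash_matches_payload(data: bytes) -> dict:
    """Compare a file's digests against the listed payload hashes, per algorithm."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == expected
        for algo, expected in PAYLOAD_HASHES.items()
    }


# Constructed sample listing: two renamed files, one untouched file,
# and two near-misses that must not match.
SAMPLE_LISTING = [
    "report.docx.hydracrypt_ID_a1b2c3d4",
    "budget.xlsx.hydracrypt_ID_Z9y8X7w6",
    "notes.txt",
    "photo.jpg.hydracrypt_ID_short",        # ID is not 8 characters
    "archive.hydracrypt_ID_abcdefgh.bak",   # suffix is not at the end
]

if __name__ == "__main__":
    for n in find_renamed_files(SAMPLE_LISTING):
        print(f"{n} -> original: {original_name(n)}")
```

scan_directory() applies the same test to a real tree (for example a mounted image of the affected host); a single hit on a user's documents share is enough to warrant pulling the host, since the rename happens only after the content has already been encrypted.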


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
