2015-05-06 - ANGLER EK FROM 94.242.255[.]59 DELIVERS ALPHA CRYPT RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-05-06-Angler-EK-traffic-2-pcaps.zip
• 2015-05-06-Angler-EK-and-Alpha-Crypt-ransomware-files.zip

 

NOTES:

• Another case of Angler EK delivering Alpha Crypt ransomware.
• Alpha Crypt is a Teslacrypt clone, which already was a CryptoLocker clone.
• I previously posted a blog about this on 2015-04-30 (link).
• Bitcoin address for ransomware payment is: 115csX8NGnVrKwYdpYcxdzW7WwhU8sQchZ

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 94.242.255[.]59 port 80 - modifier.duiscootersusa[.]com - Angler EK
• 54.93.182[.]214 port 80 - ipinfo[.]io - IP address check by the malware (not inherently malicious)
• 104.28.15[.]226 port 80 - dpckd2ftmf7lelsa.afnwdsy4j32[.]com - Alpha Crypt malware callback traffic
• 104.28.14[.]226 port 80 - is6xsotjdy4qtgur.afnwdsy4j32[.]com - Alpha Crypt malware callback traffic

• 104.18.47[.]12 - is6xsotjdy4qtgur.9isernvur33[.]com - another domain from the Alpha Crypt instructions
• 192.251.226[.]206 - is6xsotjdy4qtgur.tor2web.blutmagie[.]de - another domain from the Alpha Crypt instructions

 

ANGLER EK:

• 2015-05-06 16:51:41 UTC - modifier.duiscootersusa[.]com - GET /triglyceride-stochastic-palpably-plutonium/814027119156872631
• 2015-05-06 16:51:43 UTC - modifier.duiscootersusa[.]com - GET /zl-W9CD5GjFeSgiJ9w9o8z68Le08l8jIwMZnybGfDpsNGjs1
• 2015-05-06 16:51:46 UTC - modifier.duiscootersusa[.]com - GET /yLHepEE5Z2ytr2jnlSbTFwFrRBqX-9cezSRKz2Dbkf7N8g4z

 

POST-INFECTION TRAFFIC:

• 2015-05-06 16:51:47 UTC - ipinfo[.]io GET /ip
• 2015-05-06 16:51:48 UTC - dpckd2ftmf7lelsa.afnwdsy4j32[.]com - GET /tsdfewr2.php?U3ViamVjdD1Qa[long string of characters]
• 2015-05-06 16:52:09 UTC - dpckd2ftmf7lelsa.afnwdsy4j32[.]com - GET /tsdfewr2.php?U3ViamVjdD1Dc[long string of characters]
• 2015-05-06 16:52:18 UTC - is6xsotjdy4qtgur.afnwdsy4j32[.]com - GET /?enc=115csX8NGnVrKwYdpYcxdzW7WwhU8sQchZ
• 2015-05-06 16:52:20 UTC - is6xsotjdy4qtgur.afnwdsy4j32[.]com - GET /check.php
• 2015-05-06 16:52:22 UTC - is6xsotjdy4qtgur.afnwdsy4j32[.]com - GET /style.css
• 2015-05-06 16:52:22 UTC - is6xsotjdy4qtgur.afnwdsy4j32[.]com - GET /img/curr.svg
• 2015-05-06 16:52:22 UTC - is6xsotjdy4qtgur.afnwdsy4j32[.]com - GET /img/decrypt.svg
• 2015-05-06 16:52:22 UTC - is6xsotjdy4qtgur.afnwdsy4j32[.]com - GET /favicon.ico

 

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD:

File name:  2015-05-06-Alpha-Crypt-sample.exe
File size:  416,256 bytes
MD5 hash:  394797f407e89b58e0287097ad6e3cdc
Detection ratio:  8 / 57
First submission to VirusTotal:  2015-05-06 14:48:32 UTC

 

Click here to return to the main page.