2015-05-07 - ANGLER EK FROM 94.242.255.60 DELIVERS ALPHA CRYPT RANSOMWARE

PCAP AND MALWARE:

• PCAP of the traffic:  2015-05-07-Angler-EK-and-Alpha-Crypt-traffic.pcap.zip
• ZIP file of the malware:  2015-05-07-Angler-EK-and-Alpha-Crypt-artifacts.zip

 

NOTES:

• The latest case of Angler EK delivering Alpha Crypt ransomware.
• Alpha Crypt is a Teslacrypt clone, which already was a CryptoLocker clone.
• I previously posted a blog about this on 2015-04-30 and yesterday 2015-05-06.
• Today's sample has the same post-infection domains as yesterday, but a different bitcoin address for the ransom payment.
• Bitcoin address for this sample's ransom payment is: 18J4NwHDFdeJVc94cpc9FTeLZQnx7iu2YP

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 94.242.255.60 port 80 - destinazione.grippertires.net - Angler EK
• 54.93.61.143 port 80 - ipinfo.io - IP address check by the malware   [not inherently malicious]
• 104.28.15.226 port 80 - dpckd2ftmf7lelsa.afnwdsy4j32.com - Alpha Crypt traffic
• 104.28.14.226 port 80 - is6xsotjdy4qtgur.afnwdsy4j32.com - Alpha Crypt traffic

• 104.18.47.12 - is6xsotjdy4qtgur.9isernvur33.com - another domain from the Alpha Crypt instructions
• 192.251.226.206 - is6xsotjdy4qtgur.tor2web.blutmagie.de - another domain from the Alpha Crypt instructions

 

ANGLER EK:

• 2015-05-07 17:12:56 UTC - destinazione.grippertires.net - GET /scenically-septic-caricatured-ejects/147586249566271245
• 2015-05-07 17:12:58 UTC - destinazione.grippertires.net - GET /vw7-1xTy9o8XTXeans-WH-TPFNWLnQL4D73by26k99EB-Zo3
• 2015-05-07 17:13:01 UTC - destinazione.grippertires.net - GET /X-f--R3Zyg_ltm8haiRSbyoS8M7fTef6eZQjdcxMqAnjml_0

 

POST-INFECTION TRAFFIC:

• 2015-05-07 17:13:05 UTC - ipinfo.io - GET /ip
• 2015-05-07 17:13:06 UTC - dpckd2ftmf7lelsa.afnwdsy4j32.com - GET /tsdfewr2.php?U3ViamVjdD1QaW5[long string of characters]
• 2015-05-07 17:13:31 UTC - dpckd2ftmf7lelsa.afnwdsy4j32.com - GET /tsdfewr2.php?U3ViamVjdD1Dcnl[long string of characters]
• 2015-05-07 17:13:44 UTC - is6xsotjdy4qtgur.afnwdsy4j32.com - GET /?enc=18J4NwHDFdeJVc94cpc9FTeLZQnx7iu2YP
• 2015-05-07 17:13:45 UTC - is6xsotjdy4qtgur.afnwdsy4j32.com - GET /check.php
• 2015-05-07 17:13:46 UTC - is6xsotjdy4qtgur.afnwdsy4j32.com - GET /style.css
• 2015-05-07 17:13:46 UTC - is6xsotjdy4qtgur.afnwdsy4j32.com - GET /favicon.ico
• 2015-05-07 17:13:46 UTC - is6xsotjdy4qtgur.afnwdsy4j32.com - GET /img/curr.svg
• 2015-05-07 17:13:47 UTC - is6xsotjdy4qtgur.afnwdsy4j32.com - GET /img/decrypt.svg

 

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD:

File name:  2015-05-07-Alpha-Crypt-sample.exe
File size:  269.0 KB ( 275456 bytes )
MD5 hash:  a08784f5691a0a8ce6249e1981dea82c
Detection ratio:  8 / 57
First submission:  2015-05-07 11:27:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29/analysis/

 

FINAL NOTES

Once again, here are the associated files:

• PCAP of the traffic:  2015-05-07-Angler-EK-and-Alpha-Crypt-traffic.pcap.zip
• ZIP file of the malware:  2015-05-07-Angler-EK-and-Alpha-Crypt-artifacts.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.