2015-05-14 - ANGLER EK DELIVERS RANSOMWARE

PCAP AND MALWARE:

• ZIP file of the traffic:  2015-05-14-Angler-EK-delivers-ransomware.pcap.zip
• ZIP file of the malware:  2015-05-14-Angler-EK-and-ransomware-artifacts.zip

 

NOTES:

• More ransomware from Angler EK...

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 144.76.161.38 port 80 - improvisaciondemarilhteet.eliteplusbp.com - Angler EK
• 54.93.182.214 port 80 - ipinfo.io - IP check by the malware   [not inherently malicious]
• 104.27.143.176 port 80 - 24u4jf7s4regu6hn.fenaow48fn42.com - post-infection traffic
• 104.27.142.176 port 80 - iq3ahijcfeont3xx.fenaow48fn42.com - post-infection traffic
• 104.28.25.237 port 80 - iq3ahijcfeont3xx.sm4i8smr3f43.com - post-infection traffic
• 192.251.226.206 port 443 - iq3ahijcfeont3xx.tor2web.blutmagie.de - post-infection traffic

 

ANGLER EK:

• 2015-05-14 14:28:18 UTC - improvisaciondemarilhteet.eliteplusbp.com - GET /indexing_raspberries_rejuvenation_sushis/415213137352185210
• 2015-05-14 14:28:22 UTC - improvisaciondemarilhteet.eliteplusbp.com - GET /IgewyT-H4AUwZK0MoXRsPJd4BF1n_J-v0SOdbYmqqElESEYq
• 2015-05-14 14:28:24 UTC - improvisaciondemarilhteet.eliteplusbp.com - GET /pUmOkg3ZnV4ZxHpcKTFSUCKaad5pKGJlO6FkHjJAxetpWIMU

 

POST-INFECTION TRAFFIC:

• 2015-05-14 14:28:29 UTC - ipinfo.io - GET /ip
• 2015-05-14 14:28:30 UTC - 24u4jf7s4regu6hn.fenaow48fn42.com - GET /ping.php?U3ViamVjdD1QaW5nJmtleT05Nzk[long string of characters]
• 2015-05-14 14:28:53 UTC - 24u4jf7s4regu6hn.fenaow48fn42.com - GET /ping.php?U3ViamVjdD1DcnlwdGVkJmtleT0[long string of characters]
• 2015-05-14 14:28:59 UTC - iq3ahijcfeont3xx.fenaow48fn42.com - GET /?enc=1Cuaq5SAPfDXeioMWPi78kuHBqTzgmaKRx
• 2015-05-14 14:29:01 UTC - iq3ahijcfeont3xx.fenaow48fn42.com - GET /check.php
• 2015-05-14 14:29:02 UTC - iq3ahijcfeont3xx.fenaow48fn42.com - GET /style.css
• 2015-05-14 14:29:02 UTC - iq3ahijcfeont3xx.fenaow48fn42.com - GET /style.css
• 2015-05-14 14:29:03 UTC - iq3ahijcfeont3xx.fenaow48fn42.com - GET /img/curr.svg
• 2015-05-14 14:29:03 UTC - iq3ahijcfeont3xx.fenaow48fn42.com - GET /img/decrypt.svg
• 2015-05-14 14:29:04 UTC - iq3ahijcfeont3xx.fenaow48fn42.com - GET /favicon.ico
• 2015-05-14 14:29:36 UTC - iq3ahijcfeont3xx.sm4i8smr3f43.com - GET /
• 2015-05-14 14:29:38 UTC - iq3ahijcfeont3xx.sm4i8smr3f43.com - GET /style.css
• 2015-05-14 14:29:39 UTC - iq3ahijcfeont3xx.sm4i8smr3f43.com - GET /img/base.svg
• 2015-05-14 14:29:39 UTC - iq3ahijcfeont3xx.sm4i8smr3f43.com - GET /favicon.ico
• 2015-05-14 14:29:42 UTC - iq3ahijcfeont3xx.tor2web.blutmagie.de - HTTPS traffic
• 2015-05-14 14:29:45 UTC - iq3ahijcfeont3xx.tor2web.blutmagie.de - HTTPS traffic
• 2015-05-14 14:29:46 UTC - iq3ahijcfeont3xx.tor2web.blutmagie.de - HTTPS traffic

 

PRELIMINARY MALWARE ANALYSIS

RANSOMWARE:

File name:  C:\Users\username\AppData\Local\hfxtnsu.exe
File size:  374.5 KB ( 383488 bytes )
MD5 hash:  59bb43ab2239baf5721807ec606d5397
Detection ratio:  3 / 57
First submission:  2015-05-14 15:03:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b/analysis/
Malwr link:  https://malwr.com/analysis/YmFlZjBiMmM1OTJlNDFkZGFmMjhhZDFjNmE4NjQyNDc/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b?environmentId=1

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the associated malware:

• ZIP file of the traffic:  2015-05-14-Angler-EK-delivers-ransomware.pcap.zip
• ZIP file of the malware:  2015-05-14-Angler-EK-and-ransomware-artifacts.zip

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.