2015-06-16 - ANGLER EK FROM 46.4.235.1 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the traffic:  2015-06-16-Angler-EK-and-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:  2015-06-16-Angler-EK-and-CryptoWall-3.0-artifacts.zip

NOTES:

• More CryptoWall 3.0 sent from Angler exploit kit (EK) using one of the same bitcoin addresses for ransom payment that we've seen before.
• Bitcoin address for ransom payment was: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB
• It seems Angler EK has been tweaking its URL patterns quite frequently--on a near daily basis--probably to avoid detection by intrusion detection systems (IDS).
• Current URL patterns for Angler don't match ones that we saw a week or two ago.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 46.4.235.1 port 80 - ffiledirausgewertetem.dansfemdomlinks.com - Angler EK
• 50.63.102.1 port 80 - afriqinter.com - CryptoWall 3.0 checkin
• 95.163.121.36 port 80 - 7oqnsnzwwnm6zb7y.paypartyoptions.com - Retrieving CryptoWall 3.0 decrypt instructions
• 7oqnsnzwwnm6zb7y.paytwinkgirls.com - Another domain from the decrypt instructions
• 7oqnsnzwwnm6zb7y.paybullionbb.com - Another domain from the decrypt instructions
• 7oqnsnzwwnm6zb7y.paybonymans.com - Another domain from the decrypt instructions

 

ANGLER EK:

• 2015-06-16 21:11:40 UTC - ffiledirausgewertetem.dansfemdomlinks.com - GET /search?og3=uq1ig-ub&qsea=tw0pe&y2p=ywmtm-boz&ik=3l1356-yeu&
  fxz=wy6-cjp8uh&9vj15=qe&id=_wg16u

• 2015-06-16 21:11:42 UTC - ffiledirausgewertetem.dansfemdomlinks.com - GET /interact.an?move=&purpose=fQ7ng50ZT&street=_Dngfw&gas=6Mx\254=nV1l&
  relationship=4SHM-X9&already=SAM&social=&keep=k_x&since=8lpQQqHr&hand=d1Ebu

• 2015-06-16 21:11:45 UTC - ffiledirausgewertetem.dansfemdomlinks.com - GET /learn.jsf?air=fWpsVmK&turn=I-Cj&method=3_Tfw&social=-hv-cWDV&
  research=1lOvWfYnp&design=bw9GxdXDS&strength=11zyFX

 

POST-INFECTION TRAFFIC (CRYPTOWALL 3.0):

• 2015-06-16 21:11:57 UTC - ip-addr.es - GET /
• 2015-06-16 21:11:58 UTC - afriqinter.com - POST /wp-content/plugins/g4.php?t=ufz7yu4p4236e
• 2015-06-16 21:12:00 UTC - afriqinter.com - POST /wp-content/plugins/g4.php?v=6h2lhzabyq
• 2015-06-16 21:12:02 UTC - afriqinter.com - POST /wp-content/plugins/g4.php?d=c774h55w9in4
• 2015-06-16 21:12:29 UTC - afriqinter.com - POST /wp-content/plugins/g4.php?k=fr4ukwvjppwo
• 2015-06-16 21:13:04 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /1kwN8ko
• 2015-06-16 21:13:07 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/style.css
• 2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/flags/us.png
• 2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /picture.php?k=1kwn8ko&47621fb89281480886ccb74d9ad1a6fb
• 2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/flags/fr.png
• 2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/flags/es.png
• 2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/rt.png
• 2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/rb.png
• 2015-06-16 21:13:10 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/flags/it.png
• 2015-06-16 21:13:10 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/flags/de.png
• 2015-06-16 21:13:10 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/lt.png
• 2015-06-16 21:13:10 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/lb.png
• 2015-06-16 21:13:12 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /favicon.ico
• 2015-06-16 21:13:15 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - POST /1kwN8ko
• 2015-06-16 21:13:17 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/style.css
• 2015-06-16 21:13:19 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/bitcoin.png
• 2015-06-16 21:13:19 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the traffic:  2015-06-16-Angler-EK-and-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:  2015-06-16-Angler-EK-and-CryptoWall-3.0-artifacts.zip

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.