2015-07-03 - ANGLER EK SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the traffic:  2015-07-03-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:  2015-07-03-Angler-EK-and-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for this CryptoWall 3.0 sample is: 1KEwC5NQM8ZQpnJghMknbySurXfJZfZhZx

 

TRAFFIC

ASSOCIATED DOMAINS:

• 216.144.244.147 port 80 - hallitsemallatake0.southchandlerhomesforsale.com - Angler EK
• ip-addr.es - location/IP check by the malware
• 31.169.73.74 port 80 - dugunburada.com - CryptoWall 3.0 check-in
• 81.169.145.164 port 80 - egobook.de - CryptoWall 3.0 check-in
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.paybalanceto.com - Infected host accessing decrypt instructions
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.paybrakepoint.com - Infected host accessing decrypt instructions

 

IMAGES

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the traffic:  2015-07-03-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:  2015-07-03-Angler-EK-and-CryptoWall-3.0-artifacts.zip

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.