2015-07-05 - ANGLER EK FROM 5.196.183.76 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP archive of the traffic:  2015-07-05-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:  2015-07-05-Angler-EK-sends-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for this CryptoWall 3.0 sample is: 1KEwC5NQM8ZQpnJghMknbySurXfJZfZhZx

 

TRAFFIC

ASSOCIATED DOMAINS:

• 5.196.183.76 port 80 - kansansadun-heksagon.bizstarnet.com - Angler EK
• ip-addr.es - location/IP check by the malware
• 111.65.226.106 port 80 - ktetley-jones.co.nz - CryptoWall 3.0 check-in
• 95.163.121.228 port 80 - k6i3cb6owitcouepv.paybalanceto.com - Infected host accessing decrypt instructions
• 95.163.121.228 port 80 - k6i3cb6owitcouepv.paybrakepoint.com - Infected host accessing decrypt instructions

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the traffic:  2015-07-05-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:  2015-07-05-Angler-EK-sends-CryptoWall-3.0-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.