2015-07-10 - ANGLER EK FROM 176.9.245.142 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the traffic:  2015-07-10-Angler-EK-sends-CrytoWall-3.0-traffic.pcap.zip
• ZIP of the malware:  2015-07-10-Angler-EK-and-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for the CryptoWall 3.0 sample was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same as the past two days).

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 176.9.245.142 port 80 - commotusque.lennydepaul.com - Angler EK
• 185.28.23.14 port 80 - bigappledreaming.com - CryptoWall 3.0 check-in
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.mywa2pay.com - Viewing one of the decrypt instructions pages
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.micropaysearch.com - Viewing another of the decrypt instructions pages
• 6i3cb6owitcouepv.light2mind.com - DNS query for one of the decrypt pages that didn't resolve
• 6i3cb6owitcouepv.rightslavebb.com - DNS query for one of the decrypt pages that didn't resolve

 

ANGLER EK:

• 2015-07-10 22:17:40 UTC - commotusque.lennydepaul.com - GET /intriguing/viewtopic.php?f=48&t=70417552

• 2015-07-10 22:17:42 UTC - commotusque.lennydepaul.com - GET /hope.wrf?money=&six=07ev5N1BEu&horse=&first=wdcU8dbG&because=Kn-MoLz&
  love=ARnaB0rRdX&army=g_caz_SQ_&try=&particular=oC4=

• 2015-07-10 22:17:48 UTC - commotusque.lennydepaul.com - GET /intriguing/hope.sht?then=&cut=L0U&that=OZJSFfF7&remove=XMy-1&realize=v0n&
  serious=ko8hxs8w0_bnkjAWA_VDarQ5BNsXF

• 2015-07-10 22:17:50 UTC - commotusque.lennydepaul.com - GET /wife.shtml?better=ilsGdwB9-r&since=&lead=4K_-2V&fine=&story=fBwieu30zAwE44w03-
  ZnxQpv_QpCtFct

 

CRYPTOWALL 3.0 POST-INFECTION TRAFFIC:

• 2015-07-10 22:17:53 UTC - ip-addr.es - GET /
• 2015-07-10 22:17:56 UTC - bigappledreaming.com - POST /wp-content/themes/aa.php?z=dha0a96vu9
• 2015-07-10 22:17:59 UTC - bigappledreaming.com - POST /wp-content/themes/aa.php?r=34q25ye568ccpv
• 2015-07-10 22:18:02 UTC - bigappledreaming.com - POST /wp-content/themes/aa.php?l=fbh4p0k0ze570
• 2015-07-10 22:18:12 UTC - bigappledreaming.com - POST /wp-content/themes/aa.php?l=xwt1b9x1i8
• 2015-07-10 22:18:26 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /1Nswsiv
• 2015-07-10 22:18:30 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/style.css
• 2015-07-10 22:18:30 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/us.png
• 2015-07-10 22:18:30 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/it.png
• 2015-07-10 22:18:30 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/fr.png
• 2015-07-10 22:18:30 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/es.png
• 2015-07-10 22:18:30 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/de.png
• 2015-07-10 22:18:31 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /picture.php?k=1nswsiv&778a4086808184848d9b257f8c45fce4
• 2015-07-10 22:18:32 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lt.png
• 2015-07-10 22:18:33 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rt.png
• 2015-07-10 22:18:33 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lb.png
• 2015-07-10 22:18:33 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rb.png
• 2015-07-10 22:18:37 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /favicon.ico
• 2015-07-10 22:18:40 UTC - 6i3cb6owitcouepv.mywa2pay.com - POST /1Nswsiv
• 2015-07-10 22:18:42 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/bitcoin.png
• 2015-07-10 22:18:42 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/button_pay.png
• 2015-07-10 22:18:52 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /1Nswsiv
• 2015-07-10 22:18:54 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/style.css
• 2015-07-10 22:18:54 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/us.png
• 2015-07-10 22:18:54 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/es.png
• 2015-07-10 22:18:54 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/it.png
• 2015-07-10 22:18:54 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/fr.png
• 2015-07-10 22:18:54 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/de.png
• 2015-07-10 22:18:55 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /picture.php?k=1nswsiv&314834718128a4884b0120f2e75e3b19
• 2015-07-10 22:18:56 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lt.png
• 2015-07-10 22:18:56 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rt.png
• 2015-07-10 22:18:56 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lb.png
• 2015-07-10 22:18:56 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rb.png
• 2015-07-10 22:18:58 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /favicon.ico
• 2015-07-10 22:19:03 UTC - 6i3cb6owitcouepv.micropaysearch.com - POST /1Nswsiv
• 2015-07-10 22:19:05 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/bitcoin.png
• 2015-07-10 22:19:05 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the traffic - first example:  2015-07-10-Angler-EK-sends-CrytoWall-3.0-traffic.pcap.zip
• ZIP of the malware:  2015-07-10-Angler-EK-and-CryptoWall-3.0-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.