2015-07-13 - ANGLER EK FROM 136.243.96.94 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP archive of pcaps for the network traffic:  2015-07-13-Angler-EK-pcaps.zip
• ZIP of the malware:  2015-07-13-Angler-EK-and-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for the CryptoWall 3.0 sample was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same one I've documented since 2015-07-09).

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 136.243.96.94 port 80 - dnabtaew.diamondcutgraniteco.com - Angler EK (example 1 of 3) on 2015-07-13 at 13:16 UTC
• 136.243.96.94 port 80 - encogidamente.dopaving.com - Angler EK (example 2 of 3) on 2015-07-13 at 13:55 UTC
• 136.243.96.94 port 80 - mikikatu.moneyfarming.com - Angler EK (example 3 of 3) on 2015-07-13 at 14:08 UTC
• 27.121.64.88 port 80 - biologicalhealthservices.com.au - CryptoWall 3.0 callback (example 1 of 3)
• 50.62.73.75 port 80 - be-practical.com - CryptoWall 3.0 callback (example 1 of 3)
• 111.223.233.21 port 80 - jotm.com.au - CryptoWall 3.0 callback (example 1 of 3)
• 184.168.241.143 port 80 - buycarbontubes.com - CryptoWall 3.0 callback (example 2 of 3)
• 192.186.228.40 port 80 - beerbirds.com - CryptoWall 3.0 callback (example 3 of 3)
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.mywa2pay.com - Veiwing the decrypt instructions (only did it in example 1 of 3)
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.micropaysearch.com - Veiwing the decrypt instructions (only did it in example 1 of 3)
• 6i3cb6owitcouepv.light2mind.com - Another domain for the decrypt instructions (didn't resolve in DNS)
• 6i3cb6owitcouepv.rightslavebb.com - Another domain for the decrypt instructions (didn't resolve in DNS)

 

TRAFFIC FROM FIRST EXAMPLE (PCAP 1 OF 3):

• 2015-07-13 13:16:00 UTC - dnabtaew.diamondcutgraniteco.com - GET /polo/viewtopic.php?f=1&t=383696108

• 2015-07-13 13:16:03 UTC - dnabtaew.diamondcutgraniteco.com - GET /ago.a5w?citizen=Y3O8lcAxD&addition=&attitude=wT0Zf&work=rC6&
  language=qQKqteesm4kMRJu0Xt5V2xBdmDHHkuh

• 2015-07-13 13:16:07 UTC - dnabtaew.diamondcutgraniteco.com - GET /patient.srf?during=-9Q&available=&example=B4BIxYl0&population=eyIKq5At&
  without=&however=jhlqGfU&none=&quite=b2KjNvESyY&in=HLnm885Hx&name=NUR

• 2015-07-13 13:16:08 UTC - dnabtaew.diamondcutgraniteco.com - GET /polo/pay.wrf?stock=1Gk&spring=C8XcG1&build=ewgtlbM9z&family=&
  themselves=H7Pd&one=iKe&mark=G0a&without=0_4Ln6sLae0m7Fw9LpgO

• 2015-07-13 13:16:11 UTC - ip-addr.es - GET /
• 2015-07-13 13:16:11 UTC - jotm.com.au - POST /wp-content/plugins/bb.php?o=e56b7c53agsi3
• 2015-07-13 13:16:12 UTC - biologicalhealthservices.com.au - POST /wp-content/wp-content/plugins/aa.php?s=e56b7c53agsi3
• 2015-07-13 13:16:12 UTC - be-practical.com - POST /wp-content/plugins/dd.php?d=e56b7c53agsi3
• 2015-07-13 13:16:15 UTC - jotm.com.au - POST /wp-content/plugins/bb.php?y=jmd14o2pfq
• 2015-07-13 13:16:16 UTC - biologicalhealthservices.com.au - POST /wp-content/wp-content/plugins/aa.php?s=jmd14o2pfq
• 2015-07-13 13:16:46 UTC - be-practical.com - POST /wp-content/plugins/dd.php?k=jmd14o2pfq
• 2015-07-13 13:16:50 UTC - jotm.com.au - POST /wp-content/plugins/bb.php?r=jdj9n3dvb14l0
• 2015-07-13 13:16:51 UTC - biologicalhealthservices.com.au - POST /wp-content/wp-content/plugins/aa.php?j=jdj9n3dvb14l0
• 2015-07-13 13:16:51 UTC - be-practical.com - POST /wp-content/plugins/dd.php?c=jdj9n3dvb14l0
• 2015-07-13 13:17:17 UTC - jotm.com.au - POST /wp-content/plugins/bb.php?u=9eehr5atew
• 2015-07-13 13:17:18 UTC - biologicalhealthservices.com.au - POST /wp-content/wp-content/plugins/aa.php?q=9eehr5atew
• 2015-07-13 13:17:18 UTC - be-practical.com - POST /wp-content/plugins/dd.php?t=9eehr5atew
• 2015-07-13 13:19:47 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /------- [string of characters removed from the pcap]
• 2015-07-13 13:19:50 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/style.css
• 2015-07-13 13:19:52 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/us.png
• 2015-07-13 13:19:52 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/fr.png
• 2015-07-13 13:19:52 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /picture.php?k=1nswsiv&b611188b5c7ca9b56a4aef00b343336d
• 2015-07-13 13:19:52 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/es.png
• 2015-07-13 13:19:52 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rt.png
• 2015-07-13 13:19:52 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rb.png
• 2015-07-13 13:19:54 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/it.png
• 2015-07-13 13:19:54 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/de.png
• 2015-07-13 13:19:54 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lt.png
• 2015-07-13 13:19:54 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lb.png
• 2015-07-13 13:19:57 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /favicon.ico
• 2015-07-13 13:20:01 UTC - 6i3cb6owitcouepv.mywa2pay.com - POST /------- [string of characters removed from the pcap]
• 2015-07-13 13:20:06 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/bitcoin.png
• 2015-07-13 13:20:06 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/button_pay.png
• 2015-07-13 13:20:15 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /------- [string of characters removed from the pcap]
• 2015-07-13 13:20:18 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/style.css
• 2015-07-13 13:20:20 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/it.png
• 2015-07-13 13:20:20 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rb.png
• 2015-07-13 13:20:20 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /picture.php?k=1nswsiv&a7c51c687d23a1207efac3efd3639d1a
• 2015-07-13 13:20:20 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/us.png
• 2015-07-13 13:20:20 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/es.png
• 2015-07-13 13:20:20 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rt.png
• 2015-07-13 13:20:22 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/fr.png
• 2015-07-13 13:20:22 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/de.png
• 2015-07-13 13:20:22 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lt.png
• 2015-07-13 13:20:22 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lb.png
• 2015-07-13 13:20:25 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /favicon.ico
• 2015-07-13 13:20:29 UTC - 6i3cb6owitcouepv.micropaysearch.com - POST /------- [string of characters removed from the pcap]
• 2015-07-13 13:20:32 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/bitcoin.png
• 2015-07-13 13:20:32 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/button_pay.png

 

TRAFFIC FROM SECOND EXAMPLE (PCAP 2 OF 3):

• 2015-07-13 13:55:25 UTC - encogidamente.dopaving.com - GET /sexiness/viewtopic.php?f=66&t=18622423

• 2015-07-13 13:55:27 UTC - encogidamente.dopaving.com - GET /great.js?how=QS2y&place=ZZsDX-&talk=&among=6qDiV8&group=qLmXNAYl4&
  drive=&war=VbBICq2mH&issue=_75&story=&however=0iB_N&can=&because=wLFsSm

• 2015-07-13 13:55:39 UTC - encogidamente.dopaving.com - GET /suffer.jst?grow=&woman=qkRpc&final=BAUwcuIdDN&available=uoooK&dog=&
  number=s8L18iK_&probably=9dX4Cj&similar=7Hm&sit=j2gCV4&know=&population=fcYQC

• 2015-07-13 13:55:40 UTC - encogidamente.dopaving.com - GET /sexiness/while.lasso?suddenly=&approach=k5M&individual=&night=SgI&French=&
  idea=pHSergG&dog=44KzmO&loss=xJu&town=soh6KqYJAsUz35W8AtD2NxkIuy

• 2015-07-13 13:55:43 UTC - encogidamente.dopaving.com - GET /compare.json?truth=yDQk8c&point=&trip=hNEyGH2Lf&father=A3lz&
  member=I7XEfFMoxE&higher=WVJqO7vCzfqoltHDVgH

• 2015-07-13 13:55:43 UTC - ip-addr.es - GET /
• 2015-07-13 13:55:43 UTC - buycarbontubes.com - POST /wp-content/plugins/ee.php?i=j2d8l57wy96pl3
• 2015-07-13 13:55:46 UTC - buycarbontubes.com - POST /wp-content/plugins/ee.php?q=u0ngf96c6u79n
• 2015-07-13 13:55:48 UTC - buycarbontubes.com - POST /wp-content/plugins/ee.php?p=5f9z22t7269vi
• 2015-07-13 13:55:56 UTC - buycarbontubes.com - POST /wp-content/plugins/ee.php?f=kiq0j0vv98i11

 

TRAFFIC FROM THIRD EXAMPLE (PCAP 3 OF 3):

• 2015-07-13 14:08:45 UTC - mikikatu.moneyfarming.com - GET /antigen/viewtopic.php?f=8&t=124033073

• 2015-07-13 14:08:48 UTC - mikikatu.moneyfarming.com - GET /hope.asr?why=evqDQec5&concern=LDg&hot=0mqX&young=v7Sn&
  question=YZzJQgws&visit=jg5&captain=BJ5Pxwv&walk=pcWjMqDRG&theory=iL

• 2015-07-13 14:08:51 UTC - mikikatu.moneyfarming.com - GET /strike.docmhtml?improve=ZeqJUaEDg&will=U8e-wdfxU&what=dx3p&
  about=UvG-N4B&leach=SknRrz®ion=y5CFg&five=umP8mK53

• 2015-07-13 14:08:54 UTC - mikikatu.moneyfarming.com - GET /antigen/view.xpd?record=tlvIJ12&several=&offer=HEqqYKM4F&future=&it=WMm&
  condition=UzrXzn&various=J3n2iQMBP&less=T2TYCehQ6DbiA_

• 2015-07-13 14:08:57 UTC - ip-addr.es - GET /
• 2015-07-13 14:08:59 UTC - beerbirds.com - POST /wp-content/plugins/bb.php?d=cqm2ver2afcj1fu
• 2015-07-13 14:09:02 UTC - beerbirds.com - POST /wp-content/plugins/bb.php?p=ow5933ncpn7f72
• 2015-07-13 14:09:05 UTC - beerbirds.com - POST /wp-content/plugins/bb.php?y=j92ofj1o4gzt
• 2015-07-13 14:09:42 UTC - beerbirds.com - POST /wp-content/plugins/bb.php?q=o51xa4d4968r

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of pcaps for the network traffic:  2015-07-13-Angler-EK-pcaps.zip
• ZIP of the malware:  2015-07-13-Angler-EK-and-CryptoWall-3.0-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.