2015-07-15 - ANGLER EK FROM 185.48.58.51 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the PCAP(s):  2015-07-15-Angler-EK-sends-CryptoWall-3.0.pcap.zip
• ZIP of the malware:  2015-07-15-Angler-EK-and-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for the CryptoWall 3.0 sample was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same one I've documented since 2015-07-09).

 

TRAFFIC

ASSOCIATED DOMAINS:

• 185.48.58.51 port 80 - semais.militarypopupweddings.com - Angler EK
• 178.19.108.142 port 80 - spaparty.pl - CryptoWall 3.0 post-infection callback
• 174.136.28.75 port 80 - paternidadresponsable.com.mx - CryptoWall 3.0 post-infection callback
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.mywa2pay.com - Viewing the decrypt instructions
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.micropaysearch.com - Viewing the decrypt instructions
• 6i3cb6owitcouepv.light2mind.com - Domain for decrypt instructions that did not resolve
• 6i3cb6owitcouepv.rightslavebb.com - Domain for decrypt instructions that did not resolve

 

TRAFFIC:

• 2015-07-15 16:17:22 UTC - semais.militarypopupweddings.com - GET /bakehouse/viewtopic.php?t=20&f=12673219

• 2015-07-15 16:17:25 UTC - semais.militarypopupweddings.com - GET /before.asmx?beyond=0st&hit=8eMwVsD&cover=NQ3&develop=ixPRg2oz4&
  same=E6-1XYRozp&private=bucTJ3oY&result=a0Kcq&factor=eVh

• 2015-07-15 16:17:32 UTC - semais.militarypopupweddings.com - GET /bakehouse/early.cha?remove=&sometimes=n3z7A5GPp&I=&freedom=zkDV90n&long=&
  test=prZBECiF60&price=FVNefpTQ&division=BCX&facility=joKn5MFvCM&fear=L

• 2015-07-15 16:17:33 UTC - semais.militarypopupweddings.com - GET /list.wpx?else=&so=J2RMut1R&buy=&for=ebIo_hXfz&problem=YLX&
  matter=ETTRWY&mind=ktFjZxN6Dv&marriage=5ClBLta7UHMg

• 2015-07-15 16:17:36 UTC - ip-addr.es - GET /

• 2015-07-15 16:17:37 UTC - spaparty.pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/o2k7/img/b.php?n=3bckc292fh

• 2015-07-15 16:17:37 UTC - paternidadresponsable.com.mx - POST /wp-content/plugins/_backupwordpress/vendor/mikey179/vfsStream/src/test/
  resources/b.php?j=3bckc292fh

• 2015-07-15 16:17:40 UTC - spaparty.pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/o2k7/img/b.php?a=pdxdfdjw63cg

• 2015-07-15 16:17:41 UTC - paternidadresponsable.com.mx - POST /wp-content/plugins/_backupwordpress/vendor/mikey179/vfsStream/src/test/
  resources/b.php?g=pdxdfdjw63cg

• 2015-07-15 16:17:44 UTC - spaparty.pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/o2k7/img/b.php?w=915d87py35

• 2015-07-15 16:17:45 UTC - paternidadresponsable.com.mx - POST /wp-content/plugins/_backupwordpress/vendor/mikey179/vfsStream/src/test/
  resources/b.php?q=915d87py35

• 2015-07-15 16:17:54 UTC - spaparty.pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/o2k7/img/b.php?g=33u4451uzu

• 2015-07-15 16:17:54 UTC - paternidadresponsable.com.mx - POST /wp-content/plugins/_backupwordpress/vendor/mikey179/vfsStream/src/test/
  resources/b.php?o=33u4451uzu

• 2015-07-15 16:18:06 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /-------
• 2015-07-15 16:18:07 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/style.css
• 2015-07-15 16:18:07 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/us.png
• 2015-07-15 16:18:08 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/it.png
• 2015-07-15 16:18:08 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/fr.png
• 2015-07-15 16:18:08 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/es.png
• 2015-07-15 16:18:08 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/de.png
• 2015-07-15 16:18:08 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /picture.php?k=1nswsiv&197956f70a4e7c6e93a967f8e793830c
• 2015-07-15 16:18:09 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lt.png
• 2015-07-15 16:18:09 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rt.png
• 2015-07-15 16:18:10 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lb.png
• 2015-07-15 16:18:10 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rb.png
• 2015-07-15 16:18:12 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /favicon.ico
• 2015-07-15 16:18:15 UTC - 6i3cb6owitcouepv.mywa2pay.com - POST /-------
• 2015-07-15 16:18:17 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/bitcoin.png
• 2015-07-15 16:18:17 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/button_pay.png
• 2015-07-15 16:18:24 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /-------
• 2015-07-15 16:18:26 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/style.css
• 2015-07-15 16:18:26 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/us.png
• 2015-07-15 16:18:27 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/it.png
• 2015-07-15 16:18:27 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/fr.png
• 2015-07-15 16:18:27 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/es.png
• 2015-07-15 16:18:27 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/de.png
• 2015-07-15 16:18:27 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /picture.php?k=1nswsiv&7aec2ca779022bf82600cf122ce20c7e
• 2015-07-15 16:18:28 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lt.png
• 2015-07-15 16:18:29 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rt.png
• 2015-07-15 16:18:29 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lb.png
• 2015-07-15 16:18:29 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rb.png
• 2015-07-15 16:18:31 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /favicon.ico
• 2015-07-15 16:18:34 UTC - 6i3cb6owitcouepv.micropaysearch.com - POST /-------
• 2015-07-15 16:18:36 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/bitcoin.png
• 2015-07-15 16:18:36 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP(s):  2015-07-15-Angler-EK-sends-CryptoWall-3.0.pcap.zip
• ZIP of the malware:  2015-07-15-Angler-EK-and-CryptoWall-3.0-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.