2015-07-16 - ANGLER EK FROM 206.190.134.188 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the PCAP(s):  2015-07-16-Angler-EK-pcaps.zip
• ZIP of the malware:  2015-07-16-Angler-EK-and-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for the CryptoWall 3.0 sample was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same one I've documented since 2015-07-09).

 

TRAFFIC - EXAMPLE 1 OF 2

ASSOCIATED DOMAINS:

• 94.131.14.28 port 80 - uhadnw.hopto.org - Redirect from compromised website to Angler
• 206.190.134.188 port 80 - serrulateedlperroch.ajuuas-odessa.com - Angler EK
• 64.90.49.124 port 80 - michaelserwa.com - Post-infection CryptoWall 3.0 traffic
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.mywa2pay.com - Viewing the decrypt instructions
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.micropaysearch.com - Viewing the decrypt instructions
• 6i3cb6owitcouepv.light2mind.com - Domain for decrypt instructions that didn't resolve
• 6i3cb6owitcouepv.rightslavebb.com - Domain for decrypt instructions that didn't resolve

 

TRAFFIC:

• 2015-07-16 15:03:05 UTC - uhadnw.hopto.org - GET /wordpress/?bf7N&utm_source=le

• 2015-07-16 15:03:07 UTC - serrulateedlperroch.ajuuas-odessa.com - GET /emolument/viewtopic.php?t=40&f=18283025

• 2015-07-16 15:03:11 UTC - serrulateedlperroch.ajuuas-odessa.com - GET /really.docmhtml?free=O7TXKeaOWb&tooth=UYHNky-D8&bill=lfGCaAj&God=149iv&
  than=EXm7X3kKY8&much=&French=qu1XH81

• 2015-07-16 15:03:14 UTC - serrulateedlperroch.ajuuas-odessa.com - GET /several.sites2?attend=SzF8lBbV7B&far=&other=5bG&be=JvIxcW7ri&speak=&
  provide=jS-oaj6Gg&God=0IeQI&one=AKPn4QmrMbTw

• 2015-07-16 15:03:19 UTC - serrulateedlperroch.ajuuas-odessa.com - GET /emolument/oil.ashx?ride=&manager=HHX&drive=&temperature=OoYVqeOG&
  right=4C5Xkcynb&rather=&cut=NNStAWfolTQ5uuN7ZsHwJDVdEQCW

• 2015-07-16 15:03:23 UTC - ip-addr.es - GET /
• 2015-07-16 15:03:25 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?i=06sqbz12x9gw
• 2015-07-16 15:03:28 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?c=k28yrc09wsev
• 2015-07-16 15:03:32 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?f=t3mbjwemoqt
• 2015-07-16 15:04:04 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?g=qbwttp03l0
• 2015-07-16 15:04:20 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /-------
• 2015-07-16 15:04:21 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/style.css
• 2015-07-16 15:04:23 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/us.png
• 2015-07-16 15:04:24 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/es.png
• 2015-07-16 15:04:24 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/it.png
• 2015-07-16 15:04:24 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /picture.php?k=1nswsiv&ecbded3b282639c72785713d1feee3d1
• 2015-07-16 15:04:24 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/de.png
• 2015-07-16 15:04:24 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lt.png
• 2015-07-16 15:04:25 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/fr.png
• 2015-07-16 15:04:25 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rt.png
• 2015-07-16 15:04:25 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lb.png
• 2015-07-16 15:04:26 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rb.png
• 2015-07-16 15:04:27 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /favicon.ico
• 2015-07-16 15:04:34 UTC - 6i3cb6owitcouepv.mywa2pay.com - POST /-------
• 2015-07-16 15:04:38 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/ca.png
• 2015-07-16 15:04:38 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/bitcoin.png
• 2015-07-16 15:04:38 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/button_pay.png
• 2015-07-16 15:06:53 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /-------
• 2015-07-16 15:06:56 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/style.css
• 2015-07-16 15:06:58 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/us.png
• 2015-07-16 15:06:58 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/it.png
• 2015-07-16 15:06:58 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/es.png
• 2015-07-16 15:06:58 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /picture.php?k=1nswsiv&13c9abbf7bc2de639ecd5dfbd905ae9d
• 2015-07-16 15:06:58 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rt.png
• 2015-07-16 15:06:58 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rb.png
• 2015-07-16 15:07:00 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/fr.png
• 2015-07-16 15:07:00 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/de.png
• 2015-07-16 15:07:00 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lt.png
• 2015-07-16 15:07:00 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lb.png
• 2015-07-16 15:07:02 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /favicon.ico
• 2015-07-16 15:07:04 UTC - 6i3cb6owitcouepv.micropaysearch.com - POST /-------
• 2015-07-16 15:07:06 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/ca.png
• 2015-07-16 15:07:06 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/bitcoin.png
• 2015-07-16 15:07:06 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/button_pay.png
• 2015-07-16 15:07:12 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/button_pay_sel.png

 

TRAFFIC - EXAMPLE 2 OF 2

ASSOCIATED DOMAINS:

• 206.190.134.188 port 80 - commisissemus.cancerexpo.com - Angler EK
• 205.186.156.195 port 80 - ibjja.com - Post-infection CryptoWall 3.0 traffic

 

TRAFFIC:

• 2015-07-16 15:23:26 UTC - commisissemus.cancerexpo.com - GET /monomolecular/viewtopic.php?t=39&f=20573126

• 2015-07-16 15:23:30 UTC - commisissemus.cancerexpo.com - GET /still.ppthtml?life=T8v-&good=&express=qpt4z&these=&spend=lG77k&
  influence=zujdH9LTDs&because=8v1f&well=&that=HPJ-2UR1y&expect=&change=bMhmAcBzHT&vary=W

• 2015-07-16 15:23:33 UTC - commisissemus.cancerexpo.com - GET /monomolecular/poet.website?direction=NzOT2gax&draw=&more=hDzF6-Q&
  finish=&reach=YDv3QN&deal=&especially=QoFCkc&paper=f2BEtJ&company=pGDKC&both=ICBfRnj¢ral=oRr

• 2015-07-16 15:23:34 UTC - commisissemus.cancerexpo.com - GET /than.iwdgt?hang=_U4y&color=noq2Z7vsa0&more=aUXIDZ_&date=jrt&
  difficulty=L8L9r4ZEzZ&policy=PiMdXiOix&any=POoYH

• 2015-07-16 15:23:42 UTC - ip-addr.es - GET /
• 2015-07-16 15:23:43 UTC - ibjja.com - POST /blog/wp-content/plugins/scribe/lib/history/views/meta-box/c.php?o=ogwh94w53ylq2p
• 2015-07-16 15:23:46 UTC - ibjja.com - POST /blog/wp-content/plugins/scribe/lib/history/views/meta-box/c.php?s=hcg1roit8y8
• 2015-07-16 15:23:49 UTC - ibjja.com - POST /blog/wp-content/plugins/scribe/lib/history/views/meta-box/c.php?y=ldo61h1m3irff65
• 2015-07-16 15:23:58 UTC - ibjja.com - POST /blog/wp-content/plugins/scribe/lib/history/views/meta-box/c.php?e=7202mtc4kna

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP(s):  2015-07-16-Angler-EK-pcaps.zip
• ZIP of the malware:  2015-07-16-Angler-EK-and-CryptoWall-3.0-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.