2015-07-23 - ANGLER EK FROM 216.245.213.141 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-07-23-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP of the malware:  2015-07-23-Angler-EK-and-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for this CryptoWall 3.0 sample's ransom payment was:  1LY58fiaAYFKgev67TN1UJtRveJh81D2dU
• This is the same address I've seen from Angler EK CryptoWall 3.0 since the beginning of July 2015.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 216.245.213.141 port 80 - verzakki.hip-oh.com - Angler EK
• ip-addr.es - IP address check by the infected machine (caused by CryptoWall 3.0)
• 64.90.49.124 port 80 - michaelserwa.com - CryptoWall 3.0 callback
• 46.30.43.66 port 80 - 6i3cb6owitcouepv.misterhoppo.com - Viewing the decrypt instructions
• 46.30.43.66 port 80 - 6i3cb6owitcouepv.ministryordas.com - Viewing the decrypt instructions
• 6i3cb6owitcouepv.winingpicturess.com - Domain in decrypt instructions that didn't resolve
• 6i3cb6owitcouepv.welcome2payload.su - Domain in decrypt instructions that didn't resolve

 

ANGLER EK:

• 2015-07-23 18:50:20 UTC - verzakki.hip-oh.com - GET /overviews/viewtopic.php?t=3711&f=529640774

• 2015-07-23 18:50:23 UTC - verzakki.hip-oh.com - GET /necessary.vbhtml?scene=F1SeJ&necessary=2c3O5mWN&have=AL_K&enemy=6stuMd&they=&
  drop=yxeJTFWA&throw=rwyK8IkBW&prove=&private=WtPEJW&purpose=JU

• 2015-07-23 18:50:26 UTC - verzakki.hip-oh.com - GET /white.wpx?sure=&person=n1Xk8vgm&simple=&figure=RxjX4fBuSN&how=&wish=Ch496hXTOV&
  own=RKy&form=6y9rA&fix=n5VjSe6f&hear=RzzE

 

POST-INFECTION TRAFFIC CAUSED BY CRYPTOWALL 3.0:

• 2015-07-23 18:50:35 UTC - ip-addr.es - GET /
• 2015-07-23 18:50:35 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?e=mma3j1ngs7h5x
• 2015-07-23 18:50:38 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?q=tlgwzydqnr9yd5
• 2015-07-23 18:50:41 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?y=g7dpi69yp9tqma
• 2015-07-23 18:50:50 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?p=bsx08d9tjfiu7
• 2015-07-23 18:51:01 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /-------
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/style.css
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/us.png
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/fr.png
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/de.png
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/es.png
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/flags/it.png
• 2015-07-23 18:51:05 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /picture.php?k=1nswsiv&8720cb9b42ee81c03c11c9defb91cb2d
• 2015-07-23 18:51:06 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/lt.png
• 2015-07-23 18:51:06 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/rt.png
• 2015-07-23 18:51:06 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/lb.png
• 2015-07-23 18:51:06 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/rb.png
• 2015-07-23 18:51:09 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /favicon.ico
• 2015-07-23 18:51:14 UTC - 6i3cb6owitcouepv.misterhoppo.com - POST /-------
• 2015-07-23 18:51:18 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/bitcoin.png
• 2015-07-23 18:51:18 UTC - 6i3cb6owitcouepv.misterhoppo.com - GET /img/button_pay.png
• 2015-07-23 18:51:38 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /-------
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/style.css
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/flags/us.png
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/flags/it.png
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/flags/es.png
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/flags/fr.png
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/flags/de.png
• 2015-07-23 18:51:42 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /picture.php?k=1nswsiv&84ebeb50eda94cb4fa0a747e5b7732d6
• 2015-07-23 18:51:43 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/lt.png
• 2015-07-23 18:51:43 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/rt.png
• 2015-07-23 18:51:43 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/lb.png
• 2015-07-23 18:51:43 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/rb.png
• 2015-07-23 18:51:46 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /favicon.ico
• 2015-07-23 18:51:50 UTC - 6i3cb6owitcouepv.ministryordas.com - POST /-------
• 2015-07-23 18:51:53 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/bitcoin.png
• 2015-07-23 18:51:53 UTC - 6i3cb6owitcouepv.ministryordas.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-07-23-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP of the malware:  2015-07-23-Angler-EK-and-CryptoWall-3.0-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.