2015-07-27 - ANGLER EK FROM 69.162.116.253 SENDS CRYPTOWALL 3.0

ASSOCIATED FILES:

• Zip archive of the traffic:  2015-07-27-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• Zip archive of the malware:  2015-07-27-Angler-EK-and-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for the CryptoWall 3.0 sample was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same one I've documented since 2015-07-09).

 

TRAFFIC

ASSOCIATED DOMAINS:

• www.excelsiorhotelhongkong.net - Compromised website
• 128.199.86.71 port 80 - roegrllj.hopto.org - Redirect/gate pointing to Angler EK
• 69.162.116.253 port 80 - ausgezaehltesfociavi.ladyelvis.ca - Angler EK
• 212.83.185.105 port 80 - moblineh.com - Post-infection CryptoWall 3.0 callback
• 54.187.137.89 port 80 - eduvantage.com - Post-infection CryptoWall 3.0 callback
• 95.163.121.212 port 80 - 6i3cb6owitcouepv.spatopayforwin.com - Viewing the decrypt instructions
• 95.163.121.212 port 80 - 6i3cb6owitcouepv.bythepaywayall.com - Viewing the decrypt instructions
• 6i3cb6owitcouepv.lowallmoneypool.com - domain for decrypt instructions that did not resolve in DNS
• 6i3cb6owitcouepv.transoptionpay.com - domain for decrypt instructions that did not resolve in DNS

 

TRAFFIC:

• 2015-07-27 15:11:24 UTC - www.excelsiorhotelhongkong.net - GET /
• 2015-07-27 15:11:26 UTC - roegrllj.hopto.org - GET /wordpress/?bf7N&utm_source=dazzer

• 2015-07-27 15:11:27 UTC - ausgezaehltesfociavi.ladyelvis.ca - GET /plaque/viewtopic.php?t=9600&f=aebf211gcd4141169
• 2015-07-27 15:11:29 UTC - ausgezaehltesfociavi.ladyelvis.ca - GET /total.xhtml?within=Fq0OZM8jp4&attitude=odP&class=&read=_5G7n0XpmZ9fWx
  YXQMKW8D1GV7heMUbAafO
• 2015-07-27 15:11:32 UTC - ausgezaehltesfociavi.ladyelvis.ca - GET /charge.dml?lady=VXvTq&other=TEOcV7m&suddenly=oU6PVU&company=4tO&
  fine=9HQ9cv7cO&poet=XFz&try=KshAD8&effect=huP423mJz

• 2015-07-27 15:11:38 UTC - ip-addr.es - GET /
• 2015-07-27 15:11:39 UTC - moblineh.com - POST /modules/mod_tower/rrrrr.php?c=rpsrdmg4hp
• 2015-07-27 15:11:39 UTC - moblineh.com - GET /cgi-sys/suspendedpage.cgi?c=rpsrdmg4hp
• 2015-07-27 15:11:40 UTC - eduvantage.com - POST /wp-content/uploads/rrrr.php?u=rpsrdmg4hp
• 2015-07-27 15:11:42 UTC - moblineh.com - POST /modules/mod_tower/rrrrr.php?i=0r4v3g1cex40s0m
• 2015-07-27 15:11:43 UTC - moblineh.com - GET /cgi-sys/suspendedpage.cgi?i=0r4v3g1cex40s0m
• 2015-07-27 15:11:43 UTC - eduvantage.com - POST /wp-content/uploads/rrrr.php?r=0r4v3g1cex40s0m
• 2015-07-27 15:11:46 UTC - moblineh.com - POST /modules/mod_tower/rrrrr.php?g=e6uh4sdoqgts
• 2015-07-27 15:11:47 UTC - moblineh.com - GET /cgi-sys/suspendedpage.cgi?g=e6uh4sdoqgts
• 2015-07-27 15:11:47 UTC - eduvantage.com - POST /wp-content/uploads/rrrr.php?h=e6uh4sdoqgts
• 2015-07-27 15:11:56 UTC - moblineh.com - POST /modules/mod_tower/rrrrr.php?c=28tyfu1ebf
• 2015-07-27 15:11:57 UTC - moblineh.com - GET /cgi-sys/suspendedpage.cgi?c=28tyfu1ebf
• 2015-07-27 15:11:57 UTC - eduvantage.com - POST /wp-content/uploads/rrrr.php?g=28tyfu1ebf
• 2015-07-27 15:12:11 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /removed
• 2015-07-27 15:12:12 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/style.css
• 2015-07-27 15:12:12 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/us.png
• 2015-07-27 15:12:13 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/es.png
• 2015-07-27 15:12:13 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/it.png
• 2015-07-27 15:12:13 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/fr.png
• 2015-07-27 15:12:13 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/de.png
• 2015-07-27 15:12:14 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /picture.php?k=1nswsiv&352fb25625b841239edae3598e303094
• 2015-07-27 15:12:14 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/lt.png
• 2015-07-27 15:12:15 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/rt.png
• 2015-07-27 15:12:15 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/lb.png
• 2015-07-27 15:12:15 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/rb.png
• 2015-07-27 15:12:17 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /favicon.ico
• 2015-07-27 15:12:21 UTC - 6i3cb6owitcouepv.spatopayforwin.com - POST /removed
• 2015-07-27 15:12:23 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/bitcoin.png
• 2015-07-27 15:12:23 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/button_pay.png
• 2015-07-27 15:13:02 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /removed
• 2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/style.css
• 2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/us.png
• 2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/de.png
• 2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/es.png
• 2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/it.png
• 2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/fr.png
• 2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /picture.php?k=1nswsiv&b23cb2379e4570a81be26b0ee1346d2f
• 2015-07-27 15:13:05 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/lt.png
• 2015-07-27 15:13:06 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/rt.png
• 2015-07-27 15:13:06 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/lb.png
• 2015-07-27 15:13:06 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/rb.png
• 2015-07-27 15:13:08 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /favicon.ico
• 2015-07-27 15:13:12 UTC - 6i3cb6owitcouepv.bythepaywayall.com - POST /removed
• 2015-07-27 15:13:14 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/bitcoin.png
• 2015-07-27 15:13:14 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/button_pay.png
• 2015-07-27 15:14:40 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/button_pay_sel.png

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2015-07-27-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• Zip archive of the malware:  2015-07-27-Angler-EK-and-CryptoWall-3.0-artifacts.zip

All zip archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.