2015-07-31 - ANGLER EK FROM 69.162.112.181 SENDS CRYPTOWALL 3.0
ASSOCIATED FILES:
- Zip archive of the traffic: 2015-07-31-Angler-EK-pcaps.zip
- Zip archive of the malware: 2015-07-31-Angler-EK-sends-CryptoWall-3.0-artifacts.zip
NOTES:
- Bitcoin address for this CryptoWall 3.0 sample's ransom payment was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU
TRAFFIC
ANGLER EK - EXAMPLE 1 OF 2 (2015-07-31 at 13:17 UTC):
- 69.162.112.181 port 80 - subcity.entreeonlinestore.com - GET /forums/viewtopic.php?t=53spa&f=ee7go0n4
- 69.162.112.181 port 80 - subcity.entreeonlinestore.com - GET /effect.esproj?service=E5VaQEhh&around=e9n7PdzRW&relate=gKg&claim=KJfn_&herself=SCZkkQNqdq&mind=&member=TIGd&they=Ccx1OqPyf
- 69.162.112.181 port 80 - subcity.entreeonlinestore.com - GET /represent.a5w?window=q2YeY&shall=A6XoN&strength=aaUWf&including=bi-pOe2A&field=zTkKToXWzK&allow=axzFH&English=_30Agg65Xx
ANGLER EK - EXAMPLE 2 OF 2 (2015-07-31 at 13:23 UTC):
- 69.162.112.181 port 80 - wiedererzaehltem.entreeonlinestore.com - GET /forums/viewforum.php?f=72qxm&sid=lnehl180
- 69.162.112.181 port 80 - wiedererzaehltem.entreeonlinestore.com - GET /respect.rjs?aid=FE0&foot=BGTs0ObcrV&general=qev0&dark=pYokFijo0TinWWYyu6bLvW-K1hnFgO0
- 69.162.112.181 port 80 - wiedererzaehltem.entreeonlinestore.com - GET /could.jsp?buy=XU1AeDDHxz&earth=&rate=oFMjMt&rest=&boat=Q-9&organization=0Qp018v61r&hotel=o3oUvyis&let=Q1J&that=dxI&reach=0EH44
CRYPTOWALL 3.0 POST-INFECTION TRAFFIC (FROM EXAMPLE 2 OF 2):
- ip-addr.es - GET / [IP address check]
- 49.50.8.41 port 80 - homestyle1974.com - POST /wp-content/uploads/rrr.php?[single letter]=[random string]
- 194.228.50.123 port 80 - kesbuk.cz - POST /wp-content/uploads/rrrr.php?[single letter]=[random string]
- 81.177.167.191 port 80 - 6i3cb6owitcouepv.spatopayforwin.com - Decrypt instructions web page
- 81.177.167.191 port 80 - 6i3cb6owitcouepv.bythepaywayall.com - Decrypt instructions web page
- 6i3cb6owitcouepv.lowallmoneypool.com - Domain for decrypt instructions that did not resolve
- 6i3cb6owitcouepv.transoptionpay.com - Domain for decrypt instructions that did not resolve
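The post-infection sequence above (IP-address check, then POSTs to compromised WordPress sites with a single-letter query parameter, then the decrypt-instructions domains) is what a proxy-log detection would key on. The script below is an added example, not code from this site or from the pcaps: it parses a constructed proxy log (the timestamp/source/method/URL format, the internal source addresses and the query values are all made up, only the hosts and paths mirror the listing above), tags each request, and reports a source host as infected when it performs the IP check and then a matching C2 POST. The path pattern is deliberately tied to the `rrr.php`/`rrrr.php` names seen in this sample, so it will miss a campaign that renames the script; the ordering rule (IP check before C2 POST) is an assumption drawn from this one capture.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log (not taken from the pcap archive).
# Format: <timestamp> <source-ip> <method> <url>
SAMPLE_LOG = """\
2015-07-31T13:23:40Z 192.168.1.100 GET http://ip-addr.es/
2015-07-31T13:23:42Z 192.168.1.100 POST http://homestyle1974.com/wp-content/uploads/rrr.php?p=8k3ld0x2r
2015-07-31T13:23:45Z 192.168.1.100 POST http://kesbuk.cz/wp-content/uploads/rrrr.php?z=qa7w3n
2015-07-31T13:24:01Z 192.168.1.100 GET http://6i3cb6owitcouepv.spatopayforwin.com/
2015-07-31T13:25:10Z 192.168.1.101 GET http://example-blog.test/wp-content/uploads/2015/07/photo.jpg
2015-07-31T13:26:00Z 192.168.1.102 POST http://example-blog.test/wp-content/uploads/rrr.php?contact=form
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
# CryptoWall 3.0 check-in path seen in this sample: rrr.php / rrrr.php under uploads
C2_PATH_RE = re.compile(r"^/wp-content/uploads/r+\.php$")
# "[random string]" in the listing: treat as one run of URL-safe characters
RANDOM_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{4,}$")
IP_CHECK_HOSTS = {"ip-addr.es"}
# Decrypt-instruction domains from the listing (including the two that did not resolve)
DECRYPT_PAGE_DOMAINS = {
    "spatopayforwin.com", "bythepaywayall.com",
    "lowallmoneypool.com", "transoptionpay.com",
}


def classify(method, url):
    """Return a tag for a request that matches the post-infection pattern, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if method == "GET" and host in IP_CHECK_HOSTS:
        return "ip-check"
    if method == "POST" and C2_PATH_RE.match(parts.path):
        params = parse_qsl(parts.query, keep_blank_values=True)
        # Exactly one parameter, single-letter key, random-looking value
        if len(params) == 1:
            key, value = params[0]
            if len(key) == 1 and key.isalpha() and RANDOM_VALUE_RE.match(value):
                return "cryptowall-c2-post"
    if method == "GET" and any(host == d or host.endswith("." + d) for d in DECRYPT_PAGE_DOMAINS):
        return "decrypt-instructions"
    return None


def scan(log_text):
    """Map each source IP to its tagged requests, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        tag = classify(m["method"], m["url"])
        if tag:
            hits[m["src"]].append((m["ts"], tag))
    return dict(hits)


def infected_hosts(log_text):
    """Sources that did the IP check and a matching C2 POST afterwards (assumed order)."""
    result = set()
    for src, events in scan(log_text).items():
        tags = [tag for _, tag in events]
        if "ip-check" in tags:
            after_check = tags[tags.index("ip-check"):]
            if "cryptowall-c2-post" in after_check:
                result.add(src)
    return result


if __name__ == "__main__":
    for src, events in scan(SAMPLE_LOG).items():
        for ts, tag in events:
            print(f"{src} {ts} {tag}")
    print("infected:", sorted(infected_hosts(SAMPLE_LOG)))
```

The two negative lines in the sample matter as much as the positives: an ordinary image fetched from `/wp-content/uploads/` is ignored because the path does not match, and a POST to `rrr.php` with a named form field is ignored because the query key is not a single letter. Requests to the decrypt-instruction domains are tagged even if DNS failed for them in the capture, since a resolver or proxy log will still record the lookup attempt.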
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2015-07-31-Angler-EK-pcaps.zip
- Zip archive of the malware: 2015-07-31-Angler-EK-sends-CryptoWall-3.0-artifacts.zip
All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.