2015-08-13 - ANGLER EK FROM 176.9.197.68 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-08-13-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:   2015-08-13-Angler-EK-and-CryptoWall-3.0-artifacts.zip

 

NOTES:

• On Monday 2015-08-10, FireEye published an article about the Angler exploit kit (EK) using an Inernet Explorer (IE) exploit based on CVE-2015-2419.
• Kafeine at the Malware Don't Need Coffee blog did a write-up on it, along with Jérôme Segura at Malwarebytes (link), and I'm sure others by now.
• This and my previous blog entry on Angler EK from 2015-08-10 have traffic using the CVE-2015-2419 IE exploit.

• Bitcoin address for this CryptoWall 3.0 sample's ransom payment was:  1LY58fiaAYFKgev67TN1UJtRveJh81D2dU

Shown above: Malicious script in page from compromised website.  The iframe points to an Angler EK landing page.

Shown above: Part of the CryptoWall 3.0 decrypt instructions from a browser window.

 

TRAFFIC

ASSOCIATED DOMAINS:

• actionasia.com - Compromised website
• 176.9.197.68 port 80 - paremmuus-haibun.casefollowup.com - Angler EK
• 192.185.241.107 port 80 - content-into-cash.com - Post-infection callback by CryptoWall 3.0
• 69.89.31.99 port 80 - cprnash.com - Post-infection callback by CryptoWall 3.0
• 208.113.240.70 port 80 - conopizzavenezuela.com - Post-infection callback by CryptoWall 3.0
• 109.73.172.51 port 80 - aplikacii.com - Post-infection callback by CryptoWall 3.0
• 192.185.182.83 port 80 - couponsonakeychain.com - Post-infection callback by CryptoWall 3.0
• 72.167.1.128 port 80 - futurecomtechnologies.com - Post-infection callback by CryptoWall 3.0
• 80.78.251.170 port 80 - 6i3cb6owitcouepv.spatopayforwin.com - User viewing the decrypt instructions
• 46.108.156.176 port 80 - 6i3cb6owitcouepv.bythepaywayall.com - User viewing the decrypt instructions
• 6i3cb6owitcouepv.lowallmoneypool.com - Domain for decrypt instructions that didn't resolve in DNS
• 6i3cb6owitcouepv.transoptionpay.com - Domain for decrypt instructions that didn't resolve in DNS

 

COMPROMISED WEBSITE:

• 2015-08-13 12:59:59 UTC - actionasia.com - GET /

 

ANGLER EK:

• 2015-08-13 13:00:05 UTC - paremmuus-haibun.casefollowup.com - GET /civis/search.php?keywords=91j&fid0=96.pm9696m65r3f5178&

• 2015-08-13 13:00:07 UTC - paremmuus-haibun.casefollowup.com - GET /area.jss?army=&party=IgT7O&on=&remain=THELsSg_tn&
  good=zUjVPAsUKa&word=sKTcLSi__FqW1ZgP4kT-Qu0

• 2015-08-13 13:00:07 UTC - paremmuus-haibun.casefollowup.com - POST /civis/before.zul?demand=&city=3MapGK&along=&but=MTVzrNav&
  anyone=lp6XWQNCZ4tLWTZfXpf5OV_M-LxSNCACnT

• 2015-08-13 13:00:10 UTC - paremmuus-haibun.casefollowup.com - GET /attitude.codasite?machine=&into=PrPXA5d9PT&responsibility=&
  number=Uy6&anyone=&cell=W6f68&during=XdneYH&top=lhfcSuovyz3bH9jUYynb8uOn

• 2015-08-13 13:00:17 UTC - paremmuus-haibun.casefollowup.com - GET /kill.cfm?patient=iawJf&describe=ACx1WfgDs&will=5qzHxk&an=&
  country=pMV6&mean=Y10Nxz4KP&report=24N0zyV3u&saint=oNjghq

 

POST-INFECTION CALLBACK BY CRYPTOWALL 3.0:

• 2015-08-13 13:00:19 UTC - ip-addr.es - GET /
• 2015-08-13 13:00:19 UTC - content-into-cash.com - POST /wp-content/plugins/pretty-link/cc.php?c=ktnk6wssy2s5lx
• 2015-08-13 13:02:23 UTC - ip-addr.es - GET /
• 2015-08-13 13:02:24 UTC - content-into-cash.com - POST /wp-content/plugins/pretty-link/cc.php?t=m8rm1qr8q3q3d
• 2015-08-13 13:02:28 UTC - cprnash.com - POST /wp-content/themes/twentytwelve/c.php?l=m8rm1qr8q3q3d
• 2015-08-13 13:02:31 UTC - conopizzavenezuela.com - POST /wp-content/plugins/stickyfooter/ccccc.php?n=m8rm1qr8q3q3d
• 2015-08-13 13:02:32 UTC - aplikacii.com - POST /openx/www/delivery/ccc.php?s=m8rm1qr8q3q3d
• 2015-08-13 13:02:35 UTC - couponsonakeychain.com - POST /wp-content/plugins/wp-smushit/ccc.php?i=m8rm1qr8q3q3d
• 2015-08-13 13:02:39 UTC - conopizzabrasil.com - POST /wp-content/plugins/revision-control/ccc.php?k=m8rm1qr8q3q3d
• 2015-08-13 13:02:40 UTC - futurecomtechnologies.com - POST /wp-content/plugins/jetpack/ccccc.php?l=m8rm1qr8q3q3d
• 2015-08-13 13:02:42 UTC - content-into-cash.com - POST /wp-content/plugins/pretty-link/cc.php?i=t2ofm9adha31sj4
• 2015-08-13 13:02:52 UTC - cprnash.com - POST /wp-content/themes/twentytwelve/c.php?j=t2ofm9adha31sj4
• 2015-08-13 13:02:56 UTC - conopizzavenezuela.com - POST /wp-content/plugins/stickyfooter/ccccc.php?g=t2ofm9adha31sj4
• 2015-08-13 13:02:56 UTC - aplikacii.com - POST /openx/www/delivery/ccc.php?i=t2ofm9adha31sj4
• 2015-08-13 13:03:00 UTC - couponsonakeychain.com - POST /wp-content/plugins/wp-smushit/ccc.php?g=t2ofm9adha31sj4
• 2015-08-13 13:03:02 UTC - conopizzabrasil.com - POST /wp-content/plugins/revision-control/ccc.php?f=t2ofm9adha31sj4
• 2015-08-13 13:03:03 UTC - futurecomtechnologies.com - POST /wp-content/plugins/jetpack/ccccc.php?e=t2ofm9adha31sj4
• 2015-08-13 13:03:06 UTC - content-into-cash.com - POST /wp-content/plugins/pretty-link/cc.php?d=ngo3ltzupfcsr
• 2015-08-13 13:03:10 UTC - cprnash.com - POST /wp-content/themes/twentytwelve/c.php?h=ngo3ltzupfcsr
• 2015-08-13 13:03:14 UTC - conopizzavenezuela.com - POST /wp-content/plugins/stickyfooter/ccccc.php?j=ngo3ltzupfcsr
• 2015-08-13 13:03:14 UTC - aplikacii.com - POST /openx/www/delivery/ccc.php?w=ngo3ltzupfcsr
• 2015-08-13 13:03:19 UTC - couponsonakeychain.com - POST /wp-content/plugins/wp-smushit/ccc.php?q=ngo3ltzupfcsr
• 2015-08-13 13:03:20 UTC - conopizzabrasil.com - POST /wp-content/plugins/revision-control/ccc.php?z=ngo3ltzupfcsr
• 2015-08-13 13:03:21 UTC - futurecomtechnologies.com - POST /wp-content/plugins/jetpack/ccccc.php?c=ngo3ltzupfcsr
• 2015-08-13 13:03:30 UTC - content-into-cash.com - POST /wp-content/plugins/pretty-link/cc.php?u=wy1p1k2jjsn93
• 2015-08-13 13:03:40 UTC - cprnash.com - POST /wp-content/themes/twentytwelve/c.php?w=wy1p1k2jjsn93
• 2015-08-13 13:03:42 UTC - conopizzavenezuela.com - POST /wp-content/plugins/stickyfooter/ccccc.php?z=wy1p1k2jjsn93
• 2015-08-13 13:03:44 UTC - aplikacii.com - POST /openx/www/delivery/ccc.php?n=wy1p1k2jjsn93
• 2015-08-13 13:03:46 UTC - couponsonakeychain.com - POST /wp-content/plugins/wp-smushit/ccc.php?m=wy1p1k2jjsn93
• 2015-08-13 13:03:48 UTC - conopizzabrasil.com - POST /wp-content/plugins/revision-control/ccc.php?k=wy1p1k2jjsn93
• 2015-08-13 13:03:49 UTC - futurecomtechnologies.com - POST /wp-content/plugins/jetpack/ccccc.php?g=wy1p1k2jjsn93

 

WHERE THE USER CLICKED ON LINKS, ENTERED THE CAPTCHA, AND VIEWED THE DECRYPT PAGES:

• 2015-08-13 13:17:25 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /[info removed]
• 2015-08-13 13:17:28 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/style.css
• 2015-08-13 13:17:28 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/us.png
• 2015-08-13 13:17:28 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/it.png
• 2015-08-13 13:17:28 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/fr.png
• 2015-08-13 13:17:28 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/es.png
• 2015-08-13 13:17:28 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/de.png
• 2015-08-13 13:17:28 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /picture.php?k=[info removed]&41a2517c80260a2dafab46d799fe624e
• 2015-08-13 13:17:29 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/lt.png
• 2015-08-13 13:17:30 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/rt.png
• 2015-08-13 13:17:30 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/lb.png
• 2015-08-13 13:17:30 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/rb.png
• 2015-08-13 13:17:32 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /favicon.ico
• 2015-08-13 13:17:38 UTC - 6i3cb6owitcouepv.spatopayforwin.com - POST /[info removed]
• 2015-08-13 13:17:40 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/flags/gb.png
• 2015-08-13 13:17:40 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/bitcoin.png
• 2015-08-13 13:17:40 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /img/button_pay.png
• 2015-08-13 13:17:58 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /[info removed]
• 2015-08-13 13:18:00 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/style.css
• 2015-08-13 13:18:00 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/us.png
• 2015-08-13 13:18:00 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/fr.png
• 2015-08-13 13:18:00 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/es.png
• 2015-08-13 13:18:00 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/it.png
• 2015-08-13 13:18:00 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/de.png
• 2015-08-13 13:18:01 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /picture.php?k=[info removed]&36890bfcb99df47dac0bc35008a70389
• 2015-08-13 13:18:01 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/lt.png
• 2015-08-13 13:18:01 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/rt.png
• 2015-08-13 13:18:01 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/lb.png
• 2015-08-13 13:18:01 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/rb.png
• 2015-08-13 13:18:03 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /favicon.ico
• 2015-08-13 13:18:07 UTC - 6i3cb6owitcouepv.bythepaywayall.com - POST /[info removed]
• 2015-08-13 13:18:10 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/flags/gb.png
• 2015-08-13 13:18:10 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/bitcoin.png
• 2015-08-13 13:18:10 UTC - 6i3cb6owitcouepv.bythepaywayall.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-08-13-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:   2015-08-13-Angler-EK-and-CryptoWall-3.0-artifacts.zip

NOTE:  All ZIP archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.