2015-08-24 - ANGLER EK FROM 31.148.219.194 SENDS TESLACRYPT 2.0

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-08-24-Angler-EK-sends-TeslaCrypt-2.0-traffic.pcap.zip
• ZIP file of the malware:  2015-08-24-Angler-EK-sends-Teslacrypt-2.0-artifacts.zip

 

NOTES:

• Kafeine tweeted about this ransomware on 2015-07-13 ( link ).
• The next day on Securelist.com, Kaspersky Lab released details on how TeslaCrypt, now at version 2.0, has been impersonating CryptoWall 3.0 ( link ).
• I got an sample from Nuclear EK on 2015-07-20 ( link ).
• At first glance, it might look like CryptoWall 3.0, but artifacts & traffic from the infected host show this is an updated version of TeslaCrypt (also known as AlphaCrypt).
• Images from the infected host are below.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• www.eductory.com - Compromised website
• 31.148.219.194 port 80 - crisanto-ungeisen.ballgame.photos - Angler EK
• ipinfo.io - IP address check by the TeslaCrypt 2.0
• 192.185.171.111 port 80 - www.micropiso.cl - Post-infection callback from the TeslaCrypt 2.0
• 78.47.143.212 port 80 - qw2234duoiyu.h2fyr6785jhdhfg.com - User checking the decrypt instructions
• 104.18.41.9 port 80 - awoeinf832as.wo49i277rnw.com - User checking the decrypt instructions

 

COMPROMISED WEBSITE:

• 2015-08-24 14:43:22 UTC - www.eductory.com - GET /

 

ANGLER EK:

• 2015-08-24 14:43:29 UTC - crisanto-ungeisen.ballgame.photos - GET /boards/viewtopic.php?t=351u&f=n5511lg3.30ch118995cl80&

• 2015-08-24 14:43:34 UTC - crisanto-ungeisen.ballgame.photos - GET /an.webarchivexml?committee=zfZ5tB&at=RSIBzf&determine=U5Rc&question=&
  watch=KHvzV&prevent=&nearly=IYjtXMSEt&already=uvJi0_fB6PzSv6Zdwm

• 2015-08-24 14:43:34 UTC - crisanto-ungeisen.ballgame.photos - POST /boards/carry.wpp?procedure=&letter=FGwkh&think=uu_&one=n-2Q3_L&
  production=BQHDXPiFY0-n0lMypLFO_NZaty0lRbmlC (application/json)

• 2015-08-24 14:43:38 UTC - crisanto-ungeisen.ballgame.photos - GET /knowledge.muse?time=hbJaH_&opportunity=h-Tv8&research=8135nOX&
  leave=&product=OllY5&boat=¬e=-b3pZLjT7W&strike=&half=Wqb26Li&ready=&job=pXi6M3Oq

 

POST-INFECTION TRAFFIC:

• 2015-08-24 14:43:42 UTC - ipinfo.io - GET /ip
• 2015-08-24 14:43:44 UTC - www.micropiso.cl - GET /wp-content/themes/r.php?D0B1745184D4B19325F8CA239D78E80447B30D1AA023E90D348F129845
  BED2C6232C0D4FB0483B0A67CABEC4CDAFA704348DA909500BAA45B09893313E125115E7532E75D1C9258BE6ECBFCEE78E003BBF6659880E50D80
  4DE812F91C4174244CA947F39F557D73983824B3E18AE2C169F3439C51CD4D2A07CB5C5DF5944A0D6A9DF6CA25E99FD65B59716C2C10D92075E4F
  FA08BF655755611730083FBE8558B1586B3523028C193AD596ACAA31051DB7442872BA4705AD371BDA7D4821A363D128226386BF1E35D9C3DF03481
  557099C3C7227452020AAEAB66A33C3CFDBED
• 2015-08-24 14:44:12 UTC - www.micropiso.cl - GET /wp-content/themes/r.php?D3ECA3EC23AA62A397F6CA71219BA2F09ECF3FC7527C84B91E67D326B
  792839F0BB52641389B2E2B1C50466D4F043C4408BD9347DB38EB235E8306AC72FB3058B17032B43F784D1FFC92282F1D2C76E94419913716E14060
  5659A732A922757518FACDBC94B024358D4D14DC5294EE2EF22F1172204FFD068CF364F3DC3B57DB7F228E6917DD6FDA7BCBDF4621BC7E274A8B
  D2C5BDDA83FDE16933CDA492802FB351F6A24052F747EDAD86EFBACAA3BF
• 2015-08-24 14:45:12 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /[info removed]
• 2015-08-24 14:45:13 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/style.css
• 2015-08-24 14:45:13 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/flags/us.png
• 2015-08-24 14:45:13 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/flags/es.png
• 2015-08-24 14:45:13 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/flags/fr.png
• 2015-08-24 14:45:13 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/flags/it.png
• 2015-08-24 14:45:13 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/flags/de.png
• 2015-08-24 14:45:13 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /captcha.php
• 2015-08-24 14:45:13 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/lt.png
• 2015-08-24 14:45:13 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/rt.png
• 2015-08-24 14:45:14 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/lb.png
• 2015-08-24 14:45:14 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/rb.png
• 2015-08-24 14:45:15 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /favicon.ico
• 2015-08-24 14:45:18 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - POST /[info removed]
• 2015-08-24 14:45:19 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /service.php
• 2015-08-24 14:45:24 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/bitcoin.png
• 2015-08-24 14:45:24 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/button_pay.png
• 2015-08-24 14:45:54 UTC - qw2234duoiyu.h2fyr6785jhdhfg.com - GET /img/button_pay_sel.png
• 2015-08-24 14:46:02 UTC - awoeinf832as.wo49i277rnw.com - GET /[info removed]
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/style.css
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/flags/us.png
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/flags/it.png
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/flags/fr.png
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/flags/es.png
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/flags/de.png
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /captcha.php
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/lt.png
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/rt.png
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/lb.png
• 2015-08-24 14:46:03 UTC - awoeinf832as.wo49i277rnw.com - GET /img/rb.png
• 2015-08-24 14:46:04 UTC - awoeinf832as.wo49i277rnw.com - GET /favicon.ico
• 2015-08-24 14:46:12 UTC - awoeinf832as.wo49i277rnw.com - POST /[info removed]
• 2015-08-24 14:46:14 UTC - awoeinf832as.wo49i277rnw.com - GET /service.php
• 2015-08-24 14:46:15 UTC - awoeinf832as.wo49i277rnw.com - GET /img/bitcoin.png
• 2015-08-24 14:46:15 UTC - awoeinf832as.wo49i277rnw.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

• ZIP of the PCAP:  2015-08-24-Angler-EK-sends-TeslaCrypt-2.0-traffic.pcap.zip
• ZIP file of the malware:  2015-08-24-Angler-EK-sends-Teslacrypt-2.0-artifacts.zip

NOTE:  All ZIP archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.