2015-09-03 - ANGLER EK SENDS TESLACRYPT 2.0 RANSOMWARE ONE DAY, THEN CRYPTOWALL 3.0 RANSOMWARE THE NEXT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSSOCIATED FILES:

• 2015-09-03-Angler-EK-sends-ransomware-traffic-2-pcaps.zip
• 2015-09-03-Angler-EK-and-ransomware-files.zip

 

NOTES:

• The actor that's been switching between Angler and Neutrino EK to send TeslaCrypt 2.0 ransomware was back to Angler on 2015-09-02.  The next day on 2015-09-03, I saw Angler send CryptoWall 3.0 ransomware.

 

Shown above: Iframe from compromised website on Wendesday, 2015-09-02.  Ended up with TeslaCrypt 2.0.

 

Shown above: Iframe from compromised website on Thursday, 2015-09-03.  Ended up with CryptoWall 3.0.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• makerfairetulsa[.]com - Compromised website (appears to be fixed as of 2015-09-03)
• 74.63.253[.]83 port 80 - zukov-villenvi.honeybeeology[.]com - Angler EK
• 79.96.158[.]60 port 80 - light-tech[.]pl - TeslaCrypt 2.0 ransomware callback

• guesswhobentonville[.]com - Compromised website on 2015-09-03
• 31.148.220[.]181 port 80 - kaaiuitingen.freepregnancytips[.]com - Angler EK
• 184.168.174[.]1 port 80 - fundmymission[.]org - CryptoWall 3.0 ransomware callback
• 80.78.251[.]161 port 80 - ayh2m57ruxjtwyd5.abctopayforwin[.]com - Using viewing one of the decrypt instruction pages
• 80.78.251[.]161 port 80 - ayh2m57ruxjtwyd5.bcdthepaywayall[.]com - Using viewing one of the decrypt instruction pages

 

2015-09-02 - ANGLER EK SENDS TESLACRYPT 2.0 RANSOMWARE:

• 2015-09-02 22:54:15 UTC - makerfairetulsa[.]com - GET /

• 2015-09-02 22:54:17 UTC - zukov-villenvi.honeybeeology[.]com - GET /forums/search.php?keywords=8k9r&fid0=1ld7n565m3.6c8&

• 2015-09-02 22:54:19 UTC - zukov-villenvi.honeybeeology[.]com - GET /claim.wdgt?glass=w_MDYCWM&little=78h-EUKo&
  relationship=gPQHqTDk_4S8WcXqtvZ6-xqfqPW5xvaa

• 2015-09-02 22:54:19 UTC - zukov-villenvi.honeybeeology[.]com POST /forums/English.jspa?low=vg2jLkeGTn&slowly=&course=98Okz7s&
  have=j8GuVxS79&learn=ndesnGg&second=2wKe&bill=bec7&ball=&rest=NQoOZll

• 2015-09-02 22:54:20 UTC - zukov-villenvi.honeybeeology[.]com - GET /claim.wdgt?glass=w_MDYCWM&little=78h-EUKo&
  relationship=gPQHqTDk_4S8WcXqtvZ6-xqfqPW5xvaa

• 2015-09-02 22:54:23 UTC - zukov-villenvi.honeybeeology[.]com - GET /old.edge?though=&actually=SbpVpx6Qf_&limit=XUvXGoX2TV&
  of=Hv9orD&dark=HTiZ&God=aWgBVp&datum=LBTkDsI&horse=IiJ09

• 2015-09-02 22:54:26 UTC - zukov-villenvi.honeybeeology[.]com - GET /create.php?know=aqsbEyOH&you=skf_C&except=Pg8R_F&
  visit=Xdy7B0&line=gfit-mkHJb&national=weW&represent=&friend=x_bGQS&those=&deal=vA7y

• 2015-09-02 22:54:29 UTC - ipinfo[.]io - GET /ip
• 2015-09-02 22:54:29 UTC - light-tech[.]pl - GET /wp-content/plugins/gallery-slider/misc.php?D0B1745184D4B19[long string of characters]
• 2015-09-02 22:54:46 UTC - light-tech[.]pl - GET /wp-content/plugins/gallery-slider/misc.php?D3ECA3EC23AA62A[long string of characters]

 

2015-09-03 - ANGLER EK SENDS CRYPTOWALL 3.0 RANSOMWARE:

• 2015-09-03 20:40:36 UTC - guesswhobentonville[.]com - GET /

• 2015-09-03 20:40:41 UTC - kaaiuitingen.freepregnancytips[.]com - GET /boards/search.php?keywords=527&fid0=2wua1v70.16764y5f2617&

• 2015-09-03 20:40:44 UTC - kaaiuitingen.freepregnancytips[.]com - GET /food.asp?heart=mlX&walk=blPg&husband=&side=sI1dzcRCu&death=&
  carry=nz-mr3q4dmZGRGHisl5ANG2a4rU11oSF

• 2015-09-03 20:40:44 UTC - kaaiuitingen.freepregnancytips[.]com POST /boards/suffer.php4?from=gdiPOD6Cmn&treatment=do8Qs4&
  you=ADY0Py3W&after=EL6sh&pick=&mile=Nmhgi3bi6LZlbr9J9JP

• 2015-09-03 20:40:44 UTC - kaaiuitingen.freepregnancytips[.]com - GET /food.asp?heart=mlX&walk=blPg&husband=&side=sI1dzcRCu&death=&
  carry=nz-mr3q4dmZGRGHisl5ANG2a4rU11oSF

• 2015-09-03 20:40:50 UTC - kaaiuitingen.freepregnancytips[.]com - GET /afternoon.zhtml?generally=SdZU9ea-&determine=aGG9Gp&
  improve=5CN&least=OMpmo6oCJ4uB31CmZfIMjtzhaBuaf_K

• 2015-09-03 20:40:52 UTC - kaaiuitingen.freepregnancytips[.]com - GET /of.lbc?reduce=&literature=ZpAhI-AokG&club=&entire=MdGTPBx&
  university=&policy=cQrTnleEf&we=XEBNH6ezP&cost=k8L5-&importance=G55Ygh8T

• 2015-09-03 20:40:55 UTC - ip-addr[.]es - GET /
• 2015-09-03 20:40:56 UTC - fundmymission[.]org - POST /wp-includes/theme-compat/ap5.php?k=nv7rw9grj4ey
• 2015-09-03 20:40:59 UTC - fundmymission[.]org - POST /wp-includes/theme-compat/ap5.php?h=u1sxvxzi0ryu1
• 2015-09-03 20:41:02 UTC - fundmymission[.]org - POST /wp-includes/theme-compat/ap5.php?p=judej9e7mzep
• 2015-09-03 20:41:10 UTC - fundmymission[.]org - POST /wp-includes/theme-compat/ap5.php?n=goy167r7311k
• 2015-09-03 20:41:38 UTC - ayh2m57ruxjtwyd5.abctopayforwin[.]com - HTTP GET and POST requests when checking the decrypt instructions
• 2015-09-03 20:42:02 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall[.]com - HTTP GET and POST requests when checking the decrypt instructions

 

Click here to return to the main page.