2015-09-08 - NEUTRINO EK FROM 46.108.156.190 SENDS CRYPTOWALL 3.0

ASSOCIATED FILES:

• ZIP of the PCAP:  2015-09-08-Neutrino-EK-sends-CryptWall-3.0-traffic.pcap.zip
• ZIP archive of malware/artifacts:  2015-09-08-Angler-EK-sends-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for this CryptoWall 3.0 sample's ransom payment was:  12DEX1ynovnDVwXJ55hkVWQdE8E7gVFHQk

 

Shown above: Malicious script injected in page from compromised website.

Shown above: Bitcoin address from the CryptoWall 3.0 decrypt web page.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 46.108.156.190 port 5909 - xrmfwlwt.deltasig.xyz:5909 - Neutrino EK
• ip-addr.es - IP address check by the CryptoWall 3.0 malware
• 97.74.215.85 port 80 - drsrusso.com - CryptoWall 3.0 callback
• 80.78.251.161 port 80 - ayh2m57ruxjtwyd5.abctopayforwin.com - Page for decrypt instructions
• 80.78.251.161 port 80 - ayh2m57ruxjtwyd5.bcdthepaywayall.com - Page for decrypt instructions
• ayh2m57ruxjtwyd5.deballmoneypool.com - Domain for decrypt instructions that didn't resolve in DNS
• ayh2m57ruxjtwyd5.armnsoptionpay.com - Domain for decrypt instructions that didn't resolve in DNS

 

TRAFFIC:

• 2015-09-08 19:58:08 UTC - xrmfwlwt.deltasig.xyz:5909 - GET /2010/05/07/medical/equipment-tidings-double-snore-collapse-twin-loud-pursue-gradual-pleasure.html
• 2015-09-08 19:58:09 UTC - xrmfwlwt.deltasig.xyz:5909 - GET /northward/1769188/clasp-kindle-camera-altogether
• 2015-09-08 19:58:10 UTC - xrmfwlwt.deltasig.xyz:5909 - GET /tone/1151016/shoulder-source-perch-stern-rumble
• 2015-09-08 19:58:12 UTC - xrmfwlwt.deltasig.xyz:5909 - GET /once/eGxiZGZ3bw
• 2015-09-08 19:58:13 UTC - xrmfwlwt.deltasig.xyz:5909 - GET /fumble/herself-17781125
• 2015-09-08 19:58:18 UTC - ip-addr.es - GET /
• 2015-09-08 19:58:19 UTC - drsrusso.com - POST /mtqzpa/templates/ap4.php?r=k67c3fqr32xs
• 2015-09-08 19:58:22 UTC - drsrusso.com - POST /mtqzpa/templates/ap4.php?q=nvcp6inctn
• 2015-09-08 19:58:26 UTC - drsrusso.com - POST /mtqzpa/templates/ap4.php?e=9a1b2l8pik1
• 2015-09-08 19:58:38 UTC - drsrusso.com - POST /mtqzpa/templates/ap4.php?w=lk5102anfpz0bfw
• 2015-09-08 20:00:31 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - HTTP traffic when the user checked a decrypt page
• 2015-09-08 20:00:50 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - HTTP traffic when the user checked a decrypt page
• 2015-09-08 20:01:10 UTC - DNS query for: ayh2m57ruxjtwyd5.deballmoneypool.com
• 2015-09-08 20:01:14 UTC - DNS query for: ayh2m57ruxjtwyd5.armnsoptionpay.com

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-09-08-Neutrino-EK-sends-CryptWall-3.0-traffic.pcap.zip
• ZIP archive of malware/artifacts:  2015-09-08-Angler-EK-sends-CryptoWall-3.0-artifacts.zip

All zip archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.