2015-09-08 - NEUTRINO EK FROM 46.108.156[.]190 SENDS CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSSOCIATED FILES:

• 2015-09-08-Neutrino-EK-sends-CryptWall-3.0-ransomware-traffic.pcap.zip
• 2015-09-08-Neutrino-EK-and-CryptoWall-3.0-ransomware-files.zip

 

NOTES:

• Bitcoin address for this CryptoWall 3.0 ransomware sample's ransom payment was:  12DEX1ynovnDVwXJ55hkVWQdE8E7gVFHQk

 

Shown above: Malicious script injected in page from compromised website.

Shown above: Bitcoin address from the CryptoWall 3.0 ransomware decrypt web page.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 46.108.156[.]190 port 5909 - xrmfwlwt.deltasig[.]xyz:5909 - Neutrino EK
• ip-addr[.]es - IP address check by the CryptoWall 3.0 ransomware
• 97.74.215[.]85 port 80 - drsrusso[.]com - CryptoWall 3.0 ransomware callback
• 80.78.251[.]161 port 80 - ayh2m57ruxjtwyd5.abctopayforwin[.]com - Page for decrypt instructions
• 80.78.251[.]161 port 80 - ayh2m57ruxjtwyd5.bcdthepaywayall[.]com - Page for decrypt instructions
• ayh2m57ruxjtwyd5.deballmoneypool[.]com - Domain for decrypt instructions that didn't resolve in DNS
• ayh2m57ruxjtwyd5.armnsoptionpay[.]com - Domain for decrypt instructions that didn't resolve in DNS

 

TRAFFIC:

• 2015-09-08 19:58:08 UTC - xrmfwlwt.deltasig[.]xyz:5909 - GET /2010/05/07/medical/equipment-tidings-double-snore-collapse-twin-loud-pursue-gradual-pleasure.html
• 2015-09-08 19:58:09 UTC - xrmfwlwt.deltasig[.]xyz:5909 - GET /northward/1769188/clasp-kindle-camera-altogether
• 2015-09-08 19:58:10 UTC - xrmfwlwt.deltasig[.]xyz:5909 - GET /tone/1151016/shoulder-source-perch-stern-rumble
• 2015-09-08 19:58:12 UTC - xrmfwlwt.deltasig[.]xyz:5909 - GET /once/eGxiZGZ3bw
• 2015-09-08 19:58:13 UTC - xrmfwlwt.deltasig[.]xyz:5909 - GET /fumble/herself-17781125
• 2015-09-08 19:58:18 UTC - ip-addr[.]es - GET /
• 2015-09-08 19:58:19 UTC - drsrusso[.]com - POST /mtqzpa/templates/ap4.php?r=k67c3fqr32xs
• 2015-09-08 19:58:22 UTC - drsrusso[.]com - POST /mtqzpa/templates/ap4.php?q=nvcp6inctn
• 2015-09-08 19:58:26 UTC - drsrusso[.]com - POST /mtqzpa/templates/ap4.php?e=9a1b2l8pik1
• 2015-09-08 19:58:38 UTC - drsrusso[.]com - POST /mtqzpa/templates/ap4.php?w=lk5102anfpz0bfw
• 2015-09-08 20:00:31 UTC - ayh2m57ruxjtwyd5.abctopayforwin[.]com - HTTP traffic when the user checked a decrypt page
• 2015-09-08 20:00:50 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall[.]com - HTTP traffic when the user checked a decrypt page
• 2015-09-08 20:01:10 UTC - DNS query for: ayh2m57ruxjtwyd5.deballmoneypool[.]com
• 2015-09-08 20:01:14 UTC - DNS query for: ayh2m57ruxjtwyd5.armnsoptionpay[.]com

 

Click here to return to the main page.