2015-09-14 - ANGLER EK FROM 207.182.157.157 SENDS CRYPTOWALL 3.0
PCAP AND MALWARE:
- ZIP of the PCAP: 2015-09-14-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
- ZIP file of the malware: 2015-09-14-Angler-EK-sends-CryptoWall-3.0-artifacts.zip
NOTES:
- Bitcoin address for this CryptoWall 3.0 sample's ransom payment was: 12DEX1ynovnDVwXJ55hkVWQdE8E7gVFHQk
[Image not included here: Decrypt instructions from the CryptoWall sample]
TRAFFIC
ASSOCIATED DOMAINS:
- 207.182.157.157 port 80 - pc2209.compasspointlaw.net - Angler EK
- ip-addr.es - IP address check by CryptoWall 3.0
- 50.62.245.1 port 80 - fan-out.com - CryptoWall 3.0 callback
- 80.78.251.161 port 80 - ayh2m57ruxjtwyd5.abctopayforwin.com - User checking a page for the decrypt instructions
- 80.78.251.161 port 80 - ayh2m57ruxjtwyd5.bcdthepaywayall.com - User checking a page for the decrypt instructions
- ayh2m57ruxjtwyd5.deballmoneypool.com - Domain for one of the decrypt instructions pages (didn't resolve in DNS)
- ayh2m57ruxjtwyd5.armnsoptionpay.com - Domain for one of the decrypt instructions pages (didn't resolve in DNS)
[Image not included here: Malicious script in compromised website pointing to Angler EK]
ANGLER EK:
- 2015-09-14 14:40:39 UTC - pc2209.compasspointlaw.net - GET /civis/viewtopic.php?t=8337b&f=bm8y6m.57101bh5
- 2015-09-14 14:40:42 UTC - pc2209.compasspointlaw.net - POST /civis/finish.jhtml?piece=MeFq5F9&normal=h3w5IUSeqz&defense=&end=_odPeQGa&kid=y7Kw16Mqn7&seem=&police=GA9Sy&effect=&authority=l1o&again=1Yqn&element=g
- 2015-09-14 14:40:42 UTC - pc2209.compasspointlaw.net - GET /special.ucf?principle=&among=s7mjdf&most=&page=zFJ7l9uQ2Q&strong=&name=KL3&and=It-&actually=1VS2FnX&family=j43-&rest=eyhh1vun0xX_D5O
- 2015-09-14 14:40:43 UTC - pc2209.compasspointlaw.net - GET /special.ucf?principle=&among=s7mjdf&most=&page=zFJ7l9uQ2Q&strong=&name=KL3&and=It-&actually=1VS2FnX&family=j43-&rest=eyhh1vun0xX_D5O
- 2015-09-14 14:40:47 UTC - pc2209.compasspointlaw.net - GET /national.wbxml?game=qxkriSs&enemy=kVr2&citizen=PvadD&once=DteoXU6D3&west=dP57Gx&strike=fJY7VgP&will=59Z&England=R6fgwXz
POST-INFECTION TRAFFIC CAUSED BY THE CRYPTOWALL 3.0 PAYLOAD:
- 2015-09-14 14:40:51 UTC - ip-addr.es - GET /
- 2015-09-14 14:40:51 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?u=yy93aadkmg4jx
- 2015-09-14 14:40:54 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?n=1x9yml6g7180m7b
- 2015-09-14 14:40:57 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?q=bldwvn0dqlitnzf
- 2015-09-14 14:41:05 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?r=otc3fcma43sb
USER CLICKING ON THE LINKS FOR THE DECRYPT INSTRUCTIONS:
- 2015-09-14 14:41:22 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /[information removed]
- 2015-09-14 14:41:23 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/style.css
- 2015-09-14 14:41:23 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/us.png
- 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/it.png
- 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/fr.png
- 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/es.png
- 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/de.png
- 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /picture.php?k=[information removed]&765c899c15dc795a721f138d9b4a7552
- 2015-09-14 14:41:25 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/lt.png
- 2015-09-14 14:41:27 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/rt.png
- 2015-09-14 14:41:27 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/lb.png
- 2015-09-14 14:41:27 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/rb.png
- 2015-09-14 14:41:30 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /favicon.ico
- 2015-09-14 14:41:32 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - POST /[information removed]
- 2015-09-14 14:41:34 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/bitcoin.png
- 2015-09-14 14:41:34 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/button_pay.png
- 2015-09-14 14:41:45 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/button_pay_sel.png
- 2015-09-14 14:44:00 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /removed
- 2015-09-14 14:44:02 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/style.css
- 2015-09-14 14:44:02 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/us.png
- 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/it.png
- 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/fr.png
- 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/es.png
- 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /picture.php?k=[information removed]&ddf8d7fb029d72e3666bc13c64ab2beb
- 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/de.png
- 2015-09-14 14:44:05 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/rt.png
- 2015-09-14 14:44:05 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/lt.png
- 2015-09-14 14:44:05 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/rb.png
- 2015-09-14 14:44:05 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/lb.png
- 2015-09-14 14:44:08 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /favicon.ico
- 2015-09-14 14:44:17 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - POST /[information removed]
- 2015-09-14 14:44:19 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/bitcoin.png
- 2015-09-14 14:44:19 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/button_pay.png
- 2015-09-14 14:44:26 UTC - DNS query for: ayh2m57ruxjtwyd5.deballmoneypool.com (DNS reply: No such name)
- 2015-09-14 14:44:30 UTC - DNS query for: ayh2m57ruxjtwyd5.armnsoptionpay.com (DNS reply: Server failure)
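The request listing above is regular enough to script over. As an added example that is not part of this page's own material, the following Python script parses lines in that listing format and tags each request with the infection stage it belongs to, using the request shapes seen on this page as heuristics; the stage names, the regular expressions and the trimmed sample lines are my own constructions, not indicators published by the site.

```python
import re
from datetime import datetime

# Constructed sample in the format this page uses for its traffic listing (query strings trimmed).
SAMPLE_LOG = """\
- 2015-09-14 14:40:39 UTC - pc2209.compasspointlaw.net - GET /civis/viewtopic.php?t=8337b&f=bm8y6m.57101bh5
- 2015-09-14 14:40:42 UTC - pc2209.compasspointlaw.net - POST /civis/finish.jhtml?piece=MeFq5F9&normal=h3w5IUSeqz&defense=&end=_odPeQGa
- 2015-09-14 14:40:47 UTC - pc2209.compasspointlaw.net - GET /national.wbxml?game=qxkriSs&enemy=kVr2&citizen=PvadD&once=DteoXU6D3
- 2015-09-14 14:40:51 UTC - ip-addr.es - GET /
- 2015-09-14 14:40:51 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?u=yy93aadkmg4jx
- 2015-09-14 14:40:54 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?n=1x9yml6g7180m7b
- 2015-09-14 14:41:23 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/style.css
"""

LINE_RE = re.compile(r"^- (\S+ \S+) UTC - (\S+) - (GET|POST) (\S+)$")
# Angler query strings on this page: four or more dictionary-word keys, several with empty values.
WORDY_QUERY = re.compile(r"\?([a-zA-Z]+=[^&]*&){3,}[a-zA-Z]+=[^&]*$")

def classify(host, method, uri):
    """Map one request to an infection stage using the request shapes listed on this page (heuristic)."""
    path, _, query = uri.partition("?")
    if host == "ip-addr.es":
        return "ip-check"                       # CryptoWall looks up its public IP
    if method == "POST" and path.endswith("/ap5.php") and re.fullmatch(r"[a-z]=[a-z0-9]+", query):
        return "cryptowall-callback"            # single-letter key, random-looking value
    if host.startswith("ayh2m57ruxjtwyd5."):
        return "ransom-page"                    # decrypt-instructions site
    if path.endswith("/viewtopic.php"):
        return "angler-landing"
    if path.endswith((".jhtml", ".ucf", ".wbxml")) and WORDY_QUERY.search(uri):
        return "angler-exploit-or-payload"
    return "other"

def parse(log_text):
    """Return (timestamp, host, stage) for every line that matches the listing format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), classify(m.group(2), m.group(3), m.group(4))))
    return events

def chain_summary(log_text):
    """First-seen time and count per stage, plus seconds from EK landing to first CryptoWall callback."""
    first, counts = {}, {}
    for ts, _host, stage in parse(log_text):
        first.setdefault(stage, ts)
        counts[stage] = counts.get(stage, 0) + 1
    delta = None
    if "angler-landing" in first and "cryptowall-callback" in first:
        delta = int((first["cryptowall-callback"] - first["angler-landing"]).total_seconds())
    return {"first_seen": first, "counts": counts, "landing_to_callback_s": delta}
```

On the sample above the landing-to-callback gap comes out at 12 seconds, which is the kind of tight timing that separates an exploit-kit infection from a user casually browsing the same hosts.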
FINAL NOTES
Once again, here are the associated files:
- ZIP of the PCAP: 2015-09-14-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
- ZIP file of the malware: 2015-09-14-Angler-EK-sends-CryptoWall-3.0-artifacts.zip
NOTE: All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.