2015-09-14 - ANGLER EK FROM 207.182.157.157 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-09-14-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:   2015-09-14-Angler-EK-sends-CryptoWall-3.0-artifacts.zip

 

NOTES:

• Bitcoin address for this CryptoWall 3.0 sample's ransom payment was:  12DEX1ynovnDVwXJ55hkVWQdE8E7gVFHQk

Shown above: Decrypt instructions from the CryptoWall sample

 

TRAFFIC

ASSOCIATED DOMAINS:

• 207.182.157.157 post 80 - pc2209.compasspointlaw.net - Angler EK
• ip-addr.es -IP address check by CryptoWall 3.0
• 50.62.245.1 post 80 - fan-out.com - CryptoWall 3.0 callback
• 80.78.251.161 post 80 - ayh2m57ruxjtwyd5.abctopayforwin.com - User checking a page for the decrypt instructions
• 80.78.251.161 post 80 - ayh2m57ruxjtwyd5.bcdthepaywayall.com - User checking a page for the decrypt instructions
• ayh2m57ruxjtwyd5.deballmoneypool.com - Domain for one of the decrypt instructions pages (didn't resolve in DNS)
• ayh2m57ruxjtwyd5.armnsoptionpay.com - Domain for one of the decrypt instructions pages (didn't resolve in DNS)

 

Shown above: Malicious script in compromised website pointing to Angler EK.

 

ANGLER EK:

• 2015-09-14 14:40:39 UTC - pc2209.compasspointlaw.net - GET /civis/viewtopic.php?t=8337b&f=bm8y6m.57101bh5

• 2015-09-14 14:40:42 UTC - pc2209.compasspointlaw.net - POST /civis/finish.jhtml?piece=MeFq5F9&normal=h3w5IUSeqz&defense=&end=_odPeQGa&
  kid=y7Kw16Mqn7&seem=&police=GA9Sy&effect=&authority=l1o&again=1Yqn&element=g

• 2015-09-14 14:40:42 UTC - pc2209.compasspointlaw.net - GET /special.ucf?principle=&among=s7mjdf&most=&page=zFJ7l9uQ2Q&strong=&name=KL3&
  and=It-&actually=1VS2FnX&family=j43-&rest=eyhh1vun0xX_D5O

• 2015-09-14 14:40:43 UTC - pc2209.compasspointlaw.net - GET /special.ucf?principle=&among=s7mjdf&most=&page=zFJ7l9uQ2Q&strong=&name=KL3&
  and=It-&actually=1VS2FnX&family=j43-&rest=eyhh1vun0xX_D5O

• 2015-09-14 14:40:47 UTC - pc2209.compasspointlaw.net - GET /national.wbxml?game=qxkriSs&enemy=kVr2&citizen=PvadD&once=DteoXU6D3&
  west=dP57Gx&strike=fJY7VgP&will=59Z&England=R6fgwXz

 

POST-INFECTION TRAFFIC CAUSED BY THE CRYPTOWALL 3.0 PAYLOAD:

• 2015-09-14 14:40:51 UTC - ip-addr.es - GET /
• 2015-09-14 14:40:51 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?u=yy93aadkmg4jx
• 2015-09-14 14:40:54 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?n=1x9yml6g7180m7b
• 2015-09-14 14:40:57 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?q=bldwvn0dqlitnzf
• 2015-09-14 14:41:05 UTC - fan-out.com - POST /wp-includes/fonts/ap5.php?r=otc3fcma43sb

 

USER CLICKING ON THE LINKS FOR THE DECRYPT INSTRUCTIONS:

• 2015-09-14 14:41:22 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /[information removed]
• 2015-09-14 14:41:23 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/style.css
• 2015-09-14 14:41:23 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/us.png
• 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/it.png
• 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/fr.png
• 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/es.png
• 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/flags/de.png
• 2015-09-14 14:41:24 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /picture.php?k=[information removed]&765c899c15dc795a721f138d9b4a7552
• 2015-09-14 14:41:25 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/lt.png
• 2015-09-14 14:41:27 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/rt.png
• 2015-09-14 14:41:27 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/lb.png
• 2015-09-14 14:41:27 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/rb.png
• 2015-09-14 14:41:30 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /favicon.ico
• 2015-09-14 14:41:32 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - POST /[information removed]
• 2015-09-14 14:41:34 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/bitcoin.png
• 2015-09-14 14:41:34 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/button_pay.png
• 2015-09-14 14:41:45 UTC - ayh2m57ruxjtwyd5.abctopayforwin.com - GET /img/button_pay_sel.png
• 2015-09-14 14:44:00 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /removed
• 2015-09-14 14:44:02 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/style.css
• 2015-09-14 14:44:02 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/us.png
• 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/it.png
• 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/fr.png
• 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/es.png
• 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /picture.php?k=[information removed]&ddf8d7fb029d72e3666bc13c64ab2beb
• 2015-09-14 14:44:03 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/flags/de.png
• 2015-09-14 14:44:05 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/rt.png
• 2015-09-14 14:44:05 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/lt.png
• 2015-09-14 14:44:05 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/rb.png
• 2015-09-14 14:44:05 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/lb.png
• 2015-09-14 14:44:08 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /favicon.ico
• 2015-09-14 14:44:17 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - POST /[information removed]
• 2015-09-14 14:44:19 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/bitcoin.png
• 2015-09-14 14:44:19 UTC - ayh2m57ruxjtwyd5.bcdthepaywayall.com - GET /img/button_pay.png
• 2015-09-14 14:44:26 UTC - DNS query for: ayh2m57ruxjtwyd5.deballmoneypool.com (DNS reply: No such name)
• 2015-09-14 14:44:30 UTC - DNS query for: ayh2m57ruxjtwyd5.armnsoptionpay.com (DNS reply: Server failure)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-09-14-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
• ZIP file of the malware:   2015-09-14-Angler-EK-sends-CryptoWall-3.0-artifacts.zip

NOTE:  All zip archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.