2015-09-29 - ANGLER EK FROM 85.25.102.2 SENDS CRYPTOWALL 3.0
PCAP AND MALWARE:
- ZIP of the PCAP: 2015-09-29-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
- ZIP file of the malware: 2015-09-29-Angler-EK-sends-CryptoWall-3.0-artifacts.zip
NOTES:
- Bitcoin address for this CryptoWall 3.0 sample's ransom payment was: 12DEX1ynovnDVwXJ55hkVWQdE8E7gVFHQk
- Can't share the compromised website this time; however, the injected script from the compromised website looks different than we've seen before (way more obfuscated).
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 85.25.102.2 port 80 - fleyedlysheetlightning.arrisonsoccermanagement.com - Angler EK
- ip-addr.es - IP address check by CryptoWall 3.0
- 5.196.22.116 port 80 - enbuscade.org - CryptoWall 3.0 check in
- 66.96.160.134 port 80 - healthyairmasters.com - CryptoWall 3.0 check in
- 108.167.140.125 port 80 - waterdamagefortlauderdale.info - CryptoWall 3.0 check in
INFECTION TRAFFIC:
- 2015-09-29 18:02:45 UTC - fleyedlysheetlightning.arrisonsoccermanagement.com - GET /civis/viewtopic.php?t=2841&f=3.59119jql3zg24i6
- 2015-09-29 18:02:49 UTC - fleyedlysheetlightning.arrisonsoccermanagement.com - GET /morning.lasso?datum=emyJ&read=&water=jPdykQBqx_&finger=KqY_Dp5xz&image=RORd_32n&where=mlDXgledc&before=PE9Oozhn
- 2015-09-29 18:02:49 UTC - fleyedlysheetlightning.arrisonsoccermanagement.com - POST /civis/boy.html?section=cThjo7YE3&soon=nXexCRfw&often=QWW9uFNy&Congress=4-Y8&nor=ENfc0&permit=pVq8f8fhd&afternoon=_OiWv
- 2015-09-29 18:02:49 UTC - fleyedlysheetlightning.arrisonsoccermanagement.com - GET /morning.lasso?datum=emyJ&read=&water=jPdykQBqx_&finger=KqY_Dp5xz&image=RORd_32n&where=mlDXgledc&before=PE9Oozhn
- 2015-09-29 18:02:53 UTC - fleyedlysheetlightning.arrisonsoccermanagement.com - GET /human.jspa?necessary=&anyone=VRP-NcO&announce=&husband=EGMGDNYOj&interact=&state=x5AC&ride=&force=W64HO1&never=7V68xida&director=TpPce4U&way=B_kB539
- 2015-09-29 18:02:57 UTC - fleyedlysheetlightning.arrisonsoccermanagement.com - GET /division.asp?or=&because=epk&center=&late=pWQ8_ixS86&within=l_Xj&mean=RDPKqwa&sit=41x4RNjsUAk5CepXvyyOVLLT
POST-INFECTION TRAFFIC:
- 2015-09-29 18:02:58 UTC - ip-addr.es - GET /
- 2015-09-29 18:02:59 UTC - enbuscade.org - POST /documentos/2014/05/3.php?n=6q3ic0r9dhbc7p
- 2015-09-29 18:03:00 UTC - healthyairmasters.com - POST /Demo_Preliminar_helths/wc-logs/3.php?h=6q3ic0r9dhbc7p
- 2015-09-29 18:03:02 UTC - waterdamagefortlauderdale.info - POST /wp-content/cache/1.php?v=6q3ic0r9dhbc7p
- 2015-09-29 18:03:05 UTC - enbuscade.org - POST /documentos/2014/05/3.php?u=w1dwewim23umbv
- 2015-09-29 18:03:07 UTC - healthyairmasters.com - POST /Demo_Preliminar_helths/wc-logs/3.php?h=w1dwewim23umbv
- 2015-09-29 18:03:08 UTC - waterdamagefortlauderdale.info - POST /wp-content/cache/1.php?d=w1dwewim23umbv
- 2015-09-29 18:03:11 UTC - enbuscade.org - POST /documentos/2014/05/3.php?b=pj85z9h54ak0y5g
- 2015-09-29 18:03:12 UTC - healthyairmasters.com - POST /Demo_Preliminar_helths/wc-logs/3.php?z=pj85z9h54ak0y5g
- 2015-09-29 18:03:13 UTC - waterdamagefortlauderdale.info - POST /wp-content/cache/1.php?s=pj85z9h54ak0y5g
- 2015-09-29 18:03:21 UTC - enbuscade.org - POST /documentos/2014/05/3.php?h=5zn31596n476wy0
- 2015-09-29 18:03:23 UTC - healthyairmasters.com - POST /Demo_Preliminar_helths/wc-logs/3.php?c=5zn31596n476wy0
- 2015-09-29 18:03:23 UTC - waterdamagefortlauderdale.info - POST /wp-content/cache/1.php?o=5zn31596n476wy0
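As an added example (not part of the original post), a small Python detector run over log lines constructed from the post-infection listing above: it picks out the CryptoWall 3.0 check-in shape (a POST to a .php file with a one-letter query key carrying a 14-15 character lowercase token) and flags a token when it fans out to several hosts within a short window. The two-host threshold and the 30-second window are assumptions chosen to fit this listing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lines copied from the post-infection traffic in this post.
SAMPLE_LOG = """\
2015-09-29 18:02:58 UTC - ip-addr.es - GET /
2015-09-29 18:02:59 UTC - enbuscade.org - POST /documentos/2014/05/3.php?n=6q3ic0r9dhbc7p
2015-09-29 18:03:00 UTC - healthyairmasters.com - POST /Demo_Preliminar_helths/wc-logs/3.php?h=6q3ic0r9dhbc7p
2015-09-29 18:03:02 UTC - waterdamagefortlauderdale.info - POST /wp-content/cache/1.php?v=6q3ic0r9dhbc7p
2015-09-29 18:03:05 UTC - enbuscade.org - POST /documentos/2014/05/3.php?u=w1dwewim23umbv
2015-09-29 18:03:07 UTC - healthyairmasters.com - POST /Demo_Preliminar_helths/wc-logs/3.php?h=w1dwewim23umbv
2015-09-29 18:03:08 UTC - waterdamagefortlauderdale.info - POST /wp-content/cache/1.php?d=w1dwewim23umbv
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - (?P<host>\S+) - "
    r"(?P<method>GET|POST) (?P<path>\S+)$"
)
# Check-in shape seen above: .php, a single one-letter key, a 14-15 char token.
CHECKIN_RE = re.compile(r"\.php\?[a-z]=(?P<token>[a-z0-9]{14,15})$")

def parse(log):
    """Yield (timestamp, host, method, path) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["host"], m["method"], m["path"])

def find_checkins(log, min_hosts=2, window=timedelta(seconds=30)):
    """Return {token: sorted hosts} for tokens POSTed to at least min_hosts
    distinct hosts within `window` of the first sighting (the fan-out above)."""
    seen = defaultdict(list)  # token -> [(timestamp, host)]
    for ts, host, method, path in parse(log):
        m = CHECKIN_RE.search(path)
        if method == "POST" and m:
            seen[m["token"]].append((ts, host))
    hits = {}
    for token, events in seen.items():
        events.sort()
        first = events[0][0]
        hosts = {h for t, h in events if t - first <= window}
        if len(hosts) >= min_hosts:
            hits[token] = sorted(hosts)
    return hits

if __name__ == "__main__":
    for token, hosts in find_checkins(SAMPLE_LOG).items():
        print(token, "->", ", ".join(hosts))
```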
FINAL NOTES
Once again, here's the PCAP of the traffic and ZIP file of the malware:
- ZIP of the PCAP: 2015-09-29-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip
- ZIP file of the malware: 2015-09-29-Angler-EK-sends-CryptoWall-3.0-artifacts.zip
NOTE: All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.