2015-11-20 - ANGLER EK FROM 209.133.203.204 SENDS CRYPTOWALL 3.0

ASSOCIATED FILES:

• ZIP archive of the PCAP:  2015-11-20-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip   939.2 kB (939,203 bytes)
• ZIP archive of the malware:  2015-11-20-Angler-EK-sends-CryptoWall-3.0-artifacts-and-malware.zip   277.7 kB (277,749 bytes)

 

TRAFFIC

ASSOCIATED DOMAINS:

• 209.133.203.204 port 80 - merkkivuonnaandefluiate.fishingtower.com - Angler EK
• ip-addr.es - IP address check by the malware
• 46.30.212.60 port 80 - adeolamedia.com - CryptoWall post-infection callback
• 46.30.212.119 port 80 - autonomenab.se - CryptoWall post-infection callback
• ayh2m57ruxjtwyd5.abctopayforwin.com - Page that appeared when user went to the decrypt instructions
• ayh2m57ruxjtwyd5.bcdthepaywayall.com - Page that appeared when user went to the decrypt instructions
• ayh2m57ruxjtwyd5.deballmoneypool.com - Doesn't resolve in DNS
• ayh2m57ruxjtwyd5.armnsoptionpay.com - Page from hosting provider

 

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the PCAP:  2015-11-20-Angler-EK-sends-CryptoWall-3.0-traffic.pcap.zip   939.2 kB (939,203 bytes)
• ZIP archive of the malware:  2015-11-20-Angler-EK-sends-CryptoWall-3.0-artifacts-and-malware.zip   277.7 kB (277,749 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.