2015-12-14 - ANGLER EK FROM 51.255.131.66 SENDS CRYPTOWALL

ASSOCIATED FILES:

• ZIP archive of the PCAP:  2015-12-14-Angler-EK-sends-CryptoWall-traffic.pcap.zip   1.3 MB (1,287,813 bytes)
• ZIP archive of the malware:  2015-12-14-Angler-EK-sends-CryptoWall-malware-and-artifacts.zip   464.2 kB (464,208 bytes)

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• adelaidescuba.com.au - Compromised website
• 51.255.131.66 port 80 - periodicalinestones.lucianmorsedmd.com - Angler EK
• 104.28.7.84 port 80 - beho.altervista.org - CryptoWall callback traffic
• 192.99.104.220 port 80 - baixaroucomprar.com - CryptoWall callback traffic
• 71.62.128.167 port 80 - basketballvideobwsl.net - CryptoWall callback traffic

 

TRAFFIC:

• 2015-12-14 21:55:25 UTC - adelaidescuba.com.au - GET /

• 2015-12-14 21:55:51 UTC - periodicalinestones.lucianmorsedmd.com - GET /forums/viewforum.php?f=5v&sid=jd.21028q7l47h92t3

• 2015-12-14 21:56:04 UTC - periodicalinestones.lucianmorsedmd.com - GET /possibility.php?part=&certain=Gr5wttra7_&cell=&shall=UAvEpz5sU&
  hour=jWrcyc&remove=e1iPPA&wish=XZqLa&influence=VHeRTk3BL&smile=nPa

• 2015-12-14 21:56:12 UTC - periodicalinestones.lucianmorsedmd.com - GET /heart.hyperesources?structure=fIkzUu7w_C&relation=&we=F86&
  next=&dog=c9lFGj&later=6Hr4c&patient=&after=mYeYWvDFsl&authority=cgr&beautiful=96ni_RCf3EK

• 2015-12-14 21:57:41 UTC - periodicalinestones.lucianmorsedmd.com - GET /side.wpp?buy=&gas=r1GIXWq-kX&permit=TyYbUeKqIS&until=&
  spring=TLsNEzmWOpLIH8DzvSlZRDoXYZ7L

• 2015-12-14 21:57:58 UTC - beho.altervista.org - POST /Detuk4.php?u=a2tz24q3goih8
• 2015-12-14 21:58:13 UTC - baixaroucomprar.com - POST /cNabw1.php?d=a2tz24q3goih8
• 2015-12-14 21:58:29 UTC - basketballvideobwsl.net - POST /jN3vUi.php?y=a2tz24q3goih8
• 2015-12-14 21:58:32 UTC - beho.altervista.org - POST /Detuk4.php?z=o8bg4h8fkb7
• 2015-12-14 21:58:45 UTC - baixaroucomprar.com - POST /cNabw1.php?k=o8bg4h8fkb7
• 2015-12-14 21:58:56 UTC - basketballvideobwsl.net - POST /jN3vUi.php?a=o8bg4h8fkb7
• 2015-12-14 21:59:22 UTC - beho.altervista.org - POST /Detuk4.php?f=pla1dd6qe58fv
• 2015-12-14 21:59:35 UTC - baixaroucomprar.com - POST /cNabw1.php?x=pla1dd6qe58fv
• 2015-12-14 21:59:48 UTC - basketballvideobwsl.net - POST /jN3vUi.php?f=pla1dd6qe58fv

 

IMAGES

Shown above:  Google search indicating the site is compromised.

 

Shown above:  Start of injected script in page from compromised website.

 

Shown above:  End of injected script in page from compromised website.

 

Shown above:  Pcap of the traffic filtered in Wireshark.

 

Shown above:  The infected user's Windows desktop after the infection.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the PCAP:  2015-12-14-Angler-EK-sends-CryptoWall-traffic.pcap.zip   1.3 MB (1,287,813 bytes)
• ZIP archive of the malware:  2015-12-14-Angler-EK-sends-CryptoWall-malware-and-artifacts.zip   464.2 kB (464,208 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.