2015-12-14 - ANGLER EK FROM 51.255.131[.]66 SENDS CRYPTOWALL RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-12-14-Angler-EK-sends-CryptoWall-ransomware-traffic.pcap.zip   1.3 MB (1,287,835 bytes)
• 2015-12-14-files-from-Angler-EK-sends-CryptoWall-ransomware.zip   465.3 kB (465,318 bytes)

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• adelaidescuba[.]com[.]au - Compromised website
• 51.255.131[.]66 port 80 - periodicalinestones.lucianmorsedmd[.]com - Angler EK
• 104.28.7[.]84 port 80 - beho.altervista[.]org - CryptoWall callback traffic
• 192.99.104[.]220 port 80 - baixaroucomprar[.]com - CryptoWall callback traffic
• 71.62.128[.]167 port 80 - basketballvideobwsl[.]net - CryptoWall callback traffic

 

TRAFFIC:

• 2015-12-14 21:55:25 UTC - adelaidescuba[.]com[.]au - GET /

• 2015-12-14 21:55:51 UTC - periodicalinestones.lucianmorsedmd[.]com - GET /forums/viewforum.php?f=5v&sid=jd.21028q7l47h92t3

• 2015-12-14 21:56:04 UTC - periodicalinestones.lucianmorsedmd[.]com - GET /possibility.php?part=&certain=Gr5wttra7_&cell=&shall=UAvEpz5sU&
  hour=jWrcyc&remove=e1iPPA&wish=XZqLa&influence=VHeRTk3BL&smile=nPa

• 2015-12-14 21:56:12 UTC - periodicalinestones.lucianmorsedmd[.]com - GET /heart.hyperesources?structure=fIkzUu7w_C&relation=&we=F86&
  next=&dog=c9lFGj&later=6Hr4c&patient=&after=mYeYWvDFsl&authority=cgr&beautiful=96ni_RCf3EK

• 2015-12-14 21:57:41 UTC - periodicalinestones.lucianmorsedmd[.]com - GET /side.wpp?buy=&gas=r1GIXWq-kX&permit=TyYbUeKqIS&until=&
  spring=TLsNEzmWOpLIH8DzvSlZRDoXYZ7L

• 2015-12-14 21:57:58 UTC - beho.altervista[.]org - POST /Detuk4.php?u=a2tz24q3goih8
• 2015-12-14 21:58:13 UTC - baixaroucomprar[.]com - POST /cNabw1.php?d=a2tz24q3goih8
• 2015-12-14 21:58:29 UTC - basketballvideobwsl[.]net - POST /jN3vUi.php?y=a2tz24q3goih8
• 2015-12-14 21:58:32 UTC - beho.altervista[.]org - POST /Detuk4.php?z=o8bg4h8fkb7
• 2015-12-14 21:58:45 UTC - baixaroucomprar[.]com - POST /cNabw1.php?k=o8bg4h8fkb7
• 2015-12-14 21:58:56 UTC - basketballvideobwsl[.]net - POST /jN3vUi.php?a=o8bg4h8fkb7
• 2015-12-14 21:59:22 UTC - beho.altervista[.]org - POST /Detuk4.php?f=pla1dd6qe58fv
• 2015-12-14 21:59:35 UTC - baixaroucomprar[.]com - POST /cNabw1.php?x=pla1dd6qe58fv
• 2015-12-14 21:59:48 UTC - basketballvideobwsl[.]net - POST /jN3vUi.php?f=pla1dd6qe58fv

 

IMAGES

Shown above:  Google search indicating the site is compromised.

 

Shown above:  Start of injected script in page from compromised website.

 

Shown above:  End of injected script in page from compromised website.

 

Shown above:  Pcap of the traffic filtered in Wireshark.

 

Shown above:  The infected user's Windows desktop after the infection.

 

Click here to return to the main page.