2015-12-21 - ANGLER EK SENDS CRYPTOWALL

ASSOCIATED FILES:

• ZIP archive of all three runs:  2015-12-21-Angler-EK-sends-CryptoWall-traffic-all-3-examples.zip   3.6 MB (3,607,670 bytes)
• ZIP archive of the malware:  2015-12-21-Angler-EK-malware-and-artifacts.zip   743.6 kB (743,642 bytes)

 

NOTES:

• Didn't get a copy of the CryptoWall from the first two infections.  Was able to grab a copy from the last infection.
• There was two different sets of injected code in pages from the compromised site.  One led to a gate at beladonna33.ga but didn't go any further.
• The other went to Angler exploit kit (EK) and delivered CryptoWall (the "4.0" version that's everywhere now).

 

CHAIN OF EVENTS

• 50.63.97.1 port 80 - reneesdestinyproductions.com - compromised website
• 141.8.224.221 port 80 - beladonna33.ga - Gate to another EK (no follow-through to any EK)

• 109.248.250.145 port 80 - sviteresdisneylite.tyleraccountingservice.com - Angler EK (first example)
• 216.246.23.115 port 80 - ausbrecherkoenig.paintingparcels.com - Angler EK (second example)
• 216.246.23.115 port 80 - preterritorial.unitedstrainsofamerica.org - Angler EK (third example)

• 192.99.104.220 port 80 - baixaroucomprar.com - CryptoWall callback traffic (first example)
• 89.161.169.92 port 80 - arcadia-meble.pl - CryptoWall callback traffic (first example)
• 91.226.22.151 port 80 - balustradydrewniane.pl - CryptoWall callback traffic (first example)

• 81.169.145.156 port 80 - autohaus-iffland.com - CryptoWall callback traffic (second example)
• 89.31.143.101 port 80 - cafe-being.com - CryptoWall callback traffic (second example)
• 74.117.159.140 port 80 - biodieseltimes.com - CryptoWall callback traffic (second example)

• 192.99.104.220 port 80 - baixaroucomprar.com - CryptoWall callback traffic (third example)
• 144.76.100.71 port 80 - autogas-krombach.de - CryptoWall callback traffic (third example)
• 64.207.146.127 port 80 - allstarpaintbody.com - CryptoWall callback traffic (third example)
• 79.96.45.27 port 80 - ample-sun.eu - CryptoWall callback traffic (third example)
• 195.93.153.8 port 80 - bestex.kz - CryptoWall callback traffic (third example)
• 104.28.6.12 port 80 - blog.hairconstruction.co - CryptoWall callback traffic (third example)
• 159.253.47.98 port 80 - ayvalikdental.com - CryptoWall callback traffic (third example)
• 109.70.26.37 port 80 - beautyandblings.com - CryptoWall callback traffic (third example)
• 212.91.26.153 port 80 - ceramikazamkowa.pl - CryptoWall callback traffic (third example)

 

TRAFFIC - FIRST EXAMPLE:

• 2015-12-21 15:30:23 UTC - reneesdestinyproductions.com - GET /

• 2015-12-21 15:30:31 UTC - beladonna33.ga - GET /052F

• 2015-12-21 15:30:40 UTC - sviteresdisneylite.tyleraccountingservice.com - GET /forums/index.php?PHPSESSID=8.2fm&action=322158mp397r159k8w5

• 2015-12-21 15:30:44 UTC - sviteresdisneylite.tyleraccountingservice.com - GET /once.docmhtml?French=wKcqV&rather=SgSh1r&serious=DVot&student=
  Ap8fQQtbmH&radio=&sale=cmWDYX_2aw&school=KCkWU&water=jo7BB&permit=zj9

• 2015-12-21 15:30:46 UTC - sviteresdisneylite.tyleraccountingservice.com - GET /same.asmx?apply=&able=iYw&add=h8i4kiQB&later=BP06HlY4nS&no=
  K4vA_zDAt&nearly=Etr-iC&lead=uEf&along=9No8Hc&face=e24

• 2015-12-21 15:30:56 UTC - sviteresdisneylite.tyleraccountingservice.com - GET /enemy.htx?stock=&finally=GTE2kLi1V&light=vjqox5r-&she=
  06hQ5VN&wall=jfhECredtHC9bohQV8C8V5mc

• 2015-12-21 15:31:12 UTC - baixaroucomprar.com - POST /cNabw1.php?h=ie2rgoq86uybj2
• 2015-12-21 15:31:23 UTC - subjective.ml - POST /0FeLA2.php?u=ie2rgoq86uybj2
• 2015-12-21 15:31:33 UTC - arcadia-meble.pl - POST /Q0bAHK.php?s=ie2rgoq86uybj2
• 2015-12-21 15:31:44 UTC - balustradydrewniane.pl - POST /6Ejz4Y.php?u=ie2rgoq86uybj2
• 2015-12-21 15:31:46 UTC - baixaroucomprar.com - POST /cNabw1.php?c=5w6a27p4yygt
• 2015-12-21 15:31:57 UTC - subjective.ml - POST /0FeLA2.php?d=5w6a27p4yygt
• 2015-12-21 15:32:07 UTC - arcadia-meble.pl - POST /Q0bAHK.php?g=5w6a27p4yygt
• 2015-12-21 15:32:18 UTC - balustradydrewniane.pl - POST /6Ejz4Y.php?o=5w6a27p4yygt
• 2015-12-21 15:32:27 UTC - baixaroucomprar.com - POST /cNabw1.php?d=ut6bx02uy35g
• 2015-12-21 15:32:37 UTC - subjective.ml - POST /0FeLA2.php?b=ut6bx02uy35g
• 2015-12-21 15:32:48 UTC - arcadia-meble.pl - POST /Q0bAHK.php?k=ut6bx02uy35g
• 2015-12-21 15:32:59 UTC - balustradydrewniane.pl - POST /6Ejz4Y.php?t=ut6bx02uy35g

 

TRAFFIC - SECOND EXAMPLE:

• 2015-12-21 19:04:24 UTC - reneesdestinyproductions.com - GET /

• 2015-12-21 19:04:32 UTC - beladonna33.ga - GET /052F

• 2015-12-21 19:04:31 UTC - ausbrecherkoenig.paintingparcels.com - GET /civis/index.php?PHPSESSID=98j05&action=.sg0991w1361k1

• 2015-12-21 19:04:36 UTC - ausbrecherkoenig.paintingparcels.com - GET /structure.cha?glass=&technical=jJp9jj0l_&hot=Uw3&importance=&these=
  FkG0m0I&stay=&compare=a_n9K&red=a16KXcHbq2wlbxgYS1KyaRmQ

• 2015-12-21 19:04:38 UTC - ausbrecherkoenig.paintingparcels.com - GET /technical.wpx?reach=&no=RRID2Lm-5Y&image=6VV_k&social=
  mSaGWWw&information=2NH-GKJ&wait=&such=kfOm&family=&member=h7cMKMG&plant=Q0i&however=Xcyne

• 2015-12-21 19:04:46 UTC - ausbrecherkoenig.paintingparcels.com - GET /hundred.cshtml?big=&need=PEG&various=IIkfb2uw3&whether=
  &labor=aPtzFdR&wear=&cause=vYp7IGtsel&world=XBWYeph8oWnuo5ufbXM

• 2015-12-21 19:05:09 UTC - autohaus-iffland.com - POST /1G7MQi.php?u=59m2a9z4mssb7m
• 2015-12-21 19:05:19 UTC - cafe-being.com - POST /G5JmvW.php?i=59m2a9z4mssb7m
• 2015-12-21 19:05:31 UTC - biodieseltimes.com - POST /5X1Wb3.php?y=59m2a9z4mssb7m
• 2015-12-21 19:05:33 UTC - autohaus-iffland.com - POST /1G7MQi.php?t=gzt35e60rl3d
• 2015-12-21 19:05:44 UTC - cafe-being.com - POST /G5JmvW.php?v=gzt35e60rl3d
• 2015-12-21 19:05:54 UTC - biodieseltimes.com - POST /5X1Wb3.php?s=gzt35e60rl3d
• 2015-12-21 19:06:02 UTC - autohaus-iffland.com - POST /1G7MQi.php?v=c4sy4jac1j333
• 2015-12-21 19:06:14 UTC - cafe-being.com - POST /G5JmvW.php?c=c4sy4jac1j333
• 2015-12-21 19:06:24 UTC - biodieseltimes.com - POST /5X1Wb3.php?e=c4sy4jac1j333

 

TRAFFIC - THIRD EXAMPLE:

• 2015-12-21 20:58:05 UTC - reneesdestinyproductions.com - GET /

• 2015-12-21 20:58:14 UTC - beladonna33.ga - GET /052F

• 2015-12-21 20:58:12 UTC - preterritorial.unitedstrainsofamerica.org - GET /forums/index.php?PHPSESSID=34&action=i996z2bj797uh.o8

• 2015-12-21 20:58:17 UTC - preterritorial.unitedstrainsofamerica.org - POST /forums/speak.ap?bed=Ppk&of=BHr&third=oW0UJ8go6&cover=
  19GJIc4k&himself=vu6&between=yyTu®ion=QWg&relate=cf1VLVvjo0&girl=BMT&rest=mn

• 2015-12-21 20:58:17 UTC - preterritorial.unitedstrainsofamerica.org - GET /about.csp?anything=&information=EXIurrPW&at=BGSqM&over=
  fM030rC7&treatment=rXpCTnrM&space=J4X7D0MP9rodehUYtVi

• 2015-12-21 20:58:17 UTC - preterritorial.unitedstrainsofamerica.org - GET /about.csp?anything=&information=EXIurrPW&at=BGSqM&over=
  fM030rC7&treatment=rXpCTnrM&space=J4X7D0MP9rodehUYtVi

• 2015-12-21 20:58:20 UTC - preterritorial.unitedstrainsofamerica.org - GET /likely.iwdgt?early=wIGS&election=&indeed=YMYX&though=&letter=
  ML3n-6sdcA&piece=&date=iDz&single=WIP&through=&affair=b2-oZ&talk=gNoBoxn0X&learn=S1l0gK5ppq

• 2015-12-21 20:58:34 UTC - preterritorial.unitedstrainsofamerica.org - POST /forget.cpg?saint=YHcmHuV9sO&fact=YOAW7tWX&force=j8b&well=
  VWQ842Go&economic=kMx&let=QlEXOA&pay=WikIsH0bn&like=F

• 2015-12-21 20:58:44 UTC - preterritorial.unitedstrainsofamerica.org - GET /design.cpg?instead=16dm&office=drx7uZcbV&feed=Zi4&fill=
  Ng79Wh0vdJ&consider=ZTf&car=0_m&easy=Axa1-a1jV1&alone=WyYrv&certainly=o

• 2015-12-21 20:58:50 UTC - baixaroucomprar.com - POST /cNabw1.php?g=uac6nj15hz5
• 2015-12-21 20:59:01 UTC - autogas-krombach.de - POST /F74yDk.php?i=uac6nj15hz5
• 2015-12-21 20:59:12 UTC - allstarpaintbody.com - POST /lrQ2bG.php?r=uac6nj15hz5
• 2015-12-21 20:59:14 UTC - baixaroucomprar.com - POST /cNabw1.php?w=b08033fdhgkjav3
• 2015-12-21 20:59:25 UTC - autogas-krombach.de - POST /F74yDk.php?v=b08033fdhgkjav3
• 2015-12-21 20:59:36 UTC - allstarpaintbody.com - POST /lrQ2bG.php?d=b08033fdhgkjav3
• 2015-12-21 20:59:45 UTC - baixaroucomprar.com - POST /cNabw1.php?o=pl418ylez9ryup
• 2015-12-21 20:59:56 UTC - autogas-krombach.de - POST /F74yDk.php?u=pl418ylez9ryup
• 2015-12-21 21:00:07 UTC - allstarpaintbody.com - POST /lrQ2bG.php?f=pl418ylez9ryup
• 2015-12-21 21:00:27 UTC - ample-sun.eu - POST /4BKEt7.php?o=pl418ylez9ryup
• 2015-12-21 21:00:38 UTC - bestex.kz - POST /Ov8_qV.php?r=pl418ylez9ryup
• 2015-12-21 21:00:49 UTC - blog.hairconstruction.co - POST /GFrT6o.php?c=pl418ylez9ryup
• 2015-12-21 21:01:03 UTC - ayvalikdental.com - POST /GMu28q.php?n=pl418ylez9ryup
• 2015-12-21 21:01:13 UTC - beautyandblings.com - POST /RWH6sC.php?p=pl418ylez9ryup
• 2015-12-21 21:01:24 UTC - ceramikazamkowa.pl - POST /WGr_xJ.php?p=pl418ylez9ryup

 

SCREENSHOTS

Shown above:  Start of first malicious code in page from compromised site that led to Angler EK.

 

Shown above:  End of first malicious code in page from compromised site that led to Angler EK.

 

Shown above:  Start of second malicious code in page from compromised site that led to beladonna33.ga/052F gate.

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

• ZIP archive of all three runs:  2015-12-21-Angler-EK-sends-CryptoWall-traffic-all-3-examples.zip   3.6 MB (3,607,670 bytes)
• ZIP archive of the malware:  2015-12-21-Angler-EK-malware-and-artifacts.zip   743.6 kB (743,642 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.