2016-01-17 - ANGLER EK FROM 31.148.99.125 SENDS CRYPTOWALL
PCAP AND MALWARE:
- ZIP file of the above PCAP: 2016-01-17-Angler-EK-sends-CryptoWall-traffic.pcap.zip 678.4 kB (678,444 bytes)
- ZIP file of the malware and artifacts: 2016-01-17-Angler-EK-sends-CryptoWall-malware-and-artifacts.zip 508.5 kB (508,522 bytes)
- TXT file of the Snort events: 2016-01-17-Angler-EK-sends-CryptoWall-snort-events.txt 4.6 kB (4,615 bytes)
- TXT file of the Suricata events: 2016-01-17-Angler-EK-sends-CryptoWall-suricata-events.txt 14.0 kB (13,994 bytes)
Shown above: Windows desktop after this CryptoWall infection.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 101.0.76.7 port 80 - www.rodbendingsworld.com - Compromised website
- 31.148.99.125 port 80 - lancharesrhymewis.blaylockwedding.com - Angler EK
- 50.63.184.249 port 80 - post409.org - CryptoWall callback traffic
ADDITIONAL CRYPTOWALL DOMAINS FROM MALWR.COM ANALYSIS:
- 125.214.74.70 port 80 - gjscomputerservices.com.au
- 195.93.153.7 port 80 - aglobal.kz
- 66.71.129.2 port 80 - obiettivoalluminio.it
- 185.68.16.13 port 80 - ilovesport.kiev.ua
- apbinary.tk - [did not resolve in DNS]
DOMAINS FROM THIS CRYPTOWALL SAMPLE'S DECRYPT INSTRUCTIONS:
- 3wzn5p2yiumh7akj.waytopaytosystem.com
- 3wzn5p2yiumh7akj.malkintop100.com
- 3wzn5p2yiumh7akj.belladonnamonna.com
- 3wzn5p2yiumh7akj.hiltonpaytoo.com
COMPROMISED WEBSITE:
Shown above: Injected script in page from compromised website.
- 2016-01-17 21:25:43 UTC - www.rodbendingsworld.com - GET /
ANGLER EK:
- 2016-01-17 21:25:51 UTC - lancharesrhymewis.blaylockwedding.com - GET /forums/search.php?keywords=28&fid0=7yl24915148qs3455992q6.7
- 2016-01-17 21:26:06 UTC - lancharesrhymewis.blaylockwedding.com - GET /Mister.wbxml?where=&press=EULn-&dead=ccPG81&across=7i9&pick=BEmUeSBA&glass=&condition=nngpFzsQ-lXTjo0xcnv8LFb8fQ
- 2016-01-17 21:26:06 UTC - lancharesrhymewis.blaylockwedding.com - POST /forums/people.wsdl?hundred=MUDvBDmQ&Mister=&fear=NWv2&county=hphJsaZ8kIcgwwTFTPP90VmCaVZ95Mg02eAv
- 2016-01-17 21:26:17 UTC - lancharesrhymewis.blaylockwedding.com - GET /Mister.wbxml?where=&press=EULn-&dead=ccPG81&across=7i9&pick=BEmUeSBA&glass=&condition=nngpFzsQ-lXTjo0xcnv8LFb8fQ
- 2016-01-17 21:26:34 UTC - lancharesrhymewis.blaylockwedding.com - POST /free.jss?sit=UApbJxpRx3&it=Hn0X7-4X&world=7Nkcrg&in=J4a4oIEuQ&total=NwPEQ3r0YSps77f
- 2016-01-17 21:27:00 UTC - lancharesrhymewis.blaylockwedding.com - GET /police.jsf?she=Lggj&case=&experience=k_uKQ&source=&recently=kDw8LP3J92&black=&tell=YX1Soe8tYA2eQMvWVSW0tkZbLR-iZ
POST-INFECTION TRAFFIC:
- 2016-01-17 21:28:18 UTC - post409.org - POST /8UmXhY.php?r=9svmk5u9qe7l2
- 2016-01-17 21:28:23 UTC - post409.org - POST /8UmXhY.php?d=0352z5ryuj
- 2016-01-17 21:28:45 UTC - post409.org - POST /8UmXhY.php?t=8w9aq22o63dkjr7
SNORT EVENTS
Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):
- 101.0.76.7 port 80 - ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 21 2015 5 (sid:2022290)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Possible Angler EK Landing URI Struct Jul 15 M1 T1 (sid:2811993)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Angler EK Landing URI Struct Oct 12 (sid:2814318)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Angler EK Landing June 16 2015 M5 (sid:2811641)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Angler EK Landing/RIG EK Landing Dec 23 2015 Common Construct (sid:2815452)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Angler EK Landing Jan 12 2015 M1 (sid:2815727)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Angler EK Landing Nov 27 2015 M2 (sid:2815123)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Angler or Nuclear EK Flash Exploit (IE) Jun 16 M1 T2 (sid:2811829)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Possible Angler EK Flash Exploit June 16 2015 M1 (sid:2811526)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Angler or Nuclear EK Flash Exploit M2 (sid:2811284)
- 31.148.99.125 port 80 - ETPRO CURRENT_EVENTS Possible Angler EK Payload June 16 2015 M2 (sid:2811529)
- 31.148.99.125 port 80 - ET CURRENT_EVENTS Angler encrypted payload Nov 23 (1) (sid:2022138)
- 50.63.184.249 port 80 - ET TROJAN CryptoWall Check-in (sid:2018452)
Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.8.0 on Debian 7:
- 31.148.99.125 port 80 - [1:36635:3] EXPLOIT-KIT Angler exploit kit search uri request attempt
- 31.148.99.125 port 80 - [1:37014:1] EXPLOIT-KIT Angler exploit kit landing page detected
- 50.63.184.249 port 80 - [1:34318:4] MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2016-01-17-Angler-EK-flash-exploit.swf
File size: 127.0 KB (130,068 bytes)
MD5 hash: 946d794afc8cb0e8d597180bcf3ae720
SHA1 hash: 2cf84c3ddd400d4acb54214269addb0c8ac58b2c
SHA256 hash: 35a24b00f94125a25279791159059a9bc768e9b4bdea8b71960f82dc117e4aea
Detection ratio: 2 / 54
First submission: 2016-01-18 16:23:19 UTC
VirusTotal link: click here
MALWARE PAYLOAD:
File name: 2016-01-17-Angler-EK-payload-CryptoWall.exe
File size: 460.5 KB (471,552 bytes)
MD5 hash: 58006b9382d532f82535454e78c8ad7c
SHA1 hash: c399026473b23a211208a13224029f710458255e
SHA256 hash: 99990573b7c92062663438575d431c5823252a1c523ba9977c2a236ad2484a1e
Detection ratio: 10 / 53
First submission: 2016-01-18 03:19:24 UTC
VirusTotal link: click here
Malwr link: click here [ pcap here ]
Hybrid-Analysis link: click here
FINAL NOTES
Once again, here are the associated files:
- ZIP file of the above PCAP: 2016-01-17-Angler-EK-sends-CryptoWall-traffic.pcap.zip 678.4 kB (678,444 bytes)
- ZIP file of the malware and artifacts: 2016-01-17-Angler-EK-sends-CryptoWall-malware-and-artifacts.zip 508.5 kB (508,522 bytes)
- TXT file of the Snort events: 2016-01-17-Angler-EK-sends-CryptoWall-snort-events.txt 4.6 kB (4,615 bytes)
- TXT file of the Suricata events: 2016-01-17-Angler-EK-sends-CryptoWall-suricata-events.txt 14.0 kB (13,994 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.