2016-01-27 - ANGLER EK FROM 185.49.68.132 SENDS CRYPTOWALL
PCAP AND MALWARE:
- ZIP archive of the above PCAP: 2016-01-27-Angler-EK-sends-CryptoWall-traffic.pcap.zip 618.6 kB (618,631 bytes)
- ZIP archive of the malware and artifacts: 2016-01-27-Angler-EK-sends-CryptoWall-malware-and-artifacts.zip 552.7 kB (552,706 bytes)
CHAIN OF EVENTS
[Image: a pcap of the traffic filtered in Wireshark, showing the HTTP requests.]
[Image: injected script in a page from the compromised website.]
ASSOCIATED DOMAINS:
- www.nachirobotics.com - Compromised website
- 185.49.68.132 port 80 - einschlugen-rechtsanwalt.elislote.es - Angler EK
- 154.41.66.18 port 80 - sowellness.be - CryptoWall post-infection traffic
- 92.240.253.3 port 80 - funzone-veza.sk - CryptoWall post-infection traffic
- 91.208.60.160 port 80 - ariixhouse.nl - CryptoWall post-infection traffic
- 195.210.46.14 port 80 - ecocity.kz - CryptoWall post-infection traffic
- 95.173.168.25 port 80 - tugay.com.tr - CryptoWall post-infection traffic
- 92.240.253.107 port 80 - vladoveverka.sk - CryptoWall post-infection traffic
- 103.235.104.96 port 80 - quadparticle.com - CryptoWall post-infection traffic
PRELIMINARY MALWARE ANALYSIS
ANGLER EK FLASH EXPLOIT:
File name: 2016-01-27-Angler-EK-flash-exploit.swf
File size: 129.2 KB (132,319 bytes)
MD5 hash: a874b781d3d0af0e5a652822944be983
SHA1 hash: cec90fac505e780ab0836837e369fb63b53759e2
SHA256 hash: 33bba1b73c606e9d58bd70aa9612d66f106865a5477482b3a86faf60146dee67
Detection ratio: 1 / 53
First submission: 2016-01-27 01:54:51 UTC
MALWARE PAYLOAD (CRYPTOWALL):
File name: 2016-01-27-Angler-EK-payload-CryptoWall.exe
File size: 408.5 KB (418,304 bytes)
MD5 hash: dcce63ae6b7671f00e05a8090acfecb7
SHA1 hash: 102a735b291b53fd5cc0e7789b80eaceff31f194
SHA256 hash: 23e551a94dbf9583b352d5005b654ddf7255064d77bba38dbeb72c015a60ebdb
Detection ratio: 2 / 47
First submission: 2016-01-27 01:33:02 UTC
FINAL NOTES
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.