2016-01-29 - ANGLER EK FROM 5.135.104.85 SENDS CRYPTOWALL

PCAP AND MALWARE:

• ZIP archive of the PCAP:  2016-01-29-Angler-EK-delivers-CryptoWall-traffic.pcap.zip   1.2 MB (1,153,072 bytes)
• ZIP archive of the malware and artifacts:  2016-01-29-Angler-EK-sends-CryptoWall-malware-and-artifacts.zip   463.3 kB (463,322 bytes)

 

TRAFFIC

INFECTION TRAFFIC:

• 27.121.64.183 port 80 - www.cavallinomotorsport.com - Compromised website
• 5.135.104.85 port 80 - carskiego-creamsoup.gymcrewacademy.com - Angler EK

 

IP ADDRESSES AND DOMAINS FOR CALLBACK TRAFFIC FROM CRYPTOWALL SAMPLE:

• 5.9.152.4 port 80 - wallpapersau.net
• 23.95.44.180 port 80 - dunwoodypress.com
• 23.239.20.126 port 80 - vancouverdispensarycoalition.ca
• 23.253.242.110 port 80 - liberal.com.mx
• 31.28.166.249 port 80 - itt-pushkino.org
• 46.28.105.79 port 80 - grafitti-photo.com
• 46.28.105.96 port 80 - daddysground.cz
• 46.30.212.115 port 80 - yardstickglobal.in
• 52.17.164.149 port 80 - t-firma-en.itech-websolutions.com
• 52.76.5.221 port 80 - itvsoft.asia
• 54.84.180.20 port 80 - calsalumni.iastate.edu.staging.sites.flyinghippo.com
• 62.210.148.123 port 80 - apptitudes.fr
• 65.254.47.82 port 80 - hatha.it
• 68.171.223.109 port 80 - igotocd.com
• 69.30.206.170 port 80 - apexminerals.com.au
• 70.32.114.99 port 80 - myteaminspired.com
• 74.50.31.127 port 80 - jjcampbell.com
• 77.236.98.174 port 80 - vinastudio.at
• 79.141.171.15 port 80 - neoad.de
• 79.143.190.57 port 80 - goldenangels.com.tr
• 81.17.254.72 port 80 - premierdisneyvilla.com
• 81.88.32.191 port 80 - emotionwerbung.de
• 81.88.35.222 port 80 - emotionwerbung.de
• 91.121.103.182 port 80 - conseils-finance.com
• 91.192.36.16 port 80 - bem-bakery.com
• 91.212.191.167 port 80 - pc.all-to-all.com
• 92.222.16.214 port 80 - international.woptimo.com
• 93.125.99.40 port 80 - hand-made.by
• 94.23.248.80 port 80 - bulksmsdealer.com
• 94.113.246.147 port 80 - behejbrno.com
• 94.156.77.8 port 80 - villisplace.info
• 101.2.169.10 port 80 - aspectdesigns.com.au
• 103.234.38.33 port 80 - giaohang.org
• 104.245.232.254 port 80 - acmm.org.au
• 104.28.0.24 port 80 - avazuinc.com
• 104.28.1.24 port 80 - avazuinc.com
• 104.28.30.51 port 80 - muel.altervista.org
• 104.28.31.51 port 80 - muel.altervista.org
• 107.170.239.172 port 80 - mangohills.net
• 107.178.108.52 port 80 - acie.edu.np
• 108.160.148.247 port 80 - directoryassistanceamerica.com
• 109.237.211.174 port 80 - macphoto.nl
• 112.78.4.229 port 80 - en.theolympiaschools.edu.vn
• 162.242.155.80 port 80 - empiredigitalmarketing.com
• 162.243.50.143 port 80 - jlprotect.ca
• 173.10.110.108 port 80 - stevesyachtrepair.com
• 178.32.72.112 port 80 - london-escorts-agency.org.uk
• 178.32.72.113 port 80 - event-travel.co.uk
• 178.33.159.131 port 80 - ifawindow.co.uk
• 184.170.245.75 port 80 - noahwilbanks.com
• 188.166.40.166 port 80 - thebesttshirtsonline.com
• 192.163.220.71 port 80 - edlenimaging.com
• 195.154.209.137 port 80 - indonesiandomains.com
• 195.154.209.137 port 80 - jadwalpialadunia.in
• 195.154.209.137 port 80 - taftee.in
• 195.154.209.137 port 80 - turbosol.asia
• 197.85.182.25 port 80 - telecom-sa.com
• 198.27.102.189 port 80 - thebeautythesis.com
• 199.217.118.196 port 80 - jogos.testeqi.com.br
• 200.68.105.19 port 80 - monicasalvador.com.ar
• 202.46.170.8 port 80 - larosa.com.au
• 203.170.80.250 port 80 - australianmotorinns.com
• 203.189.109.152 port 80 - dining-bar.com
• 205.234.198.60 port 80 - dolphinworld.org
• 206.72.195.44 port 80 - ihadthat.com
• 208.117.9.72 port 80 - morainecare.com
• 209.190.97.210 port 80 - acie.edu.np
• 212.71.250.78 port 80 - uzmankirala.com
• 216.97.235.60 port 80 - jameswbos.com
• 217.146.99.59 port 80 - zolty.eu
• 217.76.132.229 port 80 - kskillsmobility.eu
• 217.70.180.134 port 80 - dentiste-paris-20.fr
• 219.122.252.2 port 80 - campaignforyoungamerica.org

 

IMAGES

Shown above:  Today's pcap filtered in Wireshark.

 

Shown above:  Today's CryptoWall sample infecting a Windows desktop.

 

Shown above:  CryptoWall callback traffic when I tested the malware sample.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the PCAP:  2016-01-29-Angler-EK-delivers-CryptoWall-traffic.pcap.zip   1.2 MB (1,153,072 bytes)
• ZIP archive of the malware and artifacts:  2016-01-29-Angler-EK-sends-CryptoWall-malware-and-artifacts.zip   463.3 kB (463,322 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.