2016-02-03 - EITEST ANGLER EK SENDS HYDRACRYPT RANSOMWARE
PCAP AND MALWARE:
- ZIP archive of the PCAP: 2016-02-03-EITest-Angler-EK-sends-HydraCrypt-traffic.pcap.zip 529.3 kB (529,304 bytes)
- ZIP archive of the malware and artifacts: 2016-02-03-EITest-Angler-EK-semds-HydraCrypt-malware-and-artifacts.zip 444.5 kB (444,466 bytes)
NOTES:
- More Angler EK from the EITest actor (more info here, here, here, and here).
- The payload is a new one on me. Haven't run across "HydraCrypt" ransomware before.
- Anyone else seen this one? The email address for the ransom payment reminds me of previous FileCoder/Troldesh ransomware.
- The logo is the same one used by Hydra, a fictional criminal organization in Marvel comics.
Shown above: A Windows desktop after getting infected with HydraCrypt.
Shown above: The image/window that appeared on the Windows desktop after the infection.
Shown above: The instructions in a text file left on the infected Windows host.
TRAFFIC
ASSOCIATED DOMAINS:
- 208.43.108.11 port 80 - www.harbourfrontcentre.com - Compromised website
- 85.93.0.32 port 80 - vyetbr.tk - EITest gate
- 86.106.93.66 port 80 - qywr2kr.spyscj.site - Angler EK
- 185.97.253.128 port 80 - drivers-softprotect.eu - HydraCrypt callback traffic
Shown above: Traffic from the infection traffic filtered in Wireshark.
COMPROMISED WEBSITE AND EITEST GATE:
- 2016-02-03 20:02:08 UTC - www.harbourfrontcentre.com - GET /
- 2016-02-03 20:02:16 UTC - vyetbr.tk - GET /shop.php?sid=464DBCAD85B6331B75AE14BA37CD702909EE03F6E9E063361D274B880AA779EC95C51A383D2273E24C283D
- 2016-02-03 20:02:17 UTC - vyetbr.tk - GET /hot.php?id=464DBCAD85B6331B75AE14BA37CD702909EE03F6E9E063361D274B880AA779EC95C51A383D2273E24C283D
ANGLER EK:
- 2016-02-03 20:02:18 UTC - qywr2kr.spyscj.site - GET /boards/search.php?keywords=1uf23&fid0=1b62r07xs.84
- 2016-02-03 20:02:23 UTC - qywr2kr.spyscj.site - GET /leave.site?at=98VxjD&eye=&west=rXA&poet=&new=IA8-2Su&simple=&station=h6ODmarvJ&central=HMrF3wsYO&before=iEkhWJy&ten=&night=i2iGAgd
- 2016-02-03 20:03:10 UTC - qywr2kr.spyscj.site - GET /can.docmhtml?this=KXW&manager=fKlteL&father=s8Y9bGOrq&greater=a6k4yXP&hope=PoOdtJVN&place=oFO&political=5eM&south=hRmj24RoE
POST-INFECTION TRAFFIC:
- 2016-02-03 20:03:25 UTC - drivers-softprotect.eu - GET /flamme.php
- 2016-02-03 20:03:27 UTC - drivers-softprotect.eu - GET /img.jpg
- 2016-02-03 20:03:48 UTC - drivers-softprotect.eu - GET /flamme.php?ccc=hydra01_[removed]_me1ZULmyoeQHFaBJSg11G2lnm1MOpTCn4B4fP
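The chain in the listing above (EITest gate, Angler EK landing and exploit URLs, then the HydraCrypt check-in) can be pulled out of a plain request log with a few capture-specific rules. This is an added example, not code from the original post and not a Suricata or Snort signature: the stage labels, regexes and the shortened sample log are constructed here, and the heuristics are tuned to this capture rather than to Angler or EITest in general.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the same "timestamp UTC - host - METHOD path" layout as the
# listing above; hosts and paths are this capture's, long tokens shortened.
SAMPLE_LOG = """\
2016-02-03 20:02:16 UTC - vyetbr.tk - GET /shop.php?sid=464DBCAD85B6331B75AE14BA37CD702909EE03F6E9E06336
2016-02-03 20:02:17 UTC - vyetbr.tk - GET /hot.php?id=464DBCAD85B6331B75AE14BA37CD702909EE03F6E9E06336
2016-02-03 20:02:18 UTC - qywr2kr.spyscj.site - GET /boards/search.php?keywords=1uf23&fid0=1b62r07xs.84
2016-02-03 20:03:10 UTC - qywr2kr.spyscj.site - GET /can.docmhtml?this=KXW&manager=fKlteL&father=s8Y9bGOrq&greater=a6k4yXP&place=oFO
2016-02-03 20:03:25 UTC - drivers-softprotect.eu - GET /flamme.php
2016-02-03 20:03:48 UTC - drivers-softprotect.eu - GET /flamme.php?ccc=hydra01_[removed]_me1ZULmyoeQHFaBJSg11
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - (\S+) - (GET|POST) (\S+)$")

def classify(path):
    """Label one request path with the chain stage it matches, or None (capture-specific heuristics)."""
    u = urlsplit(path)
    q = parse_qs(u.query, keep_blank_values=True)
    # EITest gate: shop.php?sid=<hex token> followed by hot.php?id=<same hex token>
    if u.path in ("/shop.php", "/hot.php"):
        tok = (q.get("sid") or q.get("id") or [""])[0]
        if re.fullmatch(r"[0-9A-F]{32,}", tok):
            return "eitest-gate"
    # HydraCrypt check-in: flamme.php with a ccc value carrying the hydra01_ prefix
    if u.path == "/flamme.php" and q.get("ccc", [""])[0].startswith("hydra01_"):
        return "hydracrypt-callback"
    # Angler landing page as seen here: forum-style path with keywords/fid0 params
    if u.path == "/boards/search.php" and "fid0" in q:
        return "angler-landing"
    # Angler exploit/payload URLs: many dictionary-word parameters with junk values
    if len(q) >= 5 and all(re.fullmatch(r"[a-z]{3,}", k) for k in q):
        return "angler-exploit"
    return None

def reconstruct_chain(log_text):
    # Returns the labelled requests in order as [(timestamp, host, stage), ...]
    chain = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        stage = classify(m.group(4)) if m else None
        if stage:
            chain.append((m.group(1), m.group(2), stage))
    return chain

def chain_complete(chain):
    """True when gate, landing, exploit and callback all appear, in that order."""
    order = ["eitest-gate", "angler-landing", "angler-exploit", "hydracrypt-callback"]
    seen = [s for _, _, s in chain]
    first = [seen.index(s) for s in order if s in seen]
    return len(first) == len(order) and first == sorted(first)
```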
SNORT/SURICATA EVENTS
Significant signature hits from Suricata using the Emerging Threats Pro ruleset on Security Onion:
Significant signature hits from the Talos (Sourcefire VRT) registered ruleset using Snort 2.9.8.0 on Debian 7:
PRELIMINARY MALWARE ANALYSIS
ANGLER EK MALWARE PAYLOAD (HYDRACRYPT):
File name: 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.exe
File size: 164.0 KB (167,936 bytes)
MD5 hash: 08b304d01220f9de63244b4666621bba
SHA1 hash: b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256 hash: afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
Detection ratio: 1 / 53 (at the time of submission)
First submission: 2016-02-03 21:24:27 UTC
VirusTotal link: https://www.virustotal.com/en/file/afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e/analysis/
Malwr link: https://malwr.com/analysis/MTNjMjFkOTgzZjYwNDM0YTgyY2UyNmE5MGNhMTA5YmU/
Shown above: Encrypted files were renamed, ending with .hydracrypt_ID_[8 character string].
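The ccc parameter of the 20:03:48 callback in the traffic section carries, after the hydra01_ tag and a base64-looking token, a comma-separated hex listing that starts 0x06,0x02,0x00,0x00,0x00,0x24,0x00,0x00,0x52,0x53,0x41,0x31 ("RSA1"): that is the layout of a Microsoft CryptoAPI PUBLICKEYBLOB, so the check-in is transmitting a 2048-bit RSA public key. The parser below is an added example, not code from the original post or from HydraCrypt; only the 20-byte header in the sample is taken from the capture, the modulus is a constructed stand-in.

```python
import struct

# Algorithm ids from wincrypt.h for the aiKeyAlg field
KEY_ALGS = {0x00002400: "CALG_RSA_SIGN", 0x0000A400: "CALG_RSA_KEYX"}

# Constructed sample: the 20-byte BLOBHEADER + RSAPUBKEY prefix exactly as it
# appeared at the start of the callback's key blob, followed by a CONSTRUCTED
# 256-byte stand-in for the modulus (the capture's real modulus is not reused).
SAMPLE_BLOB = bytes([0x06, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00,
                     0x52, 0x53, 0x41, 0x31, 0x00, 0x08, 0x00, 0x00,
                     0x01, 0x00, 0x01, 0x00]) + bytes(range(256))

def parse_publickeyblob(blob):
    """Parse a CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, then the modulus."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY (20 bytes)")
    # BLOBHEADER: bType, bVersion, reserved, aiKeyAlg (all little-endian)
    btype, version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    # RSAPUBKEY: magic "RSA1", bitlen, pubexp
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype != 0x06:
        raise ValueError("not a PUBLICKEYBLOB, bType=0x%02x" % btype)
    if magic != b"RSA1":
        raise ValueError("unexpected RSAPUBKEY magic %r" % magic)
    mod_len = bitlen // 8
    modulus_le = blob[20:20 + mod_len]
    if len(modulus_le) != mod_len:
        raise ValueError("truncated modulus: want %d bytes, got %d" % (mod_len, len(modulus_le)))
    return {
        "version": version,
        "alg": KEY_ALGS.get(alg_id, "0x%08x" % alg_id),
        "bits": bitlen,
        "e": pubexp,
        # CryptoAPI stores the modulus little-endian, unlike DER/PEM keys
        "n": int.from_bytes(modulus_le, "little"),
        "extra_bytes": len(blob) - 20 - mod_len,
    }

def from_hex_list(text):
    """Turn the '0x06,0x02,...' listing format used in the capture into bytes."""
    return bytes(int(tok, 16) for tok in text.replace("\n", ",").split(",") if tok.strip())
```

With the full 276-byte blob from the capture, the header decodes to CALG_RSA_SIGN, 2048 bits, public exponent 65537, leaving exactly 256 modulus bytes and nothing trailing.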
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the PCAP: 2016-02-03-EITest-Angler-EK-sends-HydraCrypt-traffic.pcap.zip 529.3 kB (529,304 bytes)
- ZIP archive of the malware and artifacts: 2016-02-03-EITest-Angler-EK-semds-HydraCrypt-malware-and-artifacts.zip 444.5 kB (444,466 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.