Malware-Traffic-Analysis.net - 2015-06-16 - Angler EK from 46.4.235[.]1 sends CryptoWall 3.0 ransomware

2015-06-16 - ANGLER EK FROM 46.4.235[.]1 SENDS CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

NOTES:

More CryptoWall 3.0 ransomware sent from Angler exploit kit (EK) using one of the same bitcoin addresses for ransom payment that we've seen before.
Bitcoin address for ransom payment was: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB
It seems Angler EK has been tweaking its URL patterns quite frequently--on a near daily basis--probably to avoid detection by intrusion detection systems (IDS).
Current URL patterns for Angler don't match ones that we saw a week or two ago.

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

46.4.235[.]1 port 80 - ffiledirausgewertetem.dansfemdomlinks[.]com - Angler EK
50.63.102[.]1 port 80 - afriqinter[.]com - CryptoWall 3.0 ransomware checkin
95.163.121[.]36 port 80 - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - Retrieving CryptoWall 3.0 ransomware decrypt instructions
7oqnsnzwwnm6zb7y.paytwinkgirls[.]com - Another domain from the decrypt instructions
7oqnsnzwwnm6zb7y.paybullionbb[.]com - Another domain from the decrypt instructions
7oqnsnzwwnm6zb7y.paybonymans[.]com - Another domain from the decrypt instructions

ANGLER EK:

2015-06-16 21:11:40 UTC - ffiledirausgewertetem.dansfemdomlinks[.]com - GET /search?og3=uq1ig-ub&qsea=tw0pe&y2p=ywmtm-boz&ik=3l1356-yeu&
fxz=wy6-cjp8uh&9vj15=qe&id=_wg16u

2015-06-16 21:11:42 UTC - ffiledirausgewertetem.dansfemdomlinks[.]com - GET /interact.an?move=&purpose=fQ7ng50ZT&street=_Dngfw&gas=6Mx\254=nV1l&
relationship=4SHM-X9&already=SAM&social=&keep=k_x&since=8lpQQqHr&hand=d1Ebu

2015-06-16 21:11:45 UTC - ffiledirausgewertetem.dansfemdomlinks[.]com - GET /learn.jsf?air=fWpsVmK&turn=I-Cj&method=3_Tfw&social=-hv-cWDV&
research=1lOvWfYnp&design=bw9GxdXDS&strength=11zyFX

POST-INFECTION TRAFFIC (CRYPTOWALL 3.0 RANSOMWARE):

2015-06-16 21:11:57 UTC - ip-addr[.]es - GET /
2015-06-16 21:11:58 UTC - afriqinter[.]com - POST /wp-content/plugins/g4.php?t=ufz7yu4p4236e
2015-06-16 21:12:00 UTC - afriqinter[.]com - POST /wp-content/plugins/g4.php?v=6h2lhzabyq
2015-06-16 21:12:02 UTC - afriqinter[.]com - POST /wp-content/plugins/g4.php?d=c774h55w9in4
2015-06-16 21:12:29 UTC - afriqinter[.]com - POST /wp-content/plugins/g4.php?k=fr4ukwvjppwo
2015-06-16 21:13:04 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /1kwN8ko
2015-06-16 21:13:07 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/style.css
2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/flags/us.png
2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /picture.php?k=1kwn8ko&47621fb89281480886ccb74d9ad1a6fb
2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/flags/fr.png
2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/flags/es.png
2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/rt.png
2015-06-16 21:13:08 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/rb.png
2015-06-16 21:13:10 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/flags/it.png
2015-06-16 21:13:10 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/flags/de.png
2015-06-16 21:13:10 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/lt.png
2015-06-16 21:13:10 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/lb.png
2015-06-16 21:13:12 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /favicon.ico
2015-06-16 21:13:15 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - POST /1kwN8ko
2015-06-16 21:13:17 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/style.css
2015-06-16 21:13:19 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/bitcoin.png
2015-06-16 21:13:19 UTC - 7oqnsnzwwnm6zb7y.paypartyoptions[.]com - GET /img/button_pay.png

Click here to return to the main page.