2015-07-06 - ANGLER EK FROM 74.63.217.220 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the traffic:  2015-07-06-Angler-EK-sends-CryptoWall-3.0.pcap.zip
• ZIP file of the malware:  2015-07-06-Angler-EK-and-CryptoWall-3.0-artifacts.zip

NOTES:

• Bitcoin address for this CryptoWall 3.0 sample is: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 74.63.217.220 port 80 - riotocrainpende.seattlebeerfest.com - Angler EK
• 192.185.195.126 port 80 - ammjeguadalajara.org - CryptoWall 3.0 callback traffic
• 54.84.219.185 port 80 - bioserviciossas.net - CryptoWall 3.0 callback traffic
• 192.185.198.239 port 80 - boschenmasonry.com - CryptoWall 3.0 callback traffic
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.paybrakepoint.com - Checking the decrypt instructions web page

 

ANGLER EK:

• 2015-07-06 17:02:23 UTC - riotocrainpende.seattlebeerfest.com - GET /tarn.php?q=s5YetqLHbIvQfLOlUFN0t78O0sJZN&gk=p2eUNokFvcM&
  s=OThFna7Tcai9ACTT7dzpuG_emKRc&ey=JB3ZI-&m=T267HqAGPeg7EX647Sg&i=JX89xSS

• 2015-07-06 17:02:25 UTC - riotocrainpende.seattlebeerfest.com - GET /administration.hdml?before=c2h0DND&choose=&mother=xBin6fr&
  pull=y9kmdeLh6HFpN4ZearC5TFpbgeakNGd9Nw

• 2015-07-06 17:02:25 UTC - riotocrainpende.seattlebeerfest.com - GET /least.ewp?fire=6ye5iV&leach=w0nvfkDv&technique=aMDD&
  happen=yim1kANRbsR3lCOrQFMnumuStgQRSM

• 2015-07-06 17:02:32 UTC - riotocrainpende.seattlebeerfest.com - GET /report.php?factor=r0ZkDs&almost=NHSv&third=Dhq-KlTY&difference=&
  love=7RCHBLz&school=&none=dWG2CdxqsZ&floor=-uNf&press=4sHt&down=LCyz5

 

CRYPTOWALL 3.0 - IP CHECK AND CALLBACK TRAFFIC:

• 2015-07-06 17:02:38 UTC - ip-addr.es - GET /
• 2015-07-06 17:02:38 UTC - ammjeguadalajara.org - POST /wp-content/plugins/dd.php?s=sq311kgk3imnzd
• 2015-07-06 17:02:39 UTC - boschenmasonry.com - POST /wp-includes/aa.php?u=sq311kgk3imnzd
• 2015-07-06 17:02:40 UTC - bioserviciossas.net - POST /wp-includes/cc.php?o=sq311kgk3imnzd
• 2015-07-06 17:02:44 UTC - ammjeguadalajara.org - POST /wp-content/plugins/dd.php?d=99x7319q2d817l
• 2015-07-06 17:02:44 UTC - boschenmasonry.com - POST /wp-includes/aa.php?p=99x7319q2d817l
• 2015-07-06 17:02:45 UTC - bioserviciossas.net - POST /wp-includes/cc.php?c=99x7319q2d817l
• 2015-07-06 17:02:48 UTC - ammjeguadalajara.org - POST /wp-content/plugins/dd.php?o=qhie6pb8n9zf
• 2015-07-06 17:02:49 UTC - boschenmasonry.com - POST /wp-includes/aa.php?i=qhie6pb8n9zf
• 2015-07-06 17:03:19 UTC - bioserviciossas.net - POST /wp-includes/cc.php?r=qhie6pb8n9zf
• 2015-07-06 17:03:28 UTC - ammjeguadalajara.org - POST /wp-content/plugins/dd.php?q=g7e8dox8xyp
• 2015-07-06 17:03:28 UTC - boschenmasonry.com - POST /wp-includes/aa.php?l=g7e8dox8xyp
• 2015-07-06 17:03:28 UTC - bioserviciossas.net - POST /wp-includes/cc.php?p=g7e8dox8xyp

 

VIEWING THE DECRYPTION INSTRUCTIONS PAGE:

• 2015-07-06 17:03:44 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /1Nswsiv
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/style.css
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/flags/us.png
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/flags/it.png
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/flags/fr.png
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/flags/es.png
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/flags/de.png
• 2015-07-06 17:03:48 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /picture.php?k=1nswsiv&bc0fcf7970bc1d65def29c3ec965e314
• 2015-07-06 17:03:49 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/lt.png
• 2015-07-06 17:03:50 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/rt.png
• 2015-07-06 17:03:50 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/lb.png
• 2015-07-06 17:03:50 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/rb.png
• 2015-07-06 17:03:52 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /favicon.ico
• 2015-07-06 17:03:55 UTC - 6i3cb6owitcouepv.paybrakepoint.com - POST /1Nswsiv
• 2015-07-06 17:03:57 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /picture.php?k=1nswsiv&54b0baa4521148f753683b9f48d9d930
• 2015-07-06 17:04:04 UTC - 6i3cb6owitcouepv.paybrakepoint.com - POST /1Nswsiv
• 2015-07-06 17:04:07 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/bitcoin.png
• 2015-07-06 17:04:07 UTC - 6i3cb6owitcouepv.paybrakepoint.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the traffic:  2015-07-06-Angler-EK-sends-CryptoWall-3.0.pcap.zip
• ZIP file of the malware:  2015-07-06-Angler-EK-and-CryptoWall-3.0-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.