2015-07-06 - ANGLER EK FROM 74.63.217[.]220 SENDS CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-06-Angler-EK-sends-CryptoWall-3.0-ransomware.pcap.zip
• 2015-07-06-Angler-EK-and-CryptoWall-3.0-ransomware-files.zip

NOTES:

• Bitcoin address for this CryptoWall 3.0 ransomware sample is: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 74.63.217[.]220 port 80 - riotocrainpende.seattlebeerfest[.]com - Angler EK
• 192.185.195[.]126 port 80 - ammjeguadalajara[.]org - CryptoWall 3.0 ransomware callback traffic
• 54.84.219[.]185 port 80 - bioserviciossas[.]net - CryptoWall 3.0 ransomware callback traffic
• 192.185.198[.]239 port 80 - boschenmasonry[.]com - CryptoWall 3.0 ransomware callback traffic
• 95.163.121[.]228 port 80 - 6i3cb6owitcouepv.paybrakepoint[.]com - Checking the decrypt instructions web page

 

ANGLER EK:

• 2015-07-06 17:02:23 UTC - riotocrainpende.seattlebeerfest[.]com - GET /tarn.php?q=s5YetqLHbIvQfLOlUFN0t78O0sJZN&gk=p2eUNokFvcM&
  s=OThFna7Tcai9ACTT7dzpuG_emKRc&ey=JB3ZI-&m=T267HqAGPeg7EX647Sg&i=JX89xSS

• 2015-07-06 17:02:25 UTC - riotocrainpende.seattlebeerfest[.]com - GET /administration.hdml?before=c2h0DND&choose=&mother=xBin6fr&
  pull=y9kmdeLh6HFpN4ZearC5TFpbgeakNGd9Nw

• 2015-07-06 17:02:25 UTC - riotocrainpende.seattlebeerfest[.]com - GET /least.ewp?fire=6ye5iV&leach=w0nvfkDv&technique=aMDD&
  happen=yim1kANRbsR3lCOrQFMnumuStgQRSM

• 2015-07-06 17:02:32 UTC - riotocrainpende.seattlebeerfest[.]com - GET /report.php?factor=r0ZkDs&almost=NHSv&third=Dhq-KlTY&difference=&
  love=7RCHBLz&school=&none=dWG2CdxqsZ&floor=-uNf&press=4sHt&down=LCyz5

 

CRYPTOWALL 3.0 - IP CHECK AND CALLBACK TRAFFIC:

• 2015-07-06 17:02:38 UTC - ip-addr[.]es - GET /
• 2015-07-06 17:02:38 UTC - ammjeguadalajara[.]org - POST /wp-content/plugins/dd.php?s=sq311kgk3imnzd
• 2015-07-06 17:02:39 UTC - boschenmasonry[.]com - POST /wp-includes/aa.php?u=sq311kgk3imnzd
• 2015-07-06 17:02:40 UTC - bioserviciossas[.]net - POST /wp-includes/cc.php?o=sq311kgk3imnzd
• 2015-07-06 17:02:44 UTC - ammjeguadalajara[.]org - POST /wp-content/plugins/dd.php?d=99x7319q2d817l
• 2015-07-06 17:02:44 UTC - boschenmasonry[.]com - POST /wp-includes/aa.php?p=99x7319q2d817l
• 2015-07-06 17:02:45 UTC - bioserviciossas[.]net - POST /wp-includes/cc.php?c=99x7319q2d817l
• 2015-07-06 17:02:48 UTC - ammjeguadalajara[.]org - POST /wp-content/plugins/dd.php?o=qhie6pb8n9zf
• 2015-07-06 17:02:49 UTC - boschenmasonry[.]com - POST /wp-includes/aa.php?i=qhie6pb8n9zf
• 2015-07-06 17:03:19 UTC - bioserviciossas[.]net - POST /wp-includes/cc.php?r=qhie6pb8n9zf
• 2015-07-06 17:03:28 UTC - ammjeguadalajara[.]org - POST /wp-content/plugins/dd.php?q=g7e8dox8xyp
• 2015-07-06 17:03:28 UTC - boschenmasonry[.]com - POST /wp-includes/aa.php?l=g7e8dox8xyp
• 2015-07-06 17:03:28 UTC - bioserviciossas[.]net - POST /wp-includes/cc.php?p=g7e8dox8xyp

 

VIEWING THE DECRYPTION INSTRUCTIONS PAGE:

• 2015-07-06 17:03:44 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /1Nswsiv
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/style.css
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/flags/us.png
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/flags/it.png
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/flags/fr.png
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/flags/es.png
• 2015-07-06 17:03:47 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/flags/de.png
• 2015-07-06 17:03:48 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /picture.php?k=1nswsiv&bc0fcf7970bc1d65def29c3ec965e314
• 2015-07-06 17:03:49 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/lt.png
• 2015-07-06 17:03:50 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/rt.png
• 2015-07-06 17:03:50 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/lb.png
• 2015-07-06 17:03:50 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/rb.png
• 2015-07-06 17:03:52 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /favicon.ico
• 2015-07-06 17:03:55 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - POST /1Nswsiv
• 2015-07-06 17:03:57 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /picture.php?k=1nswsiv&54b0baa4521148f753683b9f48d9d930
• 2015-07-06 17:04:04 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - POST /1Nswsiv
• 2015-07-06 17:04:07 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/bitcoin.png
• 2015-07-06 17:04:07 UTC - 6i3cb6owitcouepv.paybrakepoint[.]com - GET /img/button_pay.png

 

Click here to return to the main page.