2015-07-09 - ANGLER EK - 2 EXAMPLES (CRYPTOWALL 3.0 RANSOMWARE AND BEDEP)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-09-Angler-EK-traffic-2-pcaps.zip
• 2015-07-09-Angler-EK-malware-and-artifacts.zip

 

NOTES:

• Bitcoin address for the CryptoWall 3.0 ransomware sample was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same as yesterday).

 

CHAIN OF EVENTS - FIRST EXAMPLE

ASSOCIATED DOMAINS:

• 88.198.54[.]212 port 80 - cansinaceremonieel.firstchoicehealthcaresolutions[.]com - Angler EK
• 50.62.69[.]1 port 80 - avalonmakeupartists[.]com - CryptoWall 3.0 ransomware checkin

 

ANGLER EK:

• 2015-07-09 12:48:30 UTC - cansinaceremonieel.firstchoicehealthcaresolutions[.]com - GET /viewtopic.php?f=29&t=13623654

• 2015-07-09 12:48:33 UTC - cansinaceremonieel.firstchoicehealthcaresolutions[.]com - GET /draw.phtml?English=&never=by4gHhH&company=Z8poT&Christian=&
  French=3WIgOhd&society=&gas=dPHfd5AWD&enough=mrbXORE6CJtuiJ8m0oIn

• 2015-07-09 12:48:36 UTC - cansinaceremonieel.firstchoicehealthcaresolutions[.]com - GET /hit.sites2?common=&throw=Ji_0ev5&affair=OMz&season=RqigbGL&
  difference=r3AyErhI&who=ER-4zze6Q&dead=cTMVCOb&process=eSI1zxL

• 2015-07-09 12:48:38 UTC - cansinaceremonieel.firstchoicehealthcaresolutions[.]com - GET /marriage.rjs?as=&what=sxDqfnp&relate=06PrSf-&attention=sPIwlhSH&
  why=6uMp&day=zLFl&food=eUXKKf9xA&difficulty=3_Ye&up=9MkA8

 

CRYPTOWALL 3.0 POST-INFECTION TRAFFIC:

• 2015-07-09 12:48:42 UTC - ip-addr[.]es - GET /
• 2015-07-09 12:48:43 UTC - avalonmakeupartists[.]com - POST /wp-content/plugins/bb.php?y=n8tjfocklrbfg
• 2015-07-09 12:48:47 UTC - avalonmakeupartists[.]com - POST /wp-content/plugins/bb.php?w=97dhgdtdgq
• 2015-07-09 12:48:50 UTC - avalonmakeupartists[.]com - POST /wp-content/plugins/bb.php?q=mqqjmgijbhd3jjl
• 2015-07-09 12:49:30 UTC - avalonmakeupartists[.]com - POST /wp-content/plugins/bb.php?f=7fgxr1808k4z

 

CHAIN OF EVENTS - SECOND EXAMPLE

ASSOCIATED DOMAINS:

• 178.33.200[.]140 port 80 - out.ipsyc[.]com[.]ar - Malicious javascript pointing to Angler EK
• 176.9.245[.]139 port 80 - ronbun.5540owensmouth213[.]com - Angler EK
• 95.211.230[.]75 port 80 - ainppnucugojxibw[.]com - Bedep-related post-infection traffic
• 162.244.33[.]104 port 80 - vzzekdzpvwoosbv0d[.]com - Bedep-related post-infection traffic
• 95.211.202[.]33 port 80 - t3kkyhb6wi[.]com - Click-fraud traffic domain
• 31.148.220[.]95 port 80 - fvvj24s57af4[.]com - Click-fraud traffic domain
• 162.244.34[.]39 port 80 - ndpxyhnh59b[.]com - Click-fraud traffic domain
• 95.211.189[.]99 port 80 - wv5mcgy37hv4[.]com - Click-fraud traffic domain
• 46.45.137[.]77 port 80 - y643sj32dk[.]com - Click-fraud traffic domain

 

GATE TO ANGLER EK:

• 2015-07-09 13:46:44 UTC - out.ipsyc[.]com[.]ar - GET /js/script.js

 

ANGLER EK:

• 2015-07-09 13:46:50 UTC - ronbun.5540owensmouth213[.]com - GET /viewtopic.php?f=78&t=12128321

• 2015-07-09 13:46:52 UTC - ronbun.5540owensmouth213[.]com - GET /amount.olp?study=OE5KXkr&marry=&strength=UhVy96a6&
  know=Jx9b2qMnLyR8mTcEo1nQS-42Okru8XOvV

• 2015-07-09 13:46:59 UTC - ronbun.5540owensmouth213[.]com - GET /yes.wgp?final=V4ylhdAm11&son=z1EBF&many=q2R1Y1&figure=KTT3KQt8Z&
  dead=-xe1IxFy6&length=4pXEiTA_&different=7

• 2015-07-09 13:47:01 UTC - ronbun.5540owensmouth213[.]com - GET /far.cshtml?family=H1R&corner=bj-&cause=&there=eMU7FI&state=&cost=yPo_ae&
  action=D-KaTaEgxa&England=&study=-cp3d0rwmc&close=745SEvWjeh

 

BEDEP-RELATED POST-INFECTION TRAFFIC:

• 2015-07-09 13:47:06 UTC - www.earthtools[.]org - GET /timezone-1.1/-24.62078/15.58492
• 2015-07-09 13:47:06 UTC - www.ecb.europa[.]eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?44241dc789e08a918a4415d2a1250d5f
• 2015-07-09 13:47:08 UTC - ainppnucugojxibw[.]com - POST /album.php
• 2015-07-09 13:47:08 UTC - vzzekdzpvwoosbv0d[.]com - POST /misc.php
• 2015-07-09 13:47:11 UTC - vzzekdzpvwoosbv0d[.]com - POST /forumdisplay.php
• 2015-07-09 13:47:34 UTC - vzzekdzpvwoosbv0d[.]com - POST /content.php
• 2015-07-09 13:48:56 UTC - vzzekdzpvwoosbv0d[.]com - POST /index.php
• 2015-07-09 13:48:58 UTC - vzzekdzpvwoosbv0d[.]com - POST /newthread.php
• 2015-07-09 13:50:06 UTC - t3kkyhb6wi[.]com - GET /ads.php?sid=1917
• 2015-07-09 13:50:06 UTC - fvvj24s57af4[.]com - GET /ads.php?sid=1917
• 2015-07-09 13:50:06 UTC - ndpxyhnh59b[.]com - GET /ads.php?sid=1917
• 2015-07-09 13:50:06 UTC - wv5mcgy37hv4[.]com - GET /ads.php?sid=1917
• 2015-07-09 13:50:06 UTC - y643sj32dk[.]com - GET /ads.php?sid=1917

 

Click here to return to the main page.