2015-07-14 - ANGLER EK - TWO EXAMPLES - BEDEP & CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-14-Angler-EK-traffic-2-pcaps.zip
• 2015-07-14-Angler-EK-malware-and-artifacts.zip

 

NOTES:

• Didn't get Angler EK's payload for the Bedep infection, just post-infection malware noted at:  C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\certmgr.dll
• Bitcoin address for the CryptoWall 3.0 ransomware sample was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same one I've documented since 2015-07-09).

• Special thanks to @teoseller for letting me know about the compromised web sites!

 

TRAFFIC - EXAMPLE 1 OF 2 (BEDEP)

ASSOCIATED DOMAINS:

• www.elianamonti[.]it - Compromised website
• 178.33.200[.]140 port 80 - uta.dptalchascomus[.]com[.]ar - Redirect
• 185.48.58[.]52 port 80 - kudasignonperpe.gozimbee[.]us - Angler EK
• 95.211.230[.]75 port 80 - ainppnucugojxibw[.]com - Bedep-related post-infection traffic
• 162.244.33[.]101 port 80 - fllbztxgacot[.]com - Bedep-related post-infection traffic
• 95.211.202[.]33 port 80 - stromo3147[.]com - Click-fraud traffic begins
• 31.148.220[.]95 port 80 - s9ysbwd161wd[.]com - Click-fraud traffic begins
• 95.211.189[.]99 port 80 - euzcd5l6l516[.]com - Click-fraud traffic begins
• 162.244.34[.]39 port 80 - sct9uvhxwug[.]com - Click-fraud traffic begins

 

TRAFFIC:

• 2015-07-14 17:58:45 UTC - www.elianamonti[.]it - GET /
• 2015-07-14 17:58:46 UTC - uta.dptalchascomus[.]com[.]ar - GET /widget.js

• 2015-07-14 17:58:50 UTC - kudasignonperpe.gozimbee[.]us - GET /monogram/viewtopic.php?f=60868983&t=89

• 2015-07-14 17:58:52 UTC - kudasignonperpe.gozimbee[.]us - GET /meet.hyperesources?forget=&might=D4pot_3ubT&add=&small=3Es&name=8YFweMi8&little=WDyAy&
  figure=JS8CR&public=u3nY&deal=zydoHzUe&back=HycQM

• 2015-07-14 17:58:52 UTC - kudasignonperpe.gozimbee[.]us - GET /monogram/force.asax?economic=iOf&officer=kjP4Hm35HD&though=&far=V_Sdj&test=&
  permit=vX8AkYzXF&street=bn-nrI3ya&amount=8GIb-gqeX&dog=vCX

• 2015-07-14 17:58:59 UTC - kudasignonperpe.gozimbee[.]us - GET /smile.sht?care=vYe5HD&development=&recently=nymu4CW&list=&west=ZQfV6&a=DfNiJHuI9d&
  as=BUd_Y&cut=rA7sfkPQ2&back=&mark=ewIX5-

• 2015-07-14 17:59:07 UTC - www.earthtools[.]org - GET /timezone-1.1/76.57466/-61.23022
• 2015-07-14 17:59:08 UTC - www.ecb.europa[.]eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?a146f2dd29f49a92697d559e25e9095c
• 2015-07-14 17:59:15 UTC - ainppnucugojxibw[.]com - POST /blog.php
• 2015-07-14 17:59:18 UTC - fllbztxgacot[.]com - POST /include/functions_file.php
• 2015-07-14 17:59:20 UTC - fllbztxgacot[.]com - POST /list.php
• 2015-07-14 17:59:43 UTC - fllbztxgacot[.]com - POST /include/functions_databuild.php
• 2015-07-14 18:01:01 UTC - fllbztxgacot[.]com - POST /forum.php
• 2015-07-14 18:01:06 UTC - fllbztxgacot[.]com - POST /include/class_database_explain.php
• 2015-07-14 18:02:02 UTC - stromo3147[.]com - GET /ads.php?sid=1917
• 2015-07-14 18:02:02 UTC - s9ysbwd161wd[.]com - GET /ads.php?sid=1917
• 2015-07-14 18:02:02 UTC - euzcd5l6l516[.]com - GET /ads.php?sid=1917
• 2015-07-14 18:02:03 UTC - sct9uvhxwug[.]com - GET /ads.php?sid=1917

 

TRAFFIC - EXAMPLE 2 OF 2 (CRYPTOWALL 3.0 RANSOMWARE)

ASSOCIATED DOMAINS:

• www.laclinique[.]it - Compromised website
• 94.131.14[.]34 port 80 - 0stall.zimbee[.]co - Angler EK
• 212.59.247[.]56 port 80 - masanta[.]pl - CryptoWall 3.0 ransomware post-infection traffic
• 212.59.244[.]5 port 80 - monki.info[.]pl - CryptoWall 3.0 ransomware post-infection traffic
• 89.40.32[.]180 port 80 - leooptic[.]ro - CryptoWall 3.0 ransomware post-infection traffic
• 64.90.49[.]124 port 80 - michaelserwa[.]com - CryptoWall 3.0 ransomware post-infection traffic
• 95.163.121[.]228 port 80 - 6i3cb6owitcouepv.mywa2pay[.]com - Viewing the decrypt instructions
• 95.163.121[.]228 port 80 - 6i3cb6owitcouepv.micropaysearch[.]com - Viewing the decrypt instructions
• 6i3cb6owitcouepv.light2mind[.]com - Domain for decrypt instructions that didn't resolve
• 6i3cb6owitcouepv.rightslavebb[.]com - Domain for decrypt instructions that didn't resolve

 

TRAFFIC:

• 2015-07-14 18:31:04 UTC - www.laclinique[.]it - GET /

• 2015-07-14 18:31:09 UTC - 0stall.zimbee[.]co - GET /drawbacks/viewtopic.php?f=1473&t=860380

• 2015-07-14 18:31:12 UTC - 0stall.zimbee[.]co - GET /soon.ppthtml?accept=&half=DATsCI&mother=0FW5jN&dog=a6WZ8T7pV&possible=oUBri&might=p74a&
  effective=-5F&facility=uI-yke-km&discussion=rFmlvy

• 2015-07-14 18:31:17 UTC - 0stall.zimbee[.]co - GET /girl.rhtml?hour=jGlhojat&five=RjReo&director=0MDPMfHuem&almost=&stand=uT3QdWuQh&wish=J677PpV&
  on=&problem=bVePQf&department=D5w

• 2015-07-14 18:31:19 UTC - 0stall.zimbee[.]co - GET /drawbacks/form.btapp?if=1TF&break=&sort=hcLgK8Z&than=2TCa2osEMu&especially=
  n2aB9T9Xg0LegkLe4298VxN-V1S6

• 2015-07-14 18:31:21 UTC - ip-addr[.]es - GET /
• 2015-07-14 18:31:22 UTC - masanta[.]pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/default/img/d.php?e=nh0fdx3foek97y
• 2015-07-14 18:31:28 UTC - monki.info[.]pl - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/e.php?v=nh0fdx3foek97y
• 2015-07-14 18:31:31 UTC - leooptic[.]ro - POST /wp-content/themes/twentytwelve/c.php?j=nh0fdx3foek97y
• 2015-07-14 18:31:31 UTC - michaelserwa[.]com - POST /wp-content/plugins/wp-db-backup-made/a.php?f=nh0fdx3foek97y
• 2015-07-14 18:31:35 UTC - masanta[.]pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/default/img/d.php?b=t3wfcqwien
• 2015-07-14 18:31:36 UTC - monki.info[.]pl - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/e.php?l=t3wfcqwien
• 2015-07-14 18:31:37 UTC - leooptic[.]ro - POST /wp-content/themes/twentytwelve/c.php?g=t3wfcqwien
• 2015-07-14 18:31:39 UTC - michaelserwa[.]com - POST /wp-content/plugins/wp-db-backup-made/a.php?w=t3wfcqwien
• 2015-07-14 18:31:42 UTC - masanta[.]pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/default/img/d.php?o=qfr24a84kkz99k
• 2015-07-14 18:31:43 UTC - monki.info[.]pl - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/e.php?b=qfr24a84kkz99k
• 2015-07-14 18:31:44 UTC - leooptic[.]ro - POST /wp-content/themes/twentytwelve/c.php?w=qfr24a84kkz99k
• 2015-07-14 18:32:15 UTC - michaelserwa[.]com - POST /wp-content/plugins/wp-db-backup-made/a.php?d=qfr24a84kkz99k
• 2015-07-14 18:32:39 UTC - masanta[.]pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/default/img/d.php?q=6n4zd2y91jztm
• 2015-07-14 18:32:40 UTC - monki.info[.]pl - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/e.php?o=6n4zd2y91jztm
• 2015-07-14 18:32:41 UTC - leooptic[.]ro - POST /wp-content/themes/twentytwelve/c.php?t=6n4zd2y91jztm
• 2015-07-14 18:32:43 UTC - michaelserwa[.]com - POST /wp-content/plugins/wp-db-backup-made/a.php?y=6n4zd2y91jztm
• 2015-07-14 18:33:15 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /-------
• 2015-07-14 18:33:17 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/style.css
• 2015-07-14 18:33:18 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/flags/us.png
• 2015-07-14 18:33:18 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/flags/it.png
• 2015-07-14 18:33:19 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/flags/de.png
• 2015-07-14 18:33:19 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/flags/es.png
• 2015-07-14 18:33:19 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /picture.php?k=1nswsiv&996472cec89f2f744419f4f2e8f2a029
• 2015-07-14 18:33:19 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/lt.png
• 2015-07-14 18:33:20 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/flags/fr.png
• 2015-07-14 18:33:20 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/rt.png
• 2015-07-14 18:33:20 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/lb.png
• 2015-07-14 18:33:20 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/rb.png
• 2015-07-14 18:33:22 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /favicon.ico
• 2015-07-14 18:33:26 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - POST /-------
• 2015-07-14 18:33:31 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/bitcoin.png
• 2015-07-14 18:33:31 UTC - 6i3cb6owitcouepv.mywa2pay[.]com - GET /img/button_pay.png
• 2015-07-14 18:33:56 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /-------
• 2015-07-14 18:33:57 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/style.css
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/flags/us.png
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /picture.php?k=1nswsiv&26c42444c398191f40dd9036dde07e2a
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/flags/it.png
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/flags/es.png
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/flags/de.png
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/lt.png
• 2015-07-14 18:34:01 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/flags/fr.png
• 2015-07-14 18:34:01 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/rt.png
• 2015-07-14 18:34:01 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/lb.png
• 2015-07-14 18:34:01 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/rb.png
• 2015-07-14 18:34:03 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /favicon.ico
• 2015-07-14 18:34:06 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - POST /-------
• 2015-07-14 18:34:08 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/bitcoin.png
• 2015-07-14 18:34:08 UTC - 6i3cb6owitcouepv.micropaysearch[.]com - GET /img/button_pay.png

 

Click here to return to the main page.