2015-07-23 - ANGLER EK FROM 216.245.213[.]141 SENDS CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-23-Angler-EK-sends-CryptoWall-3.0-ransomware.pcap.zip
• 2015-07-23-Angler-EK-and-CryptoWall-3.0-ransomware-files.zip

 

NOTES:

• Bitcoin address for this CryptoWall 3.0 ransomware sample's ransom payment was:  1LY58fiaAYFKgev67TN1UJtRveJh81D2dU
• This is the same address I've seen from Angler EK CryptoWall 3.0 ransomware since the beginning of July 2015.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 216.245.213[.]141 port 80 - verzakki.hip-oh[.]com - Angler EK
• ip-addr[.]es - IP address check by the infected machine (caused by CryptoWall 3.0 ransomware)
• 64.90.49[.]124 port 80 - michaelserwa[.]com - CryptoWall 3.0 ransomware callback
• 46.30.43[.]66 port 80 - 6i3cb6owitcouepv.misterhoppo[.]com - Viewing the decrypt instructions
• 46.30.43[.]66 port 80 - 6i3cb6owitcouepv.ministryordas[.]com - Viewing the decrypt instructions
• 6i3cb6owitcouepv.winingpicturess[.]com - Domain in decrypt instructions that didn't resolve
• 6i3cb6owitcouepv.welcome2payload[.]su - Domain in decrypt instructions that didn't resolve

 

ANGLER EK:

• 2015-07-23 18:50:20 UTC - verzakki.hip-oh[.]com - GET /overviews/viewtopic.php?t=3711&f=529640774

• 2015-07-23 18:50:23 UTC - verzakki.hip-oh[.]com - GET /necessary.vbhtml?scene=F1SeJ&necessary=2c3O5mWN&have=AL_K&enemy=6stuMd&they=&
  drop=yxeJTFWA&throw=rwyK8IkBW&prove=&private=WtPEJW&purpose=JU

• 2015-07-23 18:50:26 UTC - verzakki.hip-oh[.]com - GET /white.wpx?sure=&person=n1Xk8vgm&simple=&figure=RxjX4fBuSN&how=&wish=Ch496hXTOV&
  own=RKy&form=6y9rA&fix=n5VjSe6f&hear=RzzE

 

POST-INFECTION TRAFFIC CAUSED BY CRYPTOWALL 3.0:

• 2015-07-23 18:50:35 UTC - ip-addr[.]es - GET /
• 2015-07-23 18:50:35 UTC - michaelserwa[.]com - POST /wp-content/plugins/wp-db-backup-made/a.php?e=mma3j1ngs7h5x
• 2015-07-23 18:50:38 UTC - michaelserwa[.]com - POST /wp-content/plugins/wp-db-backup-made/a.php?q=tlgwzydqnr9yd5
• 2015-07-23 18:50:41 UTC - michaelserwa[.]com - POST /wp-content/plugins/wp-db-backup-made/a.php?y=g7dpi69yp9tqma
• 2015-07-23 18:50:50 UTC - michaelserwa[.]com - POST /wp-content/plugins/wp-db-backup-made/a.php?p=bsx08d9tjfiu7
• 2015-07-23 18:51:01 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /-------
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/style.css
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/flags/us.png
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/flags/fr.png
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/flags/de.png
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/flags/es.png
• 2015-07-23 18:51:04 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/flags/it.png
• 2015-07-23 18:51:05 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /picture.php?k=1nswsiv&8720cb9b42ee81c03c11c9defb91cb2d
• 2015-07-23 18:51:06 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/lt.png
• 2015-07-23 18:51:06 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/rt.png
• 2015-07-23 18:51:06 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/lb.png
• 2015-07-23 18:51:06 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/rb.png
• 2015-07-23 18:51:09 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /favicon.ico
• 2015-07-23 18:51:14 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - POST /-------
• 2015-07-23 18:51:18 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/bitcoin.png
• 2015-07-23 18:51:18 UTC - 6i3cb6owitcouepv.misterhoppo[.]com - GET /img/button_pay.png
• 2015-07-23 18:51:38 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /-------
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/style.css
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/flags/us.png
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/flags/it.png
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/flags/es.png
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/flags/fr.png
• 2015-07-23 18:51:41 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/flags/de.png
• 2015-07-23 18:51:42 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /picture.php?k=1nswsiv&84ebeb50eda94cb4fa0a747e5b7732d6
• 2015-07-23 18:51:43 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/lt.png
• 2015-07-23 18:51:43 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/rt.png
• 2015-07-23 18:51:43 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/lb.png
• 2015-07-23 18:51:43 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/rb.png
• 2015-07-23 18:51:46 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /favicon.ico
• 2015-07-23 18:51:50 UTC - 6i3cb6owitcouepv.ministryordas[.]com - POST /-------
• 2015-07-23 18:51:53 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/bitcoin.png
• 2015-07-23 18:51:53 UTC - 6i3cb6owitcouepv.ministryordas[.]com - GET /img/button_pay.png

 

Click here to return to the main page.