Malware-Traffic-Analysis.net - 2015-07-27 - Angler EK from 69.162.116[.]253 sends CryptoWall 3.0 ransomware

2015-07-27 - ANGLER EK FROM 69.162.116[.]253 SENDS CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

NOTES:

Bitcoin address for the CryptoWall 3.0 ransomware sample's payment was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same one I've documented since 2015-07-09).

TRAFFIC

ASSOCIATED DOMAINS:

www.excelsiorhotelhongkong[.]net - Compromised website
128.199.86[.]71 port 80 - roegrllj.hopto[.]org - Redirect/gate pointing to Angler EK
69.162.116[.]253 port 80 - ausgezaehltesfociavi.ladyelvis.ca - Angler EK
212.83.185[.]105 port 80 - moblineh[.]com - Post-infection CryptoWall 3.0 ransomware callback
54.187.137[.]89 port 80 - eduvantage[.]com - Post-infection CryptoWall 3.0 ransomware callback
95.163.121[.]212 port 80 - 6i3cb6owitcouepv.spatopayforwin[.]com - Viewing the decrypt instructions
95.163.121[.]212 port 80 - 6i3cb6owitcouepv.bythepaywayall[.]com - Viewing the decrypt instructions
6i3cb6owitcouepv.lowallmoneypool[.]com - domain for decrypt instructions that did not resolve in DNS
6i3cb6owitcouepv.transoptionpay[.]com - domain for decrypt instructions that did not resolve in DNS

TRAFFIC:

2015-07-27 15:11:24 UTC - www.excelsiorhotelhongkong[.]net - GET /
2015-07-27 15:11:26 UTC - roegrllj.hopto[.org - GET /wordpress/?bf7N&utm_source=dazzer

2015-07-27 15:11:27 UTC - ausgezaehltesfociavi.ladyelvis[.]ca - GET /plaque/viewtopic.php?t=9600&f=aebf211gcd4141169
2015-07-27 15:11:29 UTC - ausgezaehltesfociavi.ladyelvis[.]ca - GET /total.xhtml?within=Fq0OZM8jp4&attitude=odP&class=&read=_5G7n0XpmZ9fWx
YXQMKW8D1GV7heMUbAafO
2015-07-27 15:11:32 UTC - ausgezaehltesfociavi.ladyelvis.ca - GET /charge.dml?lady=VXvTq&other=TEOcV7m&suddenly=oU6PVU&company=4tO&
fine=9HQ9cv7cO&poet=XFz&try=KshAD8&effect=huP423mJz

2015-07-27 15:11:38 UTC - ip-addr[.]es - GET /
2015-07-27 15:11:39 UTC - moblineh[.]com - POST /modules/mod_tower/rrrrr.php?c=rpsrdmg4hp
2015-07-27 15:11:39 UTC - moblineh[.]com - GET /cgi-sys/suspendedpage.cgi?c=rpsrdmg4hp
2015-07-27 15:11:40 UTC - eduvantage[.]com - POST /wp-content/uploads/rrrr.php?u=rpsrdmg4hp
2015-07-27 15:11:42 UTC - moblineh[.]com - POST /modules/mod_tower/rrrrr.php?i=0r4v3g1cex40s0m
2015-07-27 15:11:43 UTC - moblineh[.]com - GET /cgi-sys/suspendedpage.cgi?i=0r4v3g1cex40s0m
2015-07-27 15:11:43 UTC - eduvantage[.]com - POST /wp-content/uploads/rrrr.php?r=0r4v3g1cex40s0m
2015-07-27 15:11:46 UTC - moblineh[.]com - POST /modules/mod_tower/rrrrr.php?g=e6uh4sdoqgts
2015-07-27 15:11:47 UTC - moblineh[.]com - GET /cgi-sys/suspendedpage.cgi?g=e6uh4sdoqgts
2015-07-27 15:11:47 UTC - eduvantage[.]com - POST /wp-content/uploads/rrrr.php?h=e6uh4sdoqgts
2015-07-27 15:11:56 UTC - moblineh[.]com - POST /modules/mod_tower/rrrrr.php?c=28tyfu1ebf
2015-07-27 15:11:57 UTC - moblineh[.]com - GET /cgi-sys/suspendedpage.cgi?c=28tyfu1ebf
2015-07-27 15:11:57 UTC - eduvantage[.]com - POST /wp-content/uploads/rrrr.php?g=28tyfu1ebf
2015-07-27 15:12:11 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /removed
2015-07-27 15:12:12 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/style.css
2015-07-27 15:12:12 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/flags/us.png
2015-07-27 15:12:13 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/flags/es.png
2015-07-27 15:12:13 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/flags/it.png
2015-07-27 15:12:13 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/flags/fr.png
2015-07-27 15:12:13 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/flags/de.png
2015-07-27 15:12:14 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /picture.php?k=1nswsiv&352fb25625b841239edae3598e303094
2015-07-27 15:12:14 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/lt.png
2015-07-27 15:12:15 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/rt.png
2015-07-27 15:12:15 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/lb.png
2015-07-27 15:12:15 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/rb.png
2015-07-27 15:12:17 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /favicon.ico
2015-07-27 15:12:21 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - POST /removed
2015-07-27 15:12:23 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/bitcoin.png
2015-07-27 15:12:23 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/button_pay.png
2015-07-27 15:13:02 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /removed
2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/style.css
2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/flags/us.png
2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/flags/de.png
2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/flags/es.png
2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/flags/it.png
2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/flags/fr.png
2015-07-27 15:13:04 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /picture.php?k=1nswsiv&b23cb2379e4570a81be26b0ee1346d2f
2015-07-27 15:13:05 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/lt.png
2015-07-27 15:13:06 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/rt.png
2015-07-27 15:13:06 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/lb.png
2015-07-27 15:13:06 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/rb.png
2015-07-27 15:13:08 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /favicon.ico
2015-07-27 15:13:12 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - POST /removed
2015-07-27 15:13:14 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/bitcoin.png
2015-07-27 15:13:14 UTC - 6i3cb6owitcouepv.bythepaywayall[.]com - GET /img/button_pay.png
2015-07-27 15:14:40 UTC - 6i3cb6owitcouepv.spatopayforwin[.]com - GET /img/button_pay_sel.png

Click here to return to the main page.