2015-07-31 - ANGLER EK FROM 69.162.112[.]181 SENDS CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-31-Angler-EK-traffic-2-pcaps.zip
• 2015-07-31-Angler-EK-and-CryptoWall-ransomware-files.zip

NOTES:

• Bitcoin address for this CryptoWall 3.0 ransomware sample's payment was:  1LY58fiaAYFKgev67TN1UJtRveJh81D2dU

 

TRAFFIC

ANGLER EK - EXAMPLE 1 OF 2 (2015-07-31 at 13:17 UTC):

• 69.162.112[.]181 port 80 - subcity.entreeonlinestore[.]com - GET /forums/viewtopic.php?t=53spa&f=ee7go0n4

• 69.162.112[.]181 port 80 - subcity.entreeonlinestore[.]com - GET /effect.esproj?service=E5VaQEhh&around=e9n7PdzRW&relate=gKg&claim=
  KJfn_&herself=SCZkkQNqdq&mind=&member=TIGd&they=Ccx1OqPyf

• 69.162.112[.]181 port 80 - subcity.entreeonlinestore[.]com - GET /represent.a5w?window=q2YeY&shall=A6XoN&strength=aaUWf&including=
  bi-pOe2A&field=zTkKToXWzK&allow=axzFH&English=_30Agg65Xx

 

ANGLER EK - EXAMPLE 2 OF 2 (2015-07-31 at 13:23 UTC):

• 69.162.112[.]181 port 80 - wiedererzaehltem.entreeonlinestore[.]com - GET /forums/viewforum.php?f=72qxm&sid=lnehl180

• 69.162.112[.]181 port 80 - wiedererzaehltem.entreeonlinestore[.]com - GET /respect.rjs?aid=FE0&foot=BGTs0ObcrV&general=qev0&dark=
  pYokFijo0TinWWYyu6bLvW-K1hnFgO0

• 69.162.112[.]181 port 80 - wiedererzaehltem.entreeonlinestore[.]com - GET /could.jsp?buy=XU1AeDDHxz&earth=&rate=oFMjMt&rest=&boat=
  Q-9&organization=0Qp018v61r&hotel=o3oUvyis&let=Q1J&that=dxI&reach=0EH44

 

CRYPTOWALL 3.0 RANSOMWARE POST-INFECTION TRAFFIC (FROM SAME PCAP AS EXAMPLE 2 OF 2):

• ip-addr[.]es - GET /   [IP address check]
• 49.50.8[.]41 port 80 - homestyle1974[.]com - POST /wp-content/uploads/rrr.php?[single letter]=[random string]
• 194.228.50[.]123 port 80 - kesbuk[.]cz - POST /wp-content/uploads/rrrr.php?[single letter]=[random string]
• 81.177.167[.]191 port 80 - 6i3cb6owitcouepv.spatopayforwin[.]com - Decrypt instructions web page
• 81.177.167[.]191 port 80 - 6i3cb6owitcouepv.bythepaywayall[.]com - Decrypt instructions web page
• 6i3cb6owitcouepv.lowallmoneypool[.]com - Domain for decrypt instructions that did not resolve
• 6i3cb6owitcouepv.transoptionpay[.]com - Domain for decrypt instructions that did not resolve

 

Click here to return to the main page.