2015-11-20 - ANGLER EK FROM 209.133.203[.]204 SENDS CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSSOCIATED FILES:

• 2015-11-20-Angler-EK-sends-CryptoWall-3.0-ransomware-traffic.pcap.zip   939.2 kB (939,225 bytes)
• 2015-11-20-Angler-EK-sends-CryptoWall-3.0-ransomware-files.zip   278.5 kB (278,467 bytes)

 

TRAFFIC

ASSOCIATED DOMAINS:

• 209.133.203[.]204 port 80 - merkkivuonnaandefluiate.fishingtower[.]com - Angler EK
• ip-addr[.]es - IP address check by the malware
• 46.30.212[.]60 port 80 - adeolamedia[.]com - CryptoWall ransomware post-infection callback
• 46.30.212[.]119 port 80 - autonomenab[.]se - CryptoWall ransomware post-infection callback
• ayh2m57ruxjtwyd5.abctopayforwin[.]com - Page that appeared when user went to the decrypt instructions
• ayh2m57ruxjtwyd5.bcdthepaywayall[.]com - Page that appeared when user went to the decrypt instructions
• ayh2m57ruxjtwyd5.deballmoneypool[.]com - Doesn't resolve in DNS
• ayh2m57ruxjtwyd5.armnsoptionpay[.]com - Page from hosting provider

 

 

Click here to return to the main page.