Introduction
In the past two days, I've infected two hosts from Angler exploit kit (EK) domains at 216.245.213.0/24. Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB
On Tuesday, 2015-05-26 at 15:17 UTC, I infected a host where Angler EK sent Bedep as a malware payload before getting CryptoWall 3.0 [1]. On Wednesday, 2015-05-27 at 17:30 UTC, I infected a host where Angler EK sent CryptoWall 3.0 as the malware payload. I usually see Angler EK send different types of ransomware [2, 3], and I've seen plenty of CryptoWall 3.0 samples from Magnitude EK; however, this is the first time I've noticed CryptoWall from Angler EK.
Traffic from the infected host
CryptoWall 3.0 traffic has changed a bit since my first diary about it on 2015-01-19 [4]. The traffic below was seen from the infected host on 2015-05-27 starting at 17:30 UTC.
Associated domains:
Angler EK:
CryptoWall 3.0 check-in traffic:
Note: These URLs were repeated several times with different random strings at the end.
Traffic caused by viewing the CryptoWall decrypt instructions in a browser:
Preliminary malware analysis
Malware payload delivered by Angler EK on 2015-05-27:
Final words
A pcap of the 2015-05-27 infection traffic is available at:
A zip file of the associated malware is available at:
The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.
---
References:
[1] http://malware-traffic-analysis.net/2015/05/26/index.html
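As an added example (not part of the diary or its pcap), the following Python script shows how a defender might triage proxy logs for the behaviour described above: contacts with the Angler EK range 216.245.213.0/24, contacts with the decrypt-instruction address 95.163.121.105 reported by a reader in the comments, and check-in requests that repeat with only the random string at the end changing. The log lines, hostnames and paths are constructed placeholders, not the real CryptoWall URLs.

```python
import ipaddress
import re
from collections import Counter

# Indicators taken from the diary and its comments: Angler EK domains hosted in
# 216.245.213.0/24 and the decrypt-instruction site at 95.163.121.105.
ANGLER_EK_NET = ipaddress.ip_network("216.245.213.0/24")
DECRYPT_SITE_IPS = {ipaddress.ip_address("95.163.121.105")}

# Constructed sample proxy log (timestamp, client, destination IP, method, URL).
# Hostnames, paths and the trailing random strings are hypothetical placeholders.
SAMPLE_LOG = """\
2015-05-27T17:30:02Z 192.168.1.50 216.245.213.10 GET http://ek-landing.example/index.php
2015-05-27T17:30:41Z 192.168.1.50 203.0.113.7 POST http://checkin.example/c/ab12cd9
2015-05-27T17:30:55Z 192.168.1.50 203.0.113.7 POST http://checkin.example/c/zz9q1mx
2015-05-27T17:31:10Z 192.168.1.50 203.0.113.7 POST http://checkin.example/c/kk77ppq
2015-05-27T17:33:00Z 192.168.1.50 95.163.121.105 GET http://decrypt.example/info.html
2015-05-27T17:35:00Z 192.168.1.51 198.51.100.9 GET http://news.example/index.html
"""


def normalize_url(url):
    """Replace the trailing run of letters/digits with a token so that URLs which
    differ only by the random string at the end collapse to a single key."""
    return re.sub(r"[A-Za-z0-9]+$", "<rand>", url)


def triage(log_text, min_repeats=3):
    """Return (clients that touched the EK /24, clients that fetched the decrypt
    instructions, (client, URL pattern) pairs seen at least min_repeats times)."""
    ek_clients, decrypt_clients, patterns = set(), set(), Counter()
    for line in log_text.splitlines():
        _ts, client, dest, _method, url = line.split()
        dest_ip = ipaddress.ip_address(dest)
        if dest_ip in ANGLER_EK_NET:
            ek_clients.add(client)
        if dest_ip in DECRYPT_SITE_IPS:
            decrypt_clients.add(client)
        patterns[(client, normalize_url(url))] += 1
    repeated = {key for key, n in patterns.items() if n >= min_repeats}
    return ek_clients, decrypt_clients, repeated


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The repeated-pattern check is a coarse heuristic: lower the threshold or tighten the regex to the real check-in path once you have the URLs from the pcap.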
Brad, ISC Handler
May 28th 2015
I just had a customer infected about 4 days ago.
I took a VM image of their machine before I trashed the hard drive. Can I help in any way to help find these punks? I took a Wireshark trace and the IP points to 95.163.121.105. Not sure if it is a proxy or what, but would love to help if I can in any way. Thanks, Silent
Anonymous
Jun 3rd 2015
Silent,
Thanks for the information! 95.163.121.105 is one of the websites used to view the decrypt instructions (as shown in the blog entry). It's not uncommon to see the same IP address space used for a long period of time. Hopefully, it will help as an indicator of compromise for others. Thanks again. - Brad
Brad, ISC Handler
Jun 3rd 2015