Notes
  • Angler EK traffic patterns have been undergoing many changes lately
  • Brad over at Malware-Traffic-Analysis.net actually just observed this same Angler EK landing (but from a different compromised domain)
PCAP and Malware
Compromised Domain and Redirection

2015-06-16 23:13:34 UTC - 89.46.66.21 - ferrettiwatches.com - GET /
2015-06-16 23:13:39 UTC - 5.101.118.152 - qllhje.hopto.org - GET /wordpress/?bf7N&utm_source=dazzer

Angler EK Traffic

2015-06-16 23:13:39 UTC - 46.4.235.1 - volkstaenzen.dansfemdomlinks.com - GET /search?wf62=-6dq&cn-o=pkwp&833=o&56p8=n63ehc_2&nk0o=am&o4=slm22xus&wnva0=m4&gasw=de5wl&_l=8vl6b9&lpb5o=ei345e2&1la=mjp
2015-06-16 23:13:45 UTC - 46.4.235.1 - volkstaenzen.dansfemdomlinks.com - GET /father.dbm?spend=T2v&page=Bq80Cz&head=zrYdupamVW&so=mlM2_cQZXi&field=oBSgsDXHl&send=JLVxXn92&deal=o0

CryptoWall 3.0 Checkin

2015-06-16 23:13:56 UTC - 188.165.164.184 - ip-addr.es - GET /
2015-06-16 23:13:56 UTC - 69.89.31.130 - shannonmariephotographystudio.com - POST /wp-content/plugins/g5.php?n=5w426lc52fc5
2015-06-16 23:13:59 UTC - 69.89.31.130 - shannonmariephotographystudio.com - POST /wp-content/plugins/g5.php?c=7d7fdsk51gpclk4
2015-06-16 23:14:02 UTC - 69.89.31.130 - shannonmariephotographystudio.com - POST /wp-content/plugins/g5.php?b=vdc062z0o20173
2015-06-16 23:14:27 UTC - 69.89.31.130 - shannonmariephotographystudio.com - POST /wp-content/plugins/g5.php?c=n58cdmb50ma33
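As an added example (not part of the original post), the Python below parses the request lines above, labels each one with its stage in the chain (redirect, Angler landing, payload fetch, IP check, CryptoWall check-in) and confirms the landing-payload-check-in sequence is present. The matching heuristics (a hopto.org gate carrying utm_source, many short random parameter names, an unusual extension with dictionary-word keys, a single one-letter POST key) are this example's own reading of this capture, not Emerging Threats rule logic.

```python
import re

# Constructed sample: the HTTP requests from this write-up's traffic listing (entry site -> redirect -> Angler EK -> CryptoWall C2).
SAMPLE_TRAFFIC = """\
2015-06-16 23:13:34 UTC - 89.46.66.21 - ferrettiwatches.com - GET /
2015-06-16 23:13:39 UTC - 5.101.118.152 - qllhje.hopto.org - GET /wordpress/?bf7N&utm_source=dazzer
2015-06-16 23:13:39 UTC - 46.4.235.1 - volkstaenzen.dansfemdomlinks.com - GET /search?wf62=-6dq&cn-o=pkwp&833=o&56p8=n63ehc_2&nk0o=am&o4=slm22xus&wnva0=m4&gasw=de5wl&_l=8vl6b9&lpb5o=ei345e2&1la=mjp
2015-06-16 23:13:45 UTC - 46.4.235.1 - volkstaenzen.dansfemdomlinks.com - GET /father.dbm?spend=T2v&page=Bq80Cz&head=zrYdupamVW&so=mlM2_cQZXi&field=oBSgsDXHl&send=JLVxXn92&deal=o0
2015-06-16 23:13:56 UTC - 188.165.164.184 - ip-addr.es - GET /
2015-06-16 23:13:56 UTC - 69.89.31.130 - shannonmariephotographystudio.com - POST /wp-content/plugins/g5.php?n=5w426lc52fc5
2015-06-16 23:13:59 UTC - 69.89.31.130 - shannonmariephotographystudio.com - POST /wp-content/plugins/g5.php?c=7d7fdsk51gpclk4
"""

def query_params(uri):
    """Query string as (key, value) pairs; a bare key such as bf7N gets an empty value."""
    q = uri.split("?", 1)[1] if "?" in uri else ""
    return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in q.split("&") if p]

def classify(req):
    """Map a parsed request to a chain stage, or None (heuristics read off this traffic, not ET rule logic)."""
    host, method, uri = req["host"], req["method"], req["uri"]
    path, params = uri.split("?", 1)[0], query_params(uri)
    if host == "ip-addr.es":
        return "ip_check"            # CryptoWall looks up the victim's public IP first
    if host.endswith(".hopto.org") and "utm_source=" in uri:
        return "redirect"            # dynamic-DNS gate carrying the utm_source tag
    if method == "GET" and len(params) >= 7 and any(re.search(r"\d", k) for k, _ in params):
        return "angler_landing"      # many short, random-looking parameter names
    if (method == "GET" and len(params) >= 5 and all(k.isalpha() for k, _ in params)
            and path.rpartition("/")[2].rpartition(".")[2] not in ("", "php", "html", "htm", "js")):
        return "angler_payload"      # unusual extension (.dbm here) with dictionary-word keys
    if (method == "POST" and "/wp-content/plugins/" in path and path.endswith(".php")
            and len(params) == 1 and len(params[0][0]) == 1 and params[0][1].isalnum()):
        return "cryptowall_checkin"  # single one-letter key, e.g. g5.php?n=<id>

def reconstruct_chain(text):
    """Ordered (timestamp, host, stage) triples for every request that matched a stage."""
    chain = []
    for line in text.splitlines():
        m = re.match(r"^(?P<ts>\S+ \S+) UTC - (?P<ip>[\d.]+) - (?P<host>\S+) - (?P<method>GET|POST) (?P<uri>\S+)$", line)
        stage = classify(m.groupdict()) if m else None
        if stage:
            chain.append((m.group("ts"), m.group("host"), stage))
    return chain

def infection_confirmed(chain):
    """True when landing, payload fetch and a CryptoWall check-in appear in that order."""
    stages = [s for _, _, s in chain]
    pos = [stages.index(s) for s in ("angler_landing", "angler_payload", "cryptowall_checkin") if s in stages]
    return len(pos) == 3 and pos == sorted(pos)
```

The initial GET / to the compromised site is deliberately left unclassified; it only becomes suspicious in the context of the redirect that follows it.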

CryptoWall Ransom Addresses / Bitcoin Wallets
  • 7oqnsnzwwnm6zb7y.paypartyoptions.com/afv3YU
  • 7oqnsnzwwnm6zb7y.paytwinkgirls.com/afv3YU
  • 7oqnsnzwwnm6zb7y.paybullionbb.com/afv3YU
  • 7oqnsnzwwnm6zb7y.paybonymans.com/afv3YU
  • Wallet Address: 1Eegn9qzTkyVgW7tr1rwchvtwWEszrfdrF
  • 7 Transactions so far, total of 8.98 Bitcoin received: https://blockchain.info/address/1Eegn9qzTkyVgW7tr1rwchvtwWEszrfdrF
IDS alerts using the Emerging Threats Pro Ruleset (ET INFO disabled) on Suricata 2.0.8

2015-06-16 23:13:39 UTC - 192.168.40.14:49610 -> 5.101.118.152:80 - ET CURRENT EVENTS Malicious Redirect Leading to EK Apr 03 2015
2015-06-16 23:13:40 UTC - 192.168.40.14:49612 -> 46.4.235.1:80 - ETPRO CURRENT EVENTS Angler EK Landing URI Struct Jun 16 M1
2015-06-16 23:13:40 UTC - 46.4.235.1:80 -> 192.168.40.14:49612 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M1
2015-06-16 23:13:40 UTC - 46.4.235.1:80 -> 192.168.40.14:49612 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M2
2015-06-16 23:13:40 UTC - 46.4.235.1:80 -> 192.168.40.14:49612 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M3
2015-06-16 23:13:40 UTC - 46.4.235.1:80 -> 192.168.40.14:49612 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M4
2015-06-16 23:13:40 UTC - 46.4.235.1:80 -> 192.168.40.14:49612 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-06-16 23:13:45 UTC - 46.4.235.1:80 -> 192.168.40.14:49616 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (13)
2015-06-16 23:13:45 UTC - 46.4.235.1:80 -> 192.168.40.14:49616 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (11) M2
2015-06-16 23:13:56 UTC - 192.168.40.14:49617 -> 188.165.164.184:80 - ET POLICY Possible IP Check ip-addr.es
2015-06-16 23:13:58 UTC - 192.168.40.14:49618 -> 69.89.31.130:80 - ET TROJAN CryptoWall Check-in
2015-06-16 23:14:02 UTC - 192.168.40.14:49619 -> 69.89.31.130:80 - ET TROJAN CryptoWall Check-in
2015-06-16 23:14:05 UTC - 192.168.40.14:49620 -> 69.89.31.130:80 - ET TROJAN CryptoWall Check-in
2015-06-16 23:13:40 UTC - 46.4.235.1:80 -> 192.168.40.14:49612 - ETPRO CURRENT EVENTS Angler EK Landing June 15 2015
2015-06-16 23:14:29 UTC - 192.168.40.14:49621 -> 69.89.31.130:80 - ET TROJAN CryptoWall Check-in

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.