Notes
  • Nothing special here, just Angler EK dropping CryptoWall 3.0 from a compromised website
  • No malware sample this time
PCAP and Malware
Compromised Domain

2015-07-21 03:51:03 UTC - 54.195.250.178 - www.goldengekko.com - GET /careers_positions/head-of-solutions-architecture-development/

Angler EK Traffic

2015-07-21 03:51:20 UTC - 185.43.223.163 - quakinglysidererions.partnerwithjamar.com - GET /sleek/viewforum.php?f=941&sid=0970883
2015-07-21 03:51:29 UTC - 185.43.223.163 - quakinglysidererions.partnerwithjamar.com - GET /reach.csp?describe=&instance=fLWG&former=B96dDyeds&ride=&French=g53mVBbICnhu0Je5A7KC9QB7A9bnklNHjo7
2015-07-21 03:51:39 UTC - 185.43.223.163 - quakinglysidererions.partnerwithjamar.com - GET /feeling.svc?station=bWEvZC&money=wn5w&you=OVey&leach=Gf_m-_Lo&town=g0Y3&finally=QEVJwUwM1&walk=sU5dH7VEh1&information=UUl
2015-07-21 03:51:43 UTC - 185.43.223.163 - quakinglysidererions.partnerwithjamar.com - GET /sleek/religious.zhtml?each=&know=hd7&kill=&from=-tUMHiep&choose=eVXNB&back=&responsibility=-wr_Otb5&simply=oZ_vPEG3wZRd0yU7aXjv5IPG

Post-Infection CryptoWall 3.0 Traffic

2015-07-21 03:51:46 UTC - 188.165.164.184 - ip-addr.es - GET /
2015-07-21 03:51:46 UTC - 95.85.4.87 - hotfrance.ru - POST /wp-content/themes/dreamynight-10/a.php?j=74d9pxs1f5w
2015-07-21 03:52:17 UTC - 5.10.68.189 - blueskyzworld.com - POST /wp-content/plugins/wp-antibot-standart/d.php?t=74d9pxs1f5w
2015-07-21 03:52:21 UTC - 95.85.4.87 - hotfrance.ru - POST /wp-content/themes/dreamynight-10/a.php?t=z65keexhykpuxc7
2015-07-21 03:52:52 UTC - 5.10.68.189 - blueskyzworld.com - POST /wp-content/plugins/wp-antibot-standart/d.php?r=z65keexhykpuxc7
2015-07-21 03:52:54 UTC - 95.85.4.87 - hotfrance.ru - POST /wp-content/themes/dreamynight-10/a.php?q=mzu0hwe6fjgz39

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8 (INFO disabled)

2015-07-21 03:51:08 UTC - 54.195.250.178:80 -> 192.168.21.40:49181 - ET CURRENT EVENTS Possible Evil Redirector Leading to EK June 10 2015
2015-07-21 03:51:08 UTC - 54.195.250.178:80 -> 192.168.21.40:49181 - ET CURRENT EVENTS Possible Evil Redirector Leading to EK June 10 2015
2015-07-21 03:51:21 UTC - 192.168.21.40:49201 -> 185.43.223.163:80 - ETPRO CURRENT EVENTS Possible Angler EK Landing URI Struct Jul 15 M1 T3
2015-07-21 03:51:21 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Possible Angler EK Landing May 16 M2
2015-07-21 03:51:21 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M4
2015-07-21 03:51:21 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-07-21 03:51:22 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015 T1
2015-07-21 03:51:29 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Possible Angler EK Landing May 16 M2
2015-07-21 03:51:29 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-07-21 03:51:29 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015 T1
2015-07-21 03:51:29 UTC - 192.168.21.40:49201 -> 185.43.223.163:80 - ETPRO CURRENT EVENTS Angler EK Flash Exploit (IE) Jun 16 M1 T2
2015-07-21 03:51:29 UTC - 192.168.21.40:49201 -> 185.43.223.163:80 - ETPRO CURRENT EVENTS Angler EK Flash Exploit (IE) Jun 16 M1 T3
2015-07-21 03:51:29 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Possible Angler EK Flash Exploit June 16 2015 M1
2015-07-21 03:51:29 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Angler EK Flash Exploit M2
2015-07-21 03:51:29 UTC - 192.168.21.40:49201 -> 185.43.223.163:80 - ET POLICY Outdated Windows Flash Version IE
2015-07-21 03:51:39 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Possible Angler EK Payload June 16 2015 M2
2015-07-21 03:51:39 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (12)
2015-07-21 03:51:39 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (13)
2015-07-21 03:51:39 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (23)
2015-07-21 03:51:39 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (11) M2
2015-07-21 03:51:43 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Possible Angler EK Payload June 16 2015 M2
2015-07-21 03:51:46 UTC - 192.168.21.40:49262 -> 188.165.164.184:80 - ET POLICY Possible IP Check ip-addr.es
2015-07-21 03:51:48 UTC - 185.43.223.163:80 -> 192.168.21.40:49273 - ETPRO CURRENT EVENTS Possible Angler EK Payload June 16 2015 M2
2015-07-21 03:51:48 UTC - 185.43.223.163:80 -> 192.168.21.40:49273 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (24)
2015-07-21 03:51:48 UTC - 185.43.223.163:80 -> 192.168.21.40:49273 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (25)
2015-07-21 03:51:48 UTC - 185.43.223.163:80 -> 192.168.21.40:49273 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (16) M2
2015-07-21 03:51:48 UTC - 185.43.223.163:80 -> 192.168.21.40:49273 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (26)
2015-07-21 03:51:48 UTC - 185.43.223.163:80 -> 192.168.21.40:49273 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (27)
2015-07-21 03:52:17 UTC - 192.168.21.40:49263 -> 95.85.4.87:80 - ET TROJAN CryptoWall Check-in
2015-07-21 03:52:17 UTC - 192.168.21.40:49263 -> 95.85.4.87:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-21 03:52:19 UTC - 192.168.21.40:49403 -> 5.10.68.189:80 - ET TROJAN CryptoWall Check-in
2015-07-21 03:52:52 UTC - 192.168.21.40:49404 -> 95.85.4.87:80 - ET TROJAN CryptoWall Check-in
2015-07-21 03:52:52 UTC - 192.168.21.40:49404 -> 95.85.4.87:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
2015-07-21 03:52:54 UTC - 192.168.21.40:49410 -> 5.10.68.189:80 - ET TROJAN CryptoWall Check-in
2015-07-21 03:53:05 UTC - 192.168.21.40:49411 -> 95.85.4.87:80 - ET TROJAN CryptoWall Check-in
2015-07-21 03:53:05 UTC - 192.168.21.40:49411 -> 95.85.4.87:80 - ET TROJAN HTTP POST to WP Theme Directory Without Referer
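The two listings above line up into one infection chain: redirect from the compromised site, Angler EK landing, Flash exploit, XTEA-encrypted payload, IP check, then CryptoWall check-ins. The script below, an added example and not part of the original post, parses a subset of the page's own traffic and Suricata lines (copied verbatim), maps each ET/ETPRO signature to a chain stage by a keyword I chose, and pairs the first alert of each stage with the nearest request to the same server, since flow-based alerts can fire after the request that caused them.

```python
import re
from datetime import datetime
# Sample records copied from this page's listings (a subset of each section).
HTTP_LOG = """\
2015-07-21 03:51:03 UTC - 54.195.250.178 - www.goldengekko.com - GET /careers_positions/head-of-solutions-architecture-development/
2015-07-21 03:51:20 UTC - 185.43.223.163 - quakinglysidererions.partnerwithjamar.com - GET /sleek/viewforum.php?f=941&sid=0970883
2015-07-21 03:51:29 UTC - 185.43.223.163 - quakinglysidererions.partnerwithjamar.com - GET /reach.csp?describe=&instance=fLWG&former=B96dDyeds&ride=&French=g53mVBbICnhu0Je5A7KC9QB7A9bnklNHjo7
2015-07-21 03:51:39 UTC - 185.43.223.163 - quakinglysidererions.partnerwithjamar.com - GET /feeling.svc?station=bWEvZC&money=wn5w&you=OVey&leach=Gf_m-_Lo&town=g0Y3&finally=QEVJwUwM1&walk=sU5dH7VEh1&information=UUl
2015-07-21 03:51:46 UTC - 188.165.164.184 - ip-addr.es - GET /
2015-07-21 03:51:46 UTC - 95.85.4.87 - hotfrance.ru - POST /wp-content/themes/dreamynight-10/a.php?j=74d9pxs1f5w
"""
ALERT_LOG = """\
2015-07-21 03:51:08 UTC - 54.195.250.178:80 -> 192.168.21.40:49181 - ET CURRENT EVENTS Possible Evil Redirector Leading to EK June 10 2015
2015-07-21 03:51:21 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M4
2015-07-21 03:51:29 UTC - 192.168.21.40:49201 -> 185.43.223.163:80 - ETPRO CURRENT EVENTS Angler EK Flash Exploit (IE) Jun 16 M1 T2
2015-07-21 03:51:39 UTC - 185.43.223.163:80 -> 192.168.21.40:49201 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (12)
2015-07-21 03:51:46 UTC - 192.168.21.40:49262 -> 188.165.164.184:80 - ET POLICY Possible IP Check ip-addr.es
2015-07-21 03:52:17 UTC - 192.168.21.40:49263 -> 95.85.4.87:80 - ET TROJAN CryptoWall Check-in
"""
TS = "%Y-%m-%d %H:%M:%S UTC"
VICTIM = "192.168.21.40"  # alerts are normalized so 'server' is the other side
HTTP_RE = re.compile(r"^(.+? UTC) - (\S+) - (\S+) - (\S+) (\S+)$")
ALERT_RE = re.compile(r"^(.+? UTC) - (\S+):\d+ -> (\S+):\d+ - (.+)$")
# Chain order as this page lays it out; keywords are my choice of substrings.
STAGES = [("redirector", "Redirector"), ("ek_landing", "EK Landing"),
          ("ek_exploit", "EK Flash Exploit"), ("ek_payload", "XTEA encrypted binary"),
          ("ip_check", "IP Check"), ("c2_checkin", "CryptoWall Check-in")]

def parse_http(text):
    ms = filter(None, map(HTTP_RE.match, text.splitlines()))
    return [(datetime.strptime(m[1], TS), m[2], m[3], m[4], m[5]) for m in ms]

def parse_alerts(text):
    ms = filter(None, map(ALERT_RE.match, text.splitlines()))
    return [(datetime.strptime(m[1], TS), m[3] if m[2] == VICTIM else m[2], m[4]) for m in ms]

def infection_chain(http_text, alert_text):
    """First alert per stage, paired with the nearest request to the same server."""
    reqs, seen, chain = parse_http(http_text), set(), []
    for t, server, sig in parse_alerts(alert_text):
        stage = next((s for s, needle in STAGES if needle in sig), None)
        if stage is None or stage in seen:
            continue
        seen.add(stage)
        # Flow-based rules can fire after the request (03:52:17 check-in alert vs
        # the 03:51:46 POST), so match on server and nearest time, not equality.
        same = [q for q in reqs if q[1] == server]
        r = min(same, key=lambda q: abs((q[0] - t).total_seconds()), default=None)
        chain.append((stage, t.strftime("%H:%M:%S"), server,
                      r[2] if r else "?", f"{r[3]} {r[4]}" if r else "?"))
    return chain
```

Running `infection_chain(HTTP_LOG, ALERT_LOG)` yields six rows, one per stage, each naming the server, hostname and request the alert most plausibly belongs to.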

Preliminary Malware Analysis

Angler EK Payload - CryptoWall 3.0

If you have any feedback or questions, please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.