2015-02-10 - ANGLER EK FROM 151.80.94.250

ASSOCIATED FILES:


NOTES:


ASSOCIATED DOMAINS


CHAIN OF EVENTS - 2015-02-09

2015-02-09 - COMPROMISED WEBSITE AND ANGLER EK:


2015-02-09 - POST-INFECTION TRAFFIC:


CHAIN OF EVENTS - 2015-02-10

2015-02-10 - COMPROMISED WEBSITE AND ANGLER EK:


2015-02-10 - POST-INFECTION TRAFFIC:


2015-02-10 - POST-INFECTION CLICK FRAUD TRAFFIC BEGINS:


2015-02-10 - ANGLER EK HAPPENS AGAIN DURING THE POST-INFECTION TRAFFIC:


SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:


SCREENSHOT FROM THE TRAFFIC

Iframe in malicious JavaScript from the compromised website pointing to the Angler EK landing page:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
