2015-08-13 - ANGLER EK FROM 176.9.197.68 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

 

NOTES:


Shown above: Malicious script in page from compromised website.  The iframe points to an Angler EK landing page.

Shown above: Part of the CryptoWall 3.0 decrypt instructions from a browser window.

 

TRAFFIC

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE:

 

ANGLER EK:

 

POST-INFECTION CALLBACK BY CRYPTOWALL 3.0:

 

WHERE THE USER CLICKED ON LINKS, ENTERED THE CAPTCHA, AND VIEWED THE DECRYPT PAGES:

 

FINAL NOTES

Once again, here are the associated files:

NOTE:  All ZIP archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 
