2015-08-13 - ANGLER EK FROM 176.9.197.68 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:


NOTES:


Shown above: Malicious script in page from compromised website.  The iframe points to an Angler EK landing page.
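The injection described in the caption above (a script on the compromised site that loads an off-site, hidden iframe pointing at the exploit kit landing page) is the kind of thing a defender can triage in a captured page before the pcap. The following is an added example, not code or data from this write-up or from malware-traffic-analysis.net: it walks the iframes in a page and flags those that are off-site and hidden from the viewer by size or style. The sample HTML and the `ek-landing.example.invalid` hostname are constructed placeholders, not indicators from the traffic.

```python
"""Flag hidden, off-site iframes in a saved HTML page (added example).

The sample page and the landing-page hostname below are constructed
placeholders; no indicator here comes from the pcap on this page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that typically hide an injected iframe from the viewer.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|position\s*:\s*absolute.*?(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE | re.DOTALL,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True if a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for each iframe that looks like an injected redirector.

    page_host is the hostname of the page being inspected (the compromised
    site). An iframe is reported when at least two hints line up: it points
    off-site, it is sized to zero/one pixel, or it is hidden by inline style.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append("off-site src")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by style")
        if len(reasons) >= 2:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate same-site iframe, one injected one.
SAMPLE_HTML = """<html><body>
<p>Welcome to our site</p>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://ek-landing.example.invalid/landing"
        width="0" height="0"
        style="position:absolute; left:-9999px; visibility:hidden;"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

Requiring two hints keeps ordinary same-site widgets and tracking pixels from flooding the output; the flagged `src` values are what you would then pivot on in the pcap (HTTP GET to that host, followed by the Flash or other exploit download and the payload).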

Shown above: Part of the CryptoWall 3.0 decrypt instructions from a browser window.


TRAFFIC

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE:


ANGLER EK:


POST-INFECTION CALLBACK BY CRYPTOWALL 3.0:


WHERE THE USER CLICKED ON LINKS, ENTERED THE CAPTCHA, AND VIEWED THE DECRYPT PAGES:


FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
