2015-10-16 - ANGLER AND 052F GATE NUCLEAR EK FROM THE SAME COMPROMISED WEBSITE

ASSOCIATED FILES:

NOTES:

Shown above:  Flow chart for the infection chains.

INJECTED SCRIPT FROM THE COMPROMISED WEBSITE


Shown above:  Start of the injected script leading to Angler EK.


Shown above:  Start of the injected script leading to the 052F gate.

052F GATE EXAMPLES


Shown above:  If the 052F gate works...


Shown above:  If the 052F gate doesn't work...

CHAIN OF EVENTS - 052F GATE NUCLEAR EK SENDS CRYPTOWALL 3.0


Shown above:  Wireshark display for the pcap, filtered on HTTP requests.

ASSOCIATED DOMAINS:

MALWARE PAYLOAD - CRYPTOWALL 3.0:

CHAIN OF EVENTS - ANGLER EK SENDS BEDEP


Shown above:  Wireshark display for the pcap, filtered on HTTP requests.

ASSOCIATED DOMAINS:

FILES RETRIEVED FROM THE INFECTED HOST:

ONE OF THE REGISTRY KEYS UPDATED ON THE INFECTED HOST:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.