2015-10-27 - COMPROMISED WORDPRESS SITE --> ANGLER EK --> TESLACRYPT 2.1

ASSOCIATED FILES:


NOTES:


Shown above: Tweet from @tehsyntx about the TeslaCrypt I found last week.


IMAGES FROM THE TRAFFIC


Shown above: Traffic filtered in Wireshark before I cleaned up the pcap.



Shown above: Injected script in page from the compromised website.


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-10-27-Angler-EK-flash-exploit.swf
File size:  43.1 KB ( 44109 bytes )
MD5 hash:  131014f85dacfca54fe473cb71846800
SHA1 hash:  e9401b7c7ded29be8a77ec9c46c3f2dd0502ac6a
SHA256 hash:  6a5fd899caa4c58546077c7da71494521d96622cde8a1c761d25decafd750ccd
Detection ratio:  1 / 55
First submission:  2015-10-27 21:17:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6a5fd899caa4c58546077c7da71494521d96622cde8a1c761d25decafd750ccd/analysis/1445980627/


MALWARE PAYLOAD:

File name:  2015-10-27-Angler-EK-payload-TeslaCrypt-2.1.exe
File size:  384.0 KB ( 393216 bytes )
MD5 hash:  6a3858fe471266e6ab7a7ed4f350169c
SHA1 hash:  91f73ce6357829997deb2966d859dee5a65cb213
SHA256 hash:  49b9f2d02ebaeb5f3480e1e690811829541b3dc0ce7965f9b25382ef31225c54
Detection ratio:  6 / 54
First submission:  2015-10-27 21:17:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/49b9f2d02ebaeb5f3480e1e690811829541b3dc0ce7965f9b25382ef31225c54/analysis/
Malwr link:  https://malwr.com/analysis/MzY0MTZmZDc2MzJiNGJiMjgyODdhYjZkODUzYTMxNWY/


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
