2015-12-04 - ANGLER EK FROM 188.120.247.14 SENDS TESLACRYPT

ASSOCIATED FILES:



Shown above:  Injected script in page from compromised website.


Shown above:  Gate redirecting traffic from the compromised website to Angler EK landing page.


Shown above:  Pcap of the traffic filtered in Wireshark.
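The infection chain in the captions above (compromised site, gate, Angler EK landing page) is what an analyst reconstructs from the pcap by filtering on the EK IP in Wireshark. As an added example that is not part of this site's material, the script below does that triage in pure Python: it walks a classic pcap, decodes Ethernet/IPv4/TCP, pulls out HTTP request lines and Host headers, and filters on one address. The pcap it runs on is constructed in memory; the hostnames, paths and TEST-NET client/server addresses are placeholders, and the only value taken from the page is the Angler EK IP in the title.

```python
"""Reconstruct the HTTP request chain from a pcap, filtered to one IP.

Pure-Python pcap walker (no scapy/dpkt). The sample capture below is
constructed here; only ANGLER_IP comes from the page title.
"""
import struct
from typing import Iterator, List, NamedTuple, Optional

ANGLER_IP = "188.120.247.14"  # Angler EK address from the page title


class HttpRequest(NamedTuple):
    src: str
    dst: str
    host: str
    request_line: str


def iter_pcap_packets(data: bytes) -> Iterator[bytes]:
    """Yield raw frame bytes from a classic (non-pcapng) pcap buffer."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # global header size
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_http_request(frame: bytes) -> Optional[HttpRequest]:
    """Decode Ethernet/IPv4/TCP; return the HTTP request if the payload starts with one."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None  # not TCP
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return HttpRequest(src, dst, host, lines[0])


def http_requests(pcap: bytes, ip_filter: Optional[str] = None) -> List[HttpRequest]:
    """All HTTP requests in the capture, optionally only those to/from ip_filter."""
    out = []
    for frame in iter_pcap_packets(pcap):
        req = parse_http_request(frame)
        if req is None:
            continue
        if ip_filter and ip_filter not in (req.src, req.dst):
            continue
        out.append(req)
    return out


# --- constructed sample capture (checksums left at zero; not validated above) ---
def _frame(src: str, dst: str, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = _pcap([  # placeholder hosts/paths; TEST-NET addresses for client, site and gate
    _frame("10.0.0.5", "203.0.113.10", b"GET /index.html HTTP/1.1\r\nHost: compromised.example\r\n\r\n"),
    _frame("203.0.113.10", "10.0.0.5", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    _frame("10.0.0.5", "198.51.100.7", b"GET /gate.php HTTP/1.1\r\nHost: gate.example\r\n"
                                       b"Referer: http://compromised.example/index.html\r\n\r\n"),
    _frame("10.0.0.5", ANGLER_IP, b"GET /landing-placeholder HTTP/1.1\r\nHost: angler-landing.example\r\n\r\n"),
])

if __name__ == "__main__":
    for r in http_requests(SAMPLE_PCAP):
        print(f"{r.src} -> {r.dst}  {r.host}  {r.request_line}")
    print("to EK IP:", http_requests(SAMPLE_PCAP, ANGLER_IP))
```

Running it against a real capture means replacing SAMPLE_PCAP with the file contents (`open(path, "rb").read()`); the walker only understands classic pcap, so a pcapng export from Wireshark must be saved as pcap first.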


Shown above:  Alerts seen using tcpreplay on the pcap in Security Onion.


Shown above:  Windows desktop after the TeslaCrypt infection.


FINAL NOTES

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
