2015-12-08 - ANGLER EK FROM 185.46.8.218 SENDS CRYPTOWALL

ASSOCIATED FILES:



Shown above:  On 2015-12-08, Google said the site may be compromised.


Shown above:  Turns out it was!  See above for the start of the injected script in a page from the compromised website.


Shown above:  End of the injected script in a page from the compromised website.


Shown above:  Pcap of the traffic filtered in Wireshark.


Shown above:  Windows desktop minutes after the malware payload (CryptoWall) was delivered.


FINAL NOTES

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
