2015-12-28 - ANGLER EK FROM 207.182.133.69 SENDS TESLACRYPT

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


SCREENSHOTS


Shown above:  Today's pcap filtered in Wireshark.



Shown above:  Injected script in page from the compromised website.



Shown above:  The HTTP GET request for the gate.  It returned an iframe pointing to the Angler EK landing page.
NOTE:  Following the TCP stream in Wireshark won't show the returned text in readable form, because the response body is gzip-compressed.



Shown above:  Quickly find the decompressed text in Wireshark by selecting the frame with "200 OK" and expanding the "Line-based text data" section.
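The same decompression Wireshark does behind the "Line-based text data" section can be scripted.  The block below is an added example, not code from the original post: it builds a constructed HTTP "200 OK" response with a gzip-compressed body (the iframe URL is a placeholder, not the real gate or landing page), shows why the raw stream looks like binary (gzip magic bytes), decodes chunked transfer encoding if present, decompresses the body, and pulls out any iframe src values.

```python
import gzip
import re

# Constructed sample: an HTML body of the kind a gate returns, with a placeholder iframe URL.
SAMPLE_HTML = (b'<html><body><iframe src="http://landing-page.example/placeholder" '
               b'width="1" height="1"></iframe></body></html>')


def build_gzip_response(html: bytes, chunked: bool = False) -> bytes:
    """Build a raw HTTP/1.1 200 OK response with a gzip-compressed body (constructed test input)."""
    body = gzip.compress(html)
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html", b"Content-Encoding: gzip"]
    if chunked:
        headers.append(b"Transfer-Encoding: chunked")
        # one data chunk followed by the terminating zero-length chunk
        body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def raw_body_is_gzipped(raw: bytes) -> bool:
    """True if the body on the wire starts with the gzip magic bytes (what 'Follow TCP Stream' shows)."""
    _, _, body = raw.partition(b"\r\n\r\n")
    # a chunked body starts with a hex size line; look past it
    if re.match(rb"[0-9a-fA-F]+\r\n", body):
        body = body.split(b"\r\n", 1)[1]
    return body.startswith(b"\x1f\x8b")


def _dechunk(data: bytes) -> bytes:
    """Reassemble a chunked transfer-encoded body into one byte string."""
    out = b""
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk
    return out


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status_line, headers, decoded_body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return status, headers, body.decode("utf-8", errors="replace")


def find_iframe_srcs(html: str):
    """Return the src attribute of every iframe in the decoded body."""
    return re.findall(r'<iframe[^>]*\bsrc=["\']([^"\']+)["\']', html, flags=re.IGNORECASE)


if __name__ == "__main__":
    raw = build_gzip_response(SAMPLE_HTML)
    print("raw body gzipped:", raw_body_is_gzipped(raw))
    status, headers, text = parse_http_response(raw)
    print(status, headers.get("content-encoding"))
    print("iframes:", find_iframe_srcs(text))
```

In a real investigation the raw bytes would come from the reassembled TCP stream (for example Wireshark's "Follow TCP Stream" saved as raw), and the decoded body is what the "Line-based text data" section displays.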



Shown above:  The user's Windows desktop after the TeslaCrypt infection.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
