2016-01-27 - ANGLER EK FROM 185.49.68.132 SENDS CRYPTOWALL

PCAP AND MALWARE:

 

CHAIN OF EVENTS


Shown above:  A pcap of the traffic filtered in Wireshark showing the HTTP requests.

 


Shown above:  Injected script in a page from the compromised website.

 

ASSOCIATED DOMAINS:

 

PRELIMINARY MALWARE ANALYSIS

ANGLER EK FLASH EXPLOIT:

File name:  2016-01-27-Angler-EK-flash-exploit.swf
File size:  129.2 KB ( 132,319 bytes )
MD5 hash:  a874b781d3d0af0e5a652822944be983
SHA1 hash:  cec90fac505e780ab0836837e369fb63b53759e2
SHA256 hash:  33bba1b73c606e9d58bd70aa9612d66f106865a5477482b3a86faf60146dee67
Detection ratio:  1 / 53
First submission:  2016-01-27 01:54:51 UTC
VirusTotal link:  click here

 

MALWARE PAYLOAD (CRYPTOWALL):

File name:  2016-01-27-Angler-EK-payload-CryptoWall.exe
File size:  408.5 KB ( 418,304 bytes )
MD5 hash:  dcce63ae6b7671f00e05a8090acfecb7
SHA1 hash:  102a735b291b53fd5cc0e7789b80eaceff31f194
SHA256 hash:  23e551a94dbf9583b352d5005b654ddf7255064d77bba38dbeb72c015a60ebdb
Detection ratio:  2 / 47
First submission:  2016-01-27 01:33:02 UTC
VirusTotal link:  click here
Malwr link:  click here
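Added example, not part of the original post: a small Python script that hashes files on disk and compares them with the two sets of sample hashes listed above. The IOC values are copied from this page; the target directory, the incremental read size and the sample bytes used in the demo are assumptions made for illustration.

```python
"""Check files on disk against the sample hashes listed on this page.

Added example (not from the original post). The IOC table copies the
MD5/SHA1/SHA256 values from the page; file paths and demo bytes are constructed.
"""
import hashlib
from pathlib import Path

# Hashes copied from the PRELIMINARY MALWARE ANALYSIS section of the page.
IOCS = {
    "2016-01-27-Angler-EK-flash-exploit.swf": {
        "md5": "a874b781d3d0af0e5a652822944be983",
        "sha1": "cec90fac505e780ab0836837e369fb63b53759e2",
        "sha256": "33bba1b73c606e9d58bd70aa9612d66f106865a5477482b3a86faf60146dee67",
    },
    "2016-01-27-Angler-EK-payload-CryptoWall.exe": {
        "md5": "dcce63ae6b7671f00e05a8090acfecb7",
        "sha1": "102a735b291b53fd5cc0e7789b80eaceff31f194",
        "sha256": "23e551a94dbf9583b352d5005b654ddf7255064d77bba38dbeb72c015a60ebdb",
    },
}


def hashes_of(data: bytes) -> dict:
    """Return lowercase hex MD5, SHA1 and SHA256 of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_of_file(path, chunk_size=1 << 20) -> dict:
    """Hash a file incrementally so large samples need not fit in memory.

    chunk_size (1 MiB) is an arbitrary choice for this example.
    """
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_iocs(hashes: dict, iocs: dict = IOCS) -> list:
    """Return (sample_name, algorithm) pairs whose listed hash equals ours.

    Each algorithm is compared on its own, so an IOC table that only carries,
    say, a SHA256 for some sample still produces a match.
    """
    hits = []
    for sample, expected in iocs.items():
        for algo, value in expected.items():
            if hashes.get(algo, "").lower() == value.lower():
                hits.append((sample, algo))
    return hits


def scan_directory(directory, iocs: dict = IOCS) -> dict:
    """Map every regular file under `directory` to its IOC matches (may be empty)."""
    results = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            results[str(path)] = match_iocs(hashes_of_file(path), iocs)
    return results


if __name__ == "__main__":
    import sys

    # Directory to scan is an assumption; default to the current directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_directory(target).items():
        status = ", ".join(f"{s} ({a})" for s, a in hits) if hits else "no match"
        print(f"{path}: {status}")
```

A match on any of the three algorithms identifies the file as one of the two samples above. A miss only means the file is not one of these exact samples; the detection ratios listed for them (1/53 and 2/47) are a reminder that hash checks are a starting point for triage, not a verdict.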

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.