2016-02-15 - THREE INFECTIONS WITH ANGLER EK SENDING TESLACRYPT

PCAP AND MALWARE:

 

NOTES:

 

CHAIN OF EVENTS

START TIME OF FIRST PCAP (EITEST ANGLER EK):  2016-02-15 18:10 UTC

START TIME OF SECOND PCAP (ADMEDIA ANGLER EK):  2016-02-15 19:12 UTC

START TIME OF THIRD PCAP (OTHER ANGLER EK):  2016-02-15 20:06 UTC

 


Shown above:  Traffic from the first pcap (EITest Angler EK) filtered in Wireshark.


Shown above:  Traffic from the second pcap (Admedia Angler EK) filtered in Wireshark.


Shown above:  Traffic from the third pcap (other Angler EK) filtered in Wireshark.

 

FLASH EXPLOITS AND MALWARE PAYLOADS

FLASH EXPLOITS:

File name:  2016-02-15-EITest-Angler-EK-flash-exploit.swf
File size:  64.0 KB (65,553 bytes)
https://www.virustotal.com/en/file/a6a00386284302cd21ab4d647448eee5ff3e58b4c8b46a1949ae449651766b1b/analysis/

File name:  2016-02-15-Admedia-Angler-EK-flash-exploit.swf
File size:  64.4 KB (65,895 bytes)
https://www.virustotal.com/en/file/8ebc70fc2053cdcde648e2e4a6b95d5fe3f0e91afe6353aad2b80f57fca012e1/analysis/

File name:  2016-02-15-Angler-EK-flash-exploit.swf
File size:  80.8 KB (82,750 bytes)
https://www.virustotal.com/en/file/ae2ae9032984beb3093a92155b9df2a077f7213c4b67ae09924d96cae91591ab/analysis/

 

MALWARE PAYLOADS (ALL TESLACRYPT):

File name:  2016-02-15-EITest-Angler-EK-payload-TeslaCrypt.exe
File size:  416.5 KB (426,496 bytes)
https://www.virustotal.com/en/file/8a518224c47b99e7bba9eaca11fad5ef848cad7dbe6fe56b02864c5036c25552/analysis/

File name:  2016-02-15-Admedia-Angler-EK-payload-TeslaCrypt.exe
File size:  418.0 KB (428,032 bytes)
https://www.virustotal.com/en/file/a5fec2ff19af3099052f37a9b57b28edffcb6ab71778a6e3228cb020cde07972/analysis/

File name:  2016-02-15-Angler-EK-payload-TeslaCrypt.exe
File size:  620.0 KB (634,880 bytes)
https://www.virustotal.com/en/file/1e58891d2a807706037c6491065b3fb28b1701567b9b8a9b08fb4e04dd04a02f/analysis/

 

IMAGES


Shown above:  From EITest Angler EK infection - injected script in page from compromised website.

 


Shown above:  From Admedia Angler EK infection - injected script in page from the compromised website.

 


Shown above:  From Admedia Angler EK infection - each .js file from the compromised site has similar injected script appended to it.

 


Shown above:  From Admedia Angler EK infection - the long hexadecimal string in each of the variables translates to an Admedia gate URL.
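To make the hex-string pattern in that caption concrete, here is an added Python example (not code from the pcap or from this site) that pulls hex-encoded string literals out of an injected script and reports which of them decode to URLs. The script it runs against is constructed for illustration; the `gate.example.invalid` hostname is a placeholder, not a real Admedia gate, and the variable names are made up.

```python
"""Decode hex-encoded string literals in an injected script and flag the ones
that turn into URLs. Added example; the sample script below is constructed."""
import re
import string
from urllib.parse import urlparse

# Constructed stand-in for the injected script described above: variables
# holding long hex strings. The gate hostname is a placeholder.
SAMPLE_SCRIPT = r'''
var a1 = "687474703a2f2f676174652e6578616d706c652e696e76616c69642f706174683f69643d31";
var a2 = "687474703a2f2f676174652e6578616d706c652e696e76616c69642f706174683f69643d32";
var n  = "6966726d";        /* decodes to printable text, but not a URL */
var c  = "abc";             /* odd length: not a valid hex string */
var k  = "deadbeefcafe";    /* valid hex, but does not decode to ASCII */
var tag = "ifrm";           /* plain string, not hex at all */
'''

# var <name> = "<only hex digits>"  (single or double quotes)
HEX_ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*["\']([0-9a-fA-F]+)["\']')
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def decode_hex_literal(hexstr):
    """Return the ASCII text behind a hex literal, or None when the literal is
    malformed (odd length) or does not decode to printable ASCII."""
    if len(hexstr) % 2:
        return None
    try:
        text = bytes.fromhex(hexstr).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not all(ch in PRINTABLE for ch in text):
        return None
    return text


def looks_like_url(text):
    """True for http(s) URLs with a host part."""
    parts = urlparse(text)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def extract_hex_strings(script):
    """Map variable name -> decoded text for every decodable hex assignment."""
    decoded = {}
    for name, hexstr in HEX_ASSIGN.findall(script):
        text = decode_hex_literal(hexstr)
        if text is not None:
            decoded[name] = text
    return decoded


def extract_gate_urls(script):
    """Only the decoded values that parse as URLs, keyed by variable name."""
    return {name: text for name, text in extract_hex_strings(script).items()
            if looks_like_url(text)}


if __name__ == "__main__":
    for name, url in extract_gate_urls(SAMPLE_SCRIPT).items():
        print(f"{name}: {url}")
```

Run as-is it prints the two placeholder gate URLs and silently drops the three non-URL literals; point `extract_gate_urls` at the appended script from a compromised site's .js files to get the same listing for real traffic. Decoded values should be treated as indicators to check against the pcap, not visited.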

 


Shown above:  From other Angler EK infection - injected script in page from the compromised website.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
