2016-02-26 - ANGLER EK FROM 66.225.241.46 SENDS TESLACRYPT

PCAP AND MALWARE:

 

CHAIN OF EVENTS


Shown above:  Today's pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

IMAGES


Shown above:  Injected script in page from the compromised site, part 1 of 3.

 


Shown above:  Injected script in page from the compromised site, part 2 of 3.

 


Shown above:  Injected script in page from the compromised site, part 3 of 3.

 


Shown above:  The Windows desktop after Angler EK sent TeslaCrypt.

 


Shown above:  The TeslaCrypt ransomware staying persistent on the infected Windows host.

 


Shown above:  Signature hits from the Talos (Sourcefire VRT) registered ruleset using Snort 2.9.8.0 on Debian 7.

 


Shown above:  Signature hits from Suricata using the Emerging Threats Pro ruleset on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.