2016-03-03 - ANGLER EK DATA DUMP

PCAP AND MALWARE:

  • 2016-03-03-admedia-Angler-EK-after-augenlaserinfo.com.pcap - 671.8 kB (671,845 bytes)
  • 2016-03-03-admedia-Angler-EK-after-capital-consultancy.com.pcap - 2.1 MB (2,136,410 bytes)
  • 2016-03-03-admedia-Angler-EK-after-cosmoflor.com.pcap - 905.3 kB (905,319 bytes)
  • 2016-03-03-EITest-Angler-EK-after-chiplawcoaching.com.pcap - 673.5 kB (673,535 bytes)
  • 2016-03-03-EITest-Angler-EK-after-ospedalesantamaria.it.pcap - 734.9 kB (734,861 bytes)
  • 2016-03-03-pseudo-Darkleech-and-admedia-Angler-EK-after-myagesconsulting.com.pcap - 1.4 MB (1,415,730 bytes)
  • 2016-03-03-pseudo-Darkleech-Angler-EK-after-rsimcbintaro.com.pcap - 697.7 kB (697,659 bytes)
NOTES:
DOMAINS

GATES (REDIRECTS):

ANGLER EK:

TESLACRYPT POST-INFECTION TRAFFIC:
EXPLOITS/MALWARE

TESLACRYPT SENT BY ANGLER EK (READ: MD5, FILE NAME):

FLASH EXPLOITS SENT BY ANGLER EK (READ: MD5, FILE NAME):
IMAGES
Shown above:  Traffic from the pcaps filtered in Wireshark.
Shown above:  Injected script in page from compromised site pointing to an "admedia" gate.
Shown above:  Start of injected pseudo-Darkleech script in page from compromised site pointing to Angler EK.
Shown above:  Start of injected script in .js file from compromised site pointing to an "admedia" gate.
Shown above:  Injected script in page from compromised site pointing to an "admedia" gate.
Shown above:  End of injected script in .js file from compromised site pointing to an "admedia" gate.
Shown above:  Injected script in page from compromised site pointing to an "admedia" gate.
Shown above:  Injected script in page from compromised site pointing to an "EITest" gate.
Shown above:  Start of injected pseudo-Darkleech script in page from compromised site pointing to Angler EK.
Shown above:  Injected script in page from compromised site pointing to an "EITest" gate.
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.