2016-03-04 - ANGLER EK DATA DUMP

PCAP AND MALWARE:

  • 2016-03-04-EITest-Angler-EK-after-morningsidetennis.com.au.pcap - 522.1 kB (522,138 bytes)
  • 2016-03-04-pseudo-Darkleech-Angler-EK-after-osakahockey.com-1-of-2.pcap - 1.1 MB (1,100,811 bytes)
  • 2016-03-04-pseudo-Darkleech-Angler-EK-after-osakahockey.com-2-of-2.pcap - 709.9 kB (709,892 bytes)
  • 2016-03-04-pseudo-Darkleech-Angler-EK-after-printermedicbedford.co.uk.pcap - 705.1 kB (705,053 bytes)

NOTES:

DOMAINS

GATES (REDIRECTS):

ANGLER EK:

TESLACRYPT POST-INFECTION TRAFFIC:

EXPLOITS/MALWARE

FLASH EXPLOITS SENT BY ANGLER EK (READ: MD5, FILE NAME):

TESLACRYPT SENT BY ANGLER EK (READ: MD5, FILE NAME):

OTHER MALWARE SENT BY ANGLER EK (READ: MD5, FILE NAME):

  • Registry Key:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • Value name:  926712072
  • Value Type:  REG_SZ
  • Value Data:  C:\PROGRA~2\mscnxsbh.exe (C:\ProgramData\mscnxsbh.exe)
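The registry entry above is the persistence mechanism for the dropped executable: anything listed under Policies\Explorer\Run is launched by Explorer at logon, and on most hosts that key does not exist at all unless Group Policy created it. The script below is an added example (not from the original page or the malware author's code) for checking a Windows host for this kind of entry. It enumerates the HKLM and HKCU copies of the key, flags the traits seen in this sample (an all-numeric value name, an 8.3 short path such as C:\PROGRA~2\, an executable dropped straight into ProgramData), and hashes the referenced file so it can be compared against your own indicator list. The heuristics and their names are this example's own assumptions.

```powershell
# Added example, not code from the original page: audit Policies\Explorer\Run
# for entries resembling the TeslaCrypt persistence described above.
# On a clean host these keys are usually absent; any entry is worth a look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Test-SuspiciousRunEntry {
    # Heuristics are this example's assumptions, derived from the sample above.
    param([string]$Name, [string]$Data)
    $reasons = @()
    # All-numeric value names (e.g. 926712072 in this sample) are unusual for installers
    if ($Name -match '^\d+$') { $reasons += 'numeric value name' }
    # 8.3 short-path form (PROGRA~2) is rarely written by legitimate software
    if ($Data -match '~\d') { $reasons += '8.3 short path' }
    # An .exe sitting directly in ProgramData (long or short form) rather than a subfolder
    if ($Data -match '^C:\\(ProgramData|PROGRA~\d)\\[^\\]+\.exe') { $reasons += 'exe directly under ProgramData' }
    return $reasons
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data    = [string]$item.GetValue($name)
        $reasons = Test-SuspiciousRunEntry -Name $name -Data $data
        # Hash the referenced file (if still on disk) for comparison with known-bad MD5s
        $md5 = if (Test-Path $data) { (Get-FileHash -Path $data -Algorithm MD5).Hash } else { 'file not found' }
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Data    = $data
            MD5     = $md5
            Status  = if ($reasons.Count -gt 0) { 'SUSPICIOUS' } else { 'review' }
            Reasons = ($reasons -join '; ')
        }
    }
}
```

Run it in an elevated PowerShell session so the HKLM key is readable; the HKCU check only covers the current user, so for a full sweep load other users' hives or run it under each profile. Entries marked "review" are not necessarily benign, they simply lack the specific traits of this sample.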

IMAGES

Shown above:  Traffic from the pcaps filtered in Wireshark.

Shown above:  Injected script in page from compromised site pointing to an "admedia" gate.

Shown above:  Start of injected pseudo-Darkleech script in page from the same compromised site as the previous image.

Shown above:  Start of injected pseudo-Darkleech script in page from another compromised site (leads to Angler EK).

Shown above:  Injected script in page from a compromised site pointing to an "EITest" gate.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.