2016-03-28 - PSEUDO-DARKLEECH ANGLER EK FROM 185.46.10.230

PCAP AND MALWARE:

 

NOTES:

 

TRAFFIC

 

IMAGES


Shown above:  Start of pseudo-Darkleech injected script in page from compromised site.

 


Shown above: Angler EK sends its Flash exploit to the victim host, which is running Flash Player version 20.0.0.306.

 


Shown above: Emerging Threats signatures triggered for TeslaCrypt on the post-infection traffic.

 


Shown above: Talos signatures also triggered for TeslaCrypt on the post-infection traffic.

 


Shown above:  The style of the decrypt instructions now looks like what I've seen for Locky ransomware (but it's still TeslaCrypt).

 


Shown above: Going to the decrypt instructions and getting a captcha.

 


Shown above: Final page for making the ransom payment in bitcoin.

 

FINAL NOTES

Once again, here are the associated files:

The ZIP files are password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
