2016-04-11 - PSEUDO-DARKLEECH ANGLER EK FROM 148.251.249.110 SENDS TESLACRYPT

PCAP AND MALWARE:

  • 2016-04-11-pseudo-Darkleech-Angler-EK-after-condocosmetics.com.pcap - 526.1 kB (526,055 bytes)
  • 2016-04-11-TeslaCrypt-decrypt-instructions.htm   (11,637 bytes)
  • 2016-04-11-TeslaCrypt-decrypt-instructions.png   (79,829 bytes)
  • 2016-04-11-TeslaCrypt-decrypt-instructions.txt   (2,400 bytes)
  • 2016-04-11-page-from-condocosmetics.com-with-injected-pseudo-Darkleech-script.txt   (38,144 bytes)
  • 2016-04-11-pseudo-Darkleech-Angler-EK-flash-exploit-after-condocosmetics.com.swf   (78,446 bytes)
  • 2016-04-11-pseudo-Darkleech-Angler-EK-landing-page-after-condocosmetics.com.txt   (149,483 bytes)
  • 2016-04-11-pseudo-Darkleech-Angler-EK-payload-TeslaCrypt-after-condocosmetics.com.exe   (282,624 bytes)

NOTES:
ASSOCIATED DOMAINS:

IMAGES

Shown above:  Pcap of the infection traffic filtered in Wireshark.

Shown above:  Start of injected pseudo-Darkleech script in page from the compromised website.

Shown above:  Start of the decrypt instructions for the TeslaCrypt dropped by Angler EK.

FINAL NOTES

Once again, the associated files are the ones listed above under PCAP AND MALWARE.

The ZIP files are password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.