2016-04-13 - PSEUDO-DARKLEECH ANGLER EK SENDS TESLACRYPT

ASSOCIATED FILES:

  • 2016-04-13-malwr.com-analysis-of-TeslaCrypt-sample.pcap   (13,739 bytes)
  • 2016-04-13-pseudo-Darkleech-Angler-EK-after-medical-library.net-first-run.pcap   (565,073 bytes)
  • 2016-04-13-pseudo-Darkleech-Angler-EK-after-medical-library.net-second-run.pcap   (521,905 bytes)
  • 2016-04-13-page-from-medical-library.net-with-injected-script-first-run.txt   (103,261 bytes)
  • 2016-04-13-page-from-medical-library.net-with-injected-script-second-run.txt   (49,371 bytes)
  • 2016-04-13-pseudo-Darkleech-Angler-EK-flash-exploit-after-medical-library.net-first-run.swf   (66,575 bytes)
  • 2016-04-13-pseudo-Darkleech-Angler-EK-flash-exploit-after-medical-library.net-second-run.swf   (103,261 bytes)
  • 2016-04-13-pseudo-Darkleech-Angler-EK-landing-page-after-medical-library.net-first-run.txt   (149,515 bytes)
  • 2016-04-13-pseudo-Darkleech-Angler-EK-landing-page-after-medical-library.net-second-run.txt   (149,463 bytes)
  • 2016-04-13-pseudo-Darkleech-Angler-EK-payload-TeslaCrypt-after-medical-library.net.exe   (229,376 bytes)
  • 2016-04-13-pseudo-Darkleech-script-returned-from-dpvuppocw.hopto.org.txt   (7,261 bytes)
  • 2016-04-13-pseudo-Darkleech-script-returned-from-rbedfqo.hopto.org.txt   (7,531 bytes)

NOTES:

Shown above:  Pcap of the infection traffic filtered in Wireshark - first run.

Shown above:  Pcap of the infection traffic filtered in Wireshark - second run.

Shown above:  Pcap from malwr.com's analysis of the payload, showing TeslaCrypt post-infection traffic.
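The chain visible in the two infection pcaps (compromised page on medical-library.net, injected script pointing at a hopto.org gate, Angler EK landing page, Flash exploit, TeslaCrypt payload) can be recovered from HTTP request metadata alone by following Referer headers back from the payload download, which is what the Wireshark filter view above is doing by eye. The script below is an added example and not part of this post or its pcaps. It runs over constructed request records: the hosts medical-library.net and dpvuppocw.hopto.org and the html/script/landing/swf/exe sizes come from the file list above, while the Angler landing host angler-landing.example, every URI, the timestamps, the content types and the css/png records are assumptions made for the example.

```python
"""Rebuild a drive-by infection chain from HTTP request metadata (added example,
not code from the post; see the lead-in for which values are assumptions)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HttpReq:
    ts: float       # seconds since start of capture
    host: str       # Host header
    uri: str        # request URI
    referer: str    # Referer header, "" if absent
    ctype: str      # response Content-Type
    size: int       # response body length in bytes

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.uri}"


GATE_SUFFIXES = (".hopto.org",)  # No-IP dynamic DNS, as used by the gate here
EXPLOIT_CTYPES = ("application/x-shockwave-flash",)
PAYLOAD_CTYPES = ("application/octet-stream", "application/x-msdownload")


def stage_of(req: HttpReq) -> str:
    """Coarse role of one request, judged from host and response type only."""
    if req.host.endswith(GATE_SUFFIXES):
        return "gate"
    if req.ctype.startswith(EXPLOIT_CTYPES):
        return "exploit"
    if req.ctype.startswith(PAYLOAD_CTYPES):
        return "payload"
    if req.ctype.startswith("text/html"):
        return "page"
    return "other"


def parent_of(req: HttpReq, reqs: List[HttpReq]) -> Optional[HttpReq]:
    """Most recent earlier request whose URL equals req's Referer."""
    if not req.referer:
        return None
    cands = [r for r in reqs if r is not req and r.ts <= req.ts and r.url == req.referer]
    return max(cands, key=lambda r: r.ts) if cands else None


def path_to_root(req: HttpReq, reqs: List[HttpReq]) -> List[HttpReq]:
    """Follow Referer links back to the first request that has none."""
    path, seen = [req], {id(req)}
    parent = parent_of(req, reqs)
    while parent is not None and id(parent) not in seen:
        path.append(parent)
        seen.add(id(parent))
        parent = parent_of(parent, reqs)
    return path[::-1]


def reconstruct_chain(reqs: List[HttpReq]) -> List[Tuple[str, str]]:
    """Return [(stage, host), ...] from the compromised site to the payload."""
    payloads = sorted((r for r in reqs if stage_of(r) == "payload"), key=lambda r: r.ts)
    if not payloads:
        return []
    payload = payloads[0]
    path = path_to_root(payload, reqs)
    root = path[0]
    landing = path[-2] if len(path) >= 2 else None
    by_time = sorted(reqs, key=lambda r: r.ts)
    chain = [("compromised-site", root.host)]
    # The gate script is loaded by the compromised page and is not on the
    # Referer path to the payload, so look for it among the root's children.
    chain += [("gate", r.host) for r in by_time
              if stage_of(r) == "gate" and r.referer == root.url]
    chain += [("landing", r.host) for r in path[1:-1]]
    # The Flash exploit is a sibling of the payload request under the landing page.
    if landing is not None:
        chain += [("exploit", r.host) for r in by_time
                  if stage_of(r) == "exploit" and r.referer == landing.url]
    chain.append(("payload", payload.host))
    return chain


# Constructed sample modelled on the first-run pcap; angler-landing.example,
# the URIs, timestamps, content types and the css/png records are assumptions.
SAMPLE = [
    HttpReq(0.00, "medical-library.net", "/", "", "text/html; charset=UTF-8", 103261),
    HttpReq(0.35, "medical-library.net", "/css/style.css", "http://medical-library.net/", "text/css", 8120),
    HttpReq(1.10, "dpvuppocw.hopto.org", "/", "http://medical-library.net/", "text/javascript", 7261),
    HttpReq(2.40, "angler-landing.example", "/topic/8731/", "http://medical-library.net/", "text/html", 149515),
    HttpReq(3.05, "angler-landing.example", "/lib/a1.swf", "http://angler-landing.example/topic/8731/",
            "application/x-shockwave-flash", 66575),
    HttpReq(5.80, "angler-landing.example", "/payload", "http://angler-landing.example/topic/8731/",
            "application/octet-stream", 229376),
    HttpReq(19.0, "cdn.example", "/logo.png", "http://medical-library.net/", "image/png", 3412),
]

if __name__ == "__main__":
    for stage, host in reconstruct_chain(SAMPLE):
        print(f"{stage:17} {host}")
```

On real traffic the records come from `tshark -T fields -e frame.time_relative -e http.host -e http.request.uri -e http.referer` joined with the matching responses; the Referer walk is only as good as the client's Referer policy, so a landing page reached without a referer shows up as its own root and has to be tied to the gate by timing instead.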
ASSOCIATED DOMAINS:

IMAGES

Shown above:  Injected script in page from the compromised website (second run).

Shown above:  Start of injected pseudo-Darkleech script returned from the hopto.org gate (second run).

FINAL NOTES

Once again, here are the associated files:

The ZIP files are password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
