2016-04-19 - TELSACRYPT MALSPAM - SUBJ: YOUR LATEST DOCUMENTS FROM ANGEL SPRINGS LTD

ASSOCIATED FILES:

 

NOTES:

 

EMAILS


Shown above:  Ten examples from this wave of malspam.

 


Shown above:  More information on the attachments from those 10 emails.

 

SCREENSHOT FROM ONE OF THE EMAILS:

 

TEXT OF THE MESSAGE:

Dear Customer,

Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.

Here's a few ways we've made it easier for you:

    Your new documents are now attached to your email. You don't have to follow a link now to get to your documents.

    Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.

    You can simply and easily raise any queries you may have through the customer portal.

Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.

If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on 0845 230 9555 and we will be more than happy to assist you. Please do not reply to this email.

To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document

With Kind Regards,

Angel Springs Ltd

 

TRAFFIC


Shown above:  Pcap of the traffic from executing the extracted .js files, filtered in Wireshark.

 

.JS FILE DOWNLOADING THE TESLACRYPT .EXE BINARY:

 

TESLACRYPT POST-INFECTION TRAFFIC:

 

IMAGES


Shown above:  Desktop of the Windows host after it was infected with the TeslaCrypt ransomware.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website, or email me and ask.

Click here to return to the main page.