2016-04-27 - EITEST GATE GENERATES NEUTRINO EK AND ANGLER EK

ASSOCIATED FILES:

  • 2016-04-27-EITest-Neutrino-EK-sends-TeslaCrypt.pcap   (578,450 bytes)
  • 2016-04-27-EITest-Angler-EK-sends-something-else.pcap   (928,748 bytes)
  • 2016-04-27-EITest-Angler-EK-extracted-DLL-from-silverlight-exploit-GrmBL2Lnhwx.dll   (209,408 bytes)
  • 2016-04-27-EITest-Angler-EK-flash-exploit.swf   (54,444 bytes)
  • 2016-04-27-EITest-Angler-EK-landing-page.txt   (96,150 bytes)
  • 2016-04-27-EITest-Angler-EK-payload.exe   (65,024 bytes)
  • 2016-04-27-EITest-Angler-EK-silverlight-exploit.xap   (169,132 bytes)
  • 2016-04-27-EITest-Neutrino-EK-flash-exploit.swf   (72,607 bytes)
  • 2016-04-27-EITest-Neutrino-EK-landing-page.txt   (968 bytes)
  • 2016-04-27-EITest-Neutrino-EK-payload-TeslaCrypt.exe   (434,176 bytes)
  • 2016-04-27-EITest-flash-file-from-volide.tk.swf   (15,596 bytes)
  • 2016-04-27-EITest-flash-file-sent-by-istera.tk.swf   (15,596 bytes)
  • 2016-04-27-TeslaCrypt-decrypt-instructions.html   (1,401 bytes)
  • 2016-04-27-TeslaCrypt-decrypt-instructions.png   (20,848 bytes)
  • 2016-04-27-TeslaCrypt-decrypt-instructions.txt   (572 bytes)

NOTES:

TRAFFIC


Shown above:  Pcap of traffic from the first infection (Neutrino EK --> TeslaCrypt) filtered in Wireshark.


Shown above:  Pcap of traffic from the second infection (Angler EK --> something else) filtered in Wireshark.

ASSOCIATED DOMAINS - NEUTRINO EK SENDS TESLACRYPT:

ASSOCIATED DOMAINS - ANGLER EK SENDS SOMETHING ELSE:

IMAGES


Shown above:  An example of injected EITest script in a page from the compromised website.

Shown above:  Desktop of the first infected Windows host after Neutrino EK sent TeslaCrypt.  Who is TeslaCrypt impersonating this week?

Shown above:  Post-infection callback from the second Windows host after the Angler EK infection.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.