2016-05-16 - EITEST ANGLER EK FROM 185.117.75.131 SENDS RAMNIT

ASSOCIATED FILES:

  • 2016-05-16-EITest-Angler-EK-first-run.pcap   (604,185 bytes - no infection)
  • 2016-05-16-EITest-Angler-EK-second-run.pcap   (2,145,231 bytes - infection)
  • 2016-05-16-EITest-Angler-EK-flash-exploit-first-run.swf   (54,489 bytes)
  • 2016-05-16-EITest-Angler-EK-flash-exploit-second-run.swf   (31,028 bytes)
  • 2016-05-16-EITest-Angler-EK-landing-page-first-run.txt   (66,373 bytes)
  • 2016-05-16-EITest-Angler-EK-landing-page-second-run.txt   (77,963 bytes)
  • 2016-05-16-EITest-Angler-EK-payload-ramnit.exe   (334,080 bytes)
  • 2016-05-16-EITest-Angler-EK-silverlight-exploit.zip   (169,132 bytes)
  • 2016-05-16-EITest-flash-redirector-from-ip.iphistory.co.uk.swf   (15,540 bytes)
  • 2016-05-16-page-from-prg.usp.br-with-injected-EITest-script-first-run.txt   (59,861 bytes)
  • 2016-05-16-page-from-prg.usp.br-with-injected-EITest-script-second-run.txt   (60,128 bytes)

NOTES:

Shown above:  Tweet that allowed me to generate today's infection.

Shown above:  Chain of events for today's infection.

TRAFFIC


Shown above:  Second pcap filtered in Wireshark.
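The Wireshark view referred to above is the "http.request" display filter: every HTTP request in the second pcap, in time order, which is how the chain of events (compromised site, redirector, landing page, exploit, payload) is reconstructed. The script below is an added example and is not part of this post; it walks a classic libpcap file with only the Python standard library and produces that same listing. It runs on a constructed in-memory pcap with placeholder hosts and RFC 5737 addresses, not the real indicators from this traffic, and it handles only Ethernet captures in pcap (not pcapng) format.

```python
import struct
from datetime import datetime, timezone
from typing import List, Optional

PCAP_MAGIC_LE = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1
ETHERTYPE_IPV4 = b'\x08\x00'
HTTP_METHODS = (b'GET ', b'POST ', b'HEAD ')


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split('.'))


def _pcap_record(ts_sec: int, ts_usec: int, frame: bytes) -> bytes:
    """Wrap one frame in a little-endian pcap record header."""
    return struct.pack('<IIII', ts_sec, ts_usec, len(frame), len(frame)) + frame


def _tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame, no options; checksums are left zero (not verified here)."""
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + ETHERTYPE_IPV4
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample capture (placeholder hosts, RFC 5737 addresses): the shape of an
# EK chain, compromised site -> flash redirector -> landing page on a bare-IP host.
# An empty TCP segment and an ARP frame are included to exercise the skip paths.
SAMPLE_PCAP = struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1) + b''.join([
    _pcap_record(1463388000, 100000, _tcp_frame('10.0.0.5', '203.0.113.10', 49200, 80, b'')),
    _pcap_record(1463388000, 100500, _tcp_frame('10.0.0.5', '203.0.113.10', 49200, 80,
        b'GET /index.php HTTP/1.1\r\nHost: compromised.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n')),
    _pcap_record(1463388001, 250000, bytes.fromhex('ffffffffffff001122334455') + b'\x08\x06' + b'\x00' * 28),
    _pcap_record(1463388001, 900000, _tcp_frame('10.0.0.5', '203.0.113.20', 49201, 80,
        b'GET /redirect.swf HTTP/1.1\r\nHost: redirector.example\r\nAccept: */*\r\n\r\n')),
    _pcap_record(1463388002, 700000, _tcp_frame('10.0.0.5', '198.51.100.30', 49202, 80,
        b'GET /landing/a1b2c3 HTTP/1.1\r\nHost: 198.51.100.30\r\nReferer: http://redirector.example/\r\n\r\n')),
])


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Method, URI and Host from the start of a TCP payload; None if it is not an HTTP request."""
    if not payload.startswith(HTTP_METHODS):
        return None
    lines = payload.split(b'\r\n\r\n', 1)[0].split(b'\r\n')
    parts = lines[0].split(b' ')
    if len(parts) < 3 or not parts[2].startswith(b'HTTP/'):
        return None
    host = ''
    for line in lines[1:]:
        name, _, value = line.partition(b':')
        if name.strip().lower() == b'host':
            host = value.strip().decode('latin-1')
            break
    return {'method': parts[0].decode('ascii'), 'uri': parts[1].decode('latin-1'), 'host': host}


def extract_http_requests(pcap: bytes) -> List[dict]:
    """Walk a classic pcap (Ethernet link type) and return every HTTP request in capture order."""
    magic, = struct.unpack_from('<I', pcap, 0)
    if magic == PCAP_MAGIC_LE:
        end = '<'
    elif magic == PCAP_MAGIC_BE:
        end = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    linktype, = struct.unpack_from(end + 'I', pcap, 20)
    if linktype != 1:
        raise ValueError('only Ethernet (LINKTYPE_ETHERNET) captures are handled')
    requests, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + 'IIII', pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue                                   # not IPv4 (e.g. ARP)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from('!H', ip, 2)[0]
        if ip[9] != 6 or total_len < ihl + 20:
            continue                                   # not TCP, or truncated
        tcp = ip[:total_len][ihl:]
        sport, dport = struct.unpack_from('!HH', tcp, 0)
        req = parse_http_request(tcp[(tcp[12] >> 4) * 4:])
        if req is None:
            continue                                   # empty segment, response, or TLS
        req.update(ts_sec=ts_sec, ts_usec=ts_usec, sport=sport, dport=dport,
                   src='.'.join(map(str, ip[12:16])), dst='.'.join(map(str, ip[16:20])))
        requests.append(req)
    return requests


def chain_of_events(pcap: bytes) -> List[str]:
    """One line per request in time order: the same view as Wireshark's http.request filter."""
    out = []
    for r in sorted(extract_http_requests(pcap), key=lambda r: (r['ts_sec'], r['ts_usec'])):
        when = datetime.fromtimestamp(r['ts_sec'], tz=timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
        out.append(f"{when}.{r['ts_usec']:06d} {r['src']} -> {r['host']} {r['method']} {r['uri']}")
    return out


if __name__ == '__main__':
    for line in chain_of_events(SAMPLE_PCAP):
        print(line)
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of the pcap file; the Host column is what you match against the associated domains, and the bare-IP Host on the landing-page request is the same pattern as the 185.117.75.131 Angler EK host in this post's title.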

ASSOCIATED DOMAINS:

IMAGES


Shown above:  Alerts from Security Onion for the second pcap using Suricata and the EmergingThreats Pro signature set.

FINAL NOTES

The associated files are listed at the top of this page.

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
