Malware-Traffic-Analysis.net - 2015-08-27 - Angler EK from 74.63.210.179 sends TeslaCrypt 2.0

2015-08-27 - ANGLER EK FROM 74.63.210.179 SENDS TESLACRYPT 2.0

PCAP AND MALWARE:

ZIP of the PCAP: 2015-08-27-Angler-EK-sends-TeslaCrypt-2.0-traffic.pcap.zip
ZIP file of the malware: 2015-08-27-Angler-EK-sends-TeslaCrypt-2.0-artifacts.zip

NOTES:

Follow-up to a diary I posted at: https://isc.sans.edu/diary/Actor+that+tried+Neutrino+exploit+kit+now+back+to+Angler/20075/
I can't share the compromised website that kicked off this particular infection chain; however, the injected script on a page from the site is shown below:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

74.63.210.179 port 80 - precisiamowolfi.samatter.com - Angler EK
77.221.130.1 port 80 - flagman-gpm.com - TeslaCrypt 2.0 callback

ANGLER EK:

2015-08-27 15:49:18 UTC - precisiamowolfi.samatter.com - GET /civis/viewforum.php?f=7bpv&sid=.2psd9039m68981&

2015-08-27 15:49:21 UTC - precisiamowolfi.samatter.com - GET /hill.lbc?cell=&cover=f1nrZhb&marriage=xjL&together=iJMh-D&supply=&feed=iQ5byPNu&
page=&under=IBes1RicYCKvMwg5sdvKW97b

2015-08-27 15:49:21 UTC - precisiamowolfi.samatter.com - POST /civis/study.fcgi?should=itRdAMn&view=&own=bpae&policy=JDh3B&dollar=&because=ooD&
talk=qx7gr1WBcM&father=CkwmMu7C2&project=nSGdQWNWGw

2015-08-27 15:49:22 UTC - precisiamowolfi.samatter.com - GET /hill.lbc?cell=&cover=f1nrZhb&marriage=xjL&together=iJMh-D&supply=&feed=iQ5byPNu&
page=&under=IBes1RicYCKvMwg5sdvKW97b

2015-08-27 15:49:24 UTC - precisiamowolfi.samatter.com - GET /individual.asr?detail=qk1X8F&remain=7HZT0Wf&deal=&simple=cNeJ4y5FRm&follow=&
girl=GkkK59&marry=78o&matter=FOL5EI&function=GIQyk5BTvO

2015-08-27 15:49:28 UTC - precisiamowolfi.samatter.com - GET /within.htx?month=b1RvXO7_Ri&complete=5_Wl-I&window=diX1MlTLAY&fine=skTFhYlC&
influence=iQ66fdd4vG&process=b8pr

POST-INFECTION TRAFFIC:

2015-08-27 15:49:29 UTC - ipinfo.io - GET /ip

2015-08-27 15:49:29 UTC - flagman-gpm.com - GET /r.php?D0B1745184D4B19325F8CA239D78E80477C2B52A3C53B5B18A947BF1E71BBE4EDF1D9D76B1678
219645D1A720154AED397C30E196DE706B0288C47A9B0664127429FBC81BAADFE54B51522FE48D8237920970789E49956710F61B5CD14A02CEAAA3F8AB6F
F7315B11918A8C61497A400741F61ED4E2D3717BC087C5F4306367478163FE6F268C34A4C808664CD49B8987E539913B31F0C050E6CE28756DCB01123CC1
13DBC0E4A0BC604FEA087434E4DA10285EB803ADBB1BB8EC3E6DB40EF768FA43D7A566C3D04306E776EB00813F981572225348AFFBFD1218952E0A3DF76

2015-08-27 15:50:01 UTC - flagman-gpm.com - GET /r.php?D3ECA3EC23AA62A397F6CA71219BA2F07B913FC1D66753BA6555F6D0CD29F33FE42D5D1F90C8
02A49F300070B868682926A01B36324A906C02C3808FC79BDEB8E5A2D7DEA7847694A649C10BDE0FE181E7B8ED3314D1054DC7748024ED892111DC9E4CB
1B166DEF08C3ACCEBB90E4074DA3C4EDAD80BD7018AA74D85FD0CC02D74F6C6C563C2BBE9330FEC3AF137A272213A3BDC83AA8241DC9640E3CF49FDB
657435DB7087630C5DC3D0053C5E93195

FINAL NOTES

Once again, here are the associated files:

ZIP of the PCAP: 2015-08-27-Angler-EK-sends-TeslaCrypt-2.0-traffic.pcap.zip
ZIP file of the malware: 2015-08-27-Angler-EK-sends-TeslaCrypt-2.0-artifacts.zip

NOTE: All ZIP archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.