2015-10-23 - COMPROMISED DRUPAL SITE --> ANGLER EK --> TESLACRYPT 2.0

ASSOCIATED FILES:


NOTES:


IMAGES FROM THE TRAFFIC


Shown above: Injected script in page from the compromised website.



Shown above: Redirect leading to the Angler EK landing page.



Shown above: TeslaCrypt 2.0 decrypt instructions.


CHAIN OF EVENTS


Shown above: Traffic filtered in Wireshark before I cleaned up the pcap.


ASSOCIATED DOMAINS:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-10-23-Angler-EK-flash-exploit.swf
File size:  43 KB ( 44,022 bytes )
MD5 hash:  789660012ec825e1367c168dd5f7a9b4
SHA1 hash:  a3fd21c3f72a47df1dc767e8312005af50578744
SHA256 hash:  5f5a87ec2ccdaef97350eb2616bb3d91a63b595048095500dbccd5e71ae03178
Detection ratio:  unknown (had issues submitting this to VirusTotal)
First submission:  unknown (had issues submitting this to VirusTotal)


MALWARE PAYLOAD:

File name:  2015-10-23-Angler-EK-payload-TeslaCrypt-2.0.exe
File name:  C:\Users\[username]\AppData\Roaming\bmmme-a.exe
File name:  C:\Users\[username]\AppData\Roaming\dabdl-a.exe
File size:  604.0 KB ( 618,496 bytes )
MD5 hash:  f87893b441483020ba75c870ffb7b6af
SHA1 hash:  2f622c1b053cc3244af7e75844a1d6ec0b0479c4
SHA256 hash:  78523cb8c204428fe0029ac8b2c31f0a3de55dcd1a7675ae11b43fe89c8334e0
Detection ratio:  1 / 55
First submission:  2015-10-23 20:29:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/78523cb8c204428fe0029ac8b2c31f0a3de55dcd1a7675ae11b43fe89c8334e0/analysis/
Malwr link:  https://malwr.com/analysis/NTYzOWRmYmVmZGQwNDcxMzg5Y2IxMDdjYzIwNjRlMzc/


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.