2015-12-04 - ANGLER EK FROM 188.120.247[.]14 SENDS TESLACRYPT RANSOMWARE

NOTICE:

ASSOCIATED FILES:

 


Shown above:  Injected script in page from compromised website.


Shown above:  Gate redirecting traffic from the compromised website to Angler EK landing page.


Shown above:  Pcap of the traffic filtered in Wireshark.


Shown above:  Alerts seen using tcpreplay on the pcap in Security Onion.


Shown above:  Windows desktop after the TeslaCrypt infection.

 
