2015-12-08 - ANGLER EK FROM 18.104.22.168 SENDS CRYPTOWALL
- ZIP archive of the PCAP: 2015-12-08-Angler-EK-traffic.pcap.zip 493.4 kB (493,384 bytes)
- ZIP archive of the malware: 2015-12-08-Angler-EK-malware-and-artifacts.zip 379.7 kB (379,714 bytes)
Shown above: On 2015-12-08, Google said the site may be comrpomised.
Shown above: Turns out it was! See above for start of injected script in page from comrpomised website.
Shown above: End of injected script in page from comrpomised website.
Shown above: Pcap of the traffic filtered in Wireshark.
Shown above: Windows desktop minutes after the malware payload (CryptoWall) was delivered.
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.