2015-12-08 - ANGLER EK FROM 185.46.8[.]218 SENDS CRYPTOWALL RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
 
ASSOCIATED FILES:
- 2015-12-08-Angler-EK-traffic.pcap.zip 493.4 kB (493,384 bytes)
- 2015-12-08-Angler-EK-malware-and-artifacts.zip 380.5 kB (380,466 bytes)
 

Shown above:  On 2015-12-08, Google said the site may be compromised.

Shown above:  Turns out it was!  See above for start of injected script in page from compromised website.

Shown above:  End of injected script in page from compromised website.

Shown above:  Pcap of the traffic filtered in Wireshark.

Shown above:  Windows desktop minutes after the malware payload (CryptoWall) was delivered.
