2015-12-08 - ANGLER EK FROM 185.46.8.218 SENDS CRYPTOWALL

ASSOCIATED FILES:

• ZIP archive of the PCAP:  2015-12-08-Angler-EK-traffic.pcap.zip   493.4 kB (493,384 bytes)
• ZIP archive of the malware:  2015-12-08-Angler-EK-malware-and-artifacts.zip   379.7 kB (379,714 bytes)

 

Shown above:  On 2015-12-08, Google said the site may be comrpomised.

Shown above:  Turns out it was!  See above for start of injected script in page from comrpomised website.

Shown above:  End of injected script in page from comrpomised website.

Shown above:  Pcap of the traffic filtered in Wireshark.

Shown above:  Windows desktop minutes after the malware payload (CryptoWall) was delivered.

 

FINAL NOTES

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.