2015-12-28 - ANGLER EK FROM 207.182.133.69 SENDS TESLACRYPT

ASSOCIATED FILES:

• ZIP archive of the pcap:  2015-12-28-Angler-EK-sends-TeslaCrypt-traffic.pcap.zip   985.6 kB (985,586 bytes)
• ZIP archive of the artifacts and malware:  2015-12-28-Angler-EK-sends-TeslaCrypt-malware-and-artifacts.zip   421.1 kB (421,071 bytes)

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• www.pro-media.gr - Compromised website
• 85.10.198.133 port 80 - rent-a-lounge.ch - Gate that redirects to Angler EK
• 207.182.133.69 port 80 - muovipussiin.teamproud.org - Angler EK
• myexternalip.com - IP check by the infected host
• 160.153.54.66 port 80 - wonderph.com - TeslaCrypt callback traffic

 

SCREENSHOTS

Shown above:  Today's pcap filtered in Wireshark.

 

Shown above:  Injected script in page from the compromised website.

 

Shown above:  The HTTP GET request for the gate.  It returned an iframe pointing to the Angler EK landing page.
NOTE:  Following the TCP stream in Wireshark won't show the returned text, because it's gzip compressed.

 

Shown above:  Quickly find the decompressed text in Wireshark by selecting the frame with "200 OK" and expanding the "Line-based text data" section.

 

Shown above:  The user's Windows desktop after the TeslaCrypt infection.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2015-12-28-Angler-EK-sends-TeslaCrypt-traffic.pcap.zip   985.6 kB (985,586 bytes)
• ZIP archive of the artifacts and malware:  2015-12-28-Angler-EK-sends-TeslaCrypt-malware-and-artifacts.zip   421.1 kB (421,071 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.