2016-02-12 - TWO INFECTIONS WITH ANGLER EK DELIVERING TESLACRYPT
PCAP AND MALWARE:
- ZIP archive of the above two PCAPs: 2016-02-12-both-Angler-EK-pcaps.zip 2.5 MB (2,516,108 bytes)
- ZIP archive of the malware and artifacts from both infections: 2016-02-12-Angler-EK-and-TelsaCrypt-malware-and-artifacts.zip 1.3 MB (1,268,843 bytes)
NOTES:
- Both Angler EK infections delivered TeslaCrypt with the same file size but different file hashes.
- The first pcap is an example of Admedia Angler EK as reported by Sucuri at https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
- The second pcap shows a compromised website with injected script leading directly to Angler EK (no gate). The injected script follows a pattern I've documented in previous blog entries.
CHAIN OF EVENTS
DATE/TIME OF FIRST PCAP (ADMEDIA ANGLER EK): 2016-02-12 23:06 UTC
- vipcinegraphy.my - Compromised website
- 37.139.3.85 port 80 - js.goltayamorda.info - Admedia-related gate
- 82.146.33.44 port 80 - roof.bravoincorporated.com - Angler EK
- 185.98.6.107 port 80 - vostorgspa.kz - TeslaCrypt post-infection traffic
DATE/TIME OF SECOND PCAP (OTHER ANGLER EK): 2016-02-12 23:15 UTC
- www.askcomputers.ca - Compromised website
- 185.49.68.113 port 80 - xfoobartoernblo.play-english-game.com - Angler EK
- 185.98.6.107 port 80 - vostorgspa.kz - TeslaCrypt post-infection traffic
[Image on the original page: injected script in the page from www.askcomputers.ca.]
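The two chains above are most useful as a list of indicators to sweep through your own logs. The following is an added example (not part of the original post or its PCAPs) that takes the domains and IP addresses listed in both chains, runs them over a constructed proxy log in an assumed space-separated format (timestamp, client IP, method, host, path, status), and reports, per client, how far along the chain (compromised site, gate, Angler EK, TeslaCrypt callback) that client got. The stage numbers, the log format, the sample lines and the request paths are all assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Stages of the infection chain described on this page, ranked so that a higher
# number means the client got further along. The ranking itself is an assumption.
STAGES = {
    "compromised website": 1,
    "Admedia gate": 2,
    "Angler EK": 3,
    "TeslaCrypt post-infection": 4,
}

# Indicators copied from the chain-of-events lists on this page.
INDICATORS = {
    "vipcinegraphy.my": "compromised website",
    "www.askcomputers.ca": "compromised website",
    "js.goltayamorda.info": "Admedia gate",
    "37.139.3.85": "Admedia gate",
    "roof.bravoincorporated.com": "Angler EK",
    "82.146.33.44": "Angler EK",
    "xfoobartoernblo.play-english-game.com": "Angler EK",
    "185.49.68.113": "Angler EK",
    "vostorgspa.kz": "TeslaCrypt post-infection",
    "185.98.6.107": "TeslaCrypt post-infection",
}

# Constructed proxy log (assumed format: ts client_ip method host path status).
# Paths are placeholders, not URLs observed in the PCAPs.
SAMPLE_LOG = """\
2016-02-12T23:06:01Z 10.0.0.5 GET vipcinegraphy.my /index.html 200
2016-02-12T23:06:02Z 10.0.0.5 GET js.goltayamorda.info /script.js 200
2016-02-12T23:06:04Z 10.0.0.5 GET roof.bravoincorporated.com /landing 200
2016-02-12T23:06:30Z 10.0.0.5 POST vostorgspa.kz /post.php 200
2016-02-12T23:15:10Z 10.0.0.9 GET www.askcomputers.ca /index.html 200
2016-02-12T23:15:12Z 10.0.0.9 GET xfoobartoernblo.play-english-game.com /landing 200
2016-02-12T23:20:00Z 10.0.0.7 GET www.example.com /index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_indicator(host):
    """Return the stage label for a host or IP: exact match, or a subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    if host in INDICATORS:
        return INDICATORS[host]
    for ioc, label in INDICATORS.items():
        if host.endswith("." + ioc):
            return label
    return None


def scan_log(text):
    """Group indicator hits by client IP, keeping the order in which they appear in the log."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed format
        label = match_indicator(rec["host"])
        if label:
            hits[rec["client"]].append((rec["ts"], rec["host"], label))
    return dict(hits)


def furthest_stage(text):
    """For each client with at least one hit, report the furthest chain stage it reached."""
    return {
        client: max((label for _, _, label in events), key=STAGES.__getitem__)
        for client, events in scan_log(text).items()
    }


if __name__ == "__main__":
    for client, stage in furthest_stage(SAMPLE_LOG).items():
        print(client, "->", stage)
```

A client whose furthest stage is "TeslaCrypt post-infection" made the callback to vostorgspa.kz and should be treated as infected; one that stopped at "Angler EK" reached the landing page and deserves a closer look at the host, while a hit on a compromised website alone is weak evidence by itself, since legitimate visitors hit those pages too.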
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the above two PCAPs: 2016-02-12-both-Angler-EK-pcaps.zip 2.5 MB (2,516,108 bytes)
- ZIP archive of the malware and artifacts from both infections: 2016-02-12-Angler-EK-and-TelsaCrypt-malware-and-artifacts.zip 1.3 MB (1,268,843 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.