2016-02-15 - THREE INFECTIONS WITH ANGLER EK SENDING TESLACRYPT
PCAP AND MALWARE:
- ZIP archive of the above three PCAPs: 2016-02-15-all-Angler-EK-pcaps.zip 3.7 MB (3,668,181 bytes)
- ZIP archive of EITest Angler EK malware and artifacts: 2016-02-15-EITest-Angler-EK-malware-and-artifacts.zip 470.3 kB (470,275 bytes)
- ZIP archive of Admedia Angler EK malware and artifacts: 2016-02-15-Admedia-Angler-EK-malware-and-artifacts.zip 530.7 kB (530,725 bytes)
- ZIP archive of other Angler EK malware and artifacts: 2016-02-15-other-Angler-EK-malware-and-artifacts.zip 667.4 kB (667,366 bytes)
NOTES:
- All three Angler EK infections delivered TeslaCrypt with different file sizes/hashes but the same post-infection callback URL.
- The first pcap is an example of EITest Angler EK as reported by Malwarebytes here and here.
- The second pcap is an example of Admedia Angler EK as reported by Sucuri here.
- The third pcap has a compromised website with injected script leading directly to Angler EK (no gate).
CHAIN OF EVENTS
START TIME OF FIRST PCAP (EITEST ANGLER EK): 2016-02-15 18:10 UTC
- www.rcp-vision.com - Compromised website
- 85.93.0.32 port 80 - zeboms.tk - EITest gate/redirect
- 51.254.51.5 port 80 - one.theleadersummit.com - Angler EK
- 23.229.232.40 port 80 - jecit.ac.in - TeslaCrypt post-infection callback
START TIME OF SECOND PCAP (ADMEDIA ANGLER EK): 2016-02-15 19:12 UTC
- waterfrontsouthgate.com.au - Compromised website
- 178.62.122.211 port 80 - css.chernayamorda.info - Admedia gate/redirect
- 51.254.51.5 port 80 - and.theleadersummit.net - Angler EK
- 23.229.232.40 port 80 - jecit.ac.in - TeslaCrypt post-infection callback
START TIME OF THIRD PCAP (OTHER ANGLER EK): 2016-02-15 20:06 UTC
- www.health-total.com - Compromised website
- 195.128.125.208 port 80 - slokkerigst.ladyhustlelifting.com - Angler EK
- 23.229.232.40 port 80 - jecit.ac.in - TeslaCrypt post-infection callback
Shown above: Traffic from the first pcap (EITest Angler EK) filtered in Wireshark.
Shown above: Traffic from the second pcap (Admedia Angler EK) filtered in Wireshark.
Shown above: Traffic from the third pcap (other Angler EK) filtered in Wireshark.
FLASH EXPLOITS AND MALWARE PAYLOADS
FLASH EXPLOITS:
File name: 2016-02-15-EITest-Angler-EK-flash-exploit.swf
File size: 64.0 KB (65,553 bytes)
https://www.virustotal.com/en/file/a6a00386284302cd21ab4d647448eee5ff3e58b4c8b46a1949ae449651766b1b/analysis/
File name: 2016-02-15-Admedia-Angler-EK-flash-exploit.swf
File size: 64.4 KB (65,895 bytes)
https://www.virustotal.com/en/file/8ebc70fc2053cdcde648e2e4a6b95d5fe3f0e91afe6353aad2b80f57fca012e1/analysis/
File name: 2016-02-15-Angler-EK-flash-exploit.swf
File size: 80.8 KB (82,750 bytes)
https://www.virustotal.com/en/file/ae2ae9032984beb3093a92155b9df2a077f7213c4b67ae09924d96cae91591ab/analysis/
MALWARE PAYLOADS (ALL TESLACRYPT):
File name: 2016-02-15-EITest-Angler-EK-payload-TeslaCrypt.exe
File size: 416.5 KB (426,496 bytes)
https://www.virustotal.com/en/file/8a518224c47b99e7bba9eaca11fad5ef848cad7dbe6fe56b02864c5036c25552/analysis/
File name: 2016-02-15-Admedia-Angler-EK-payload-TeslaCrypt.exe
File size: 418.0 KB (428,032 bytes)
https://www.virustotal.com/en/file/a5fec2ff19af3099052f37a9b57b28edffcb6ab71778a6e3228cb020cde07972/analysis/
File name: 2016-02-15-Angler-EK-payload-TeslaCrypt.exe
File size: 620.0 KB (634,880 bytes)
https://www.virustotal.com/en/file/1e58891d2a807706037c6491065b3fb28b1701567b9b8a9b08fb4e04dd04a02f/analysis/
IMAGES
Shown above: From EITest Angler EK infection - injected script in page from compromised website.
Shown above: From Admedia Angler EK infection - injected script in page from the compromised website.
Shown above: From Admedia Angler EK infection - each .js file from the compromised site has similar injected script appended to it.
Shown above: From Admedia Angler EK infection - the long hexadecimal string in each of the variables translates to an Admedia gate URL.
Shown above: From other Angler EK infection - injected script in page from the compromised website.
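The Admedia injection hides its gate URL in long hexadecimal strings appended to the site's .js files. The script below is an added example, not part of this post or the Sucuri write-up: it scans a script body for long hex literals (plain hex digits and JavaScript \xNN escape runs), decodes them, and keeps only the ones that decode to an http(s) URL, which gives you the gate hostname to pivot on in DNS or proxy logs. The sample script body is constructed for the example; the gate hostname is the one from the second pcap, but the variable names, the URL paths and the decoy string are made up.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an injected tail appended to a .js file on a compromised
# site. The gate hostname is the Admedia gate from this traffic; the variable
# names, the paths and the decoy "seed" string are invented for this example.
SAMPLE_JS = r'''
/* original site script ends here */
var tmqh = "687474703a2f2f6373732e636865726e6179616d6f7264612e696e666f2f6c69622f61642e6a73";
var wplu = "\x68\x74\x74\x70\x3a\x2f\x2f\x63\x73\x73\x2e\x63\x68\x65\x72\x6e\x61\x79\x61\x6d\x6f\x72\x64\x61\x2e\x69\x6e\x66\x6f\x2f\x6a\x73\x2f";
var seed = "deadbeefcafebabe0123456789abcdef";
'''

# String literals made only of hex digits (16+ chars), and literals made only of
# JavaScript \xNN escapes (8+ bytes). Short literals are ignored to cut noise.
PLAIN_HEX = re.compile(r'["\']([0-9a-fA-F]{16,})["\']')
ESCAPED_HEX = re.compile(r'["\']((?:\\x[0-9a-fA-F]{2}){8,})["\']')


def decode_candidates(script: str) -> list[str]:
    """Decode every long hex literal in the script as UTF-8 text.

    Literals that do not decode cleanly are skipped: a URL always decodes,
    while random-looking hex (keys, seeds, padding) normally does not.
    """
    out = []
    for match in PLAIN_HEX.finditer(script):
        try:
            out.append(bytes.fromhex(match.group(1)).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    for match in ESCAPED_HEX.finditer(script):
        raw = bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', match.group(1)))
        try:
            out.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            continue
    return out


def looks_like_url(text: str) -> bool:
    """True when the decoded text parses as an http(s) URL with a hostname."""
    parsed = urlparse(text)
    return parsed.scheme in ("http", "https") and bool(parsed.hostname)


def extract_gate_urls(script: str) -> list[str]:
    """Decoded hex strings from the script that look like URLs, in order found."""
    return [s for s in decode_candidates(script) if looks_like_url(s)]


def gate_hostnames(script: str) -> set[str]:
    """Hostnames to pivot on in DNS logs, proxy logs or blocklists."""
    return {urlparse(u).hostname for u in extract_gate_urls(script)}


if __name__ == "__main__":
    for url in extract_gate_urls(SAMPLE_JS):
        print(url)
    print(sorted(gate_hostnames(SAMPLE_JS)))
```

Run it against the actual .js files exported from the pcap (Wireshark: File > Export Objects > HTTP) to get the real gate URLs rather than the constructed ones. The UTF-8 decode check is what separates an encoded URL from the decoy hex value: the decoy fails to decode and is dropped without any allowlist of keywords.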
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the above three PCAPs: 2016-02-15-all-Angler-EK-pcaps.zip 3.7 MB (3,668,181 bytes)
- ZIP archive of EITest Angler EK malware and artifacts: 2016-02-15-EITest-Angler-EK-malware-and-artifacts.zip 470.3 kB (470,275 bytes)
- ZIP archive of Admedia Angler EK malware and artifacts: 2016-02-15-Admedia-Angler-EK-malware-and-artifacts.zip 530.7 kB (530,725 bytes)
- ZIP archive of other Angler EK malware and artifacts: 2016-02-15-other-Angler-EK-malware-and-artifacts.zip 667.4 kB (667,366 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.