Malware-Traffic-Analysis.net - 2016-02-18

2016-02-18 - ANGLER EK DATA DUMP

PCAP AND MALWARE:

ZIP archive of all PCAPs: 2016-02-18-Angler-EK-dump-all-pcaps.zip 6.4 MB (6,422,171 bytes)
ZIP archive of malware and artifacts: 2016-02-18-Angler-EK-dump-malware-and-artifacts.zip 2.8 MB (2,801,109 bytes)

2016-02-18 19:40 UTC:

www.batasnatin.com - Compromised site
91.219.236.133 port 80 - klientene-spanwijd.str8firefarms.com - Angler EK
108.174.112.194 port 80 - dustywinslow.com - TeslaCrypt post-infection callback

2016-02-18 19:48 UTC:

www.pepiusa.com - Compromised site
91.219.236.133 port 80 - klientene-spanwijd.str8firefarms.com - Angler EK
108.174.112.194 port 80 - dustywinslow.com - TeslaCrypt post-infection callback

2016-02-18 19:55 UTC

anticruelty.org - Compromised site
178.62.122.211 port 80 - css.belayamorda.info - Admedia gate
185.46.11.114 port 80 - de.aacon-crete.com - Angler EK
108.174.112.194 port 80 - dustywinslow.com - TeslaCrypt post-infection callback
103.27.60.14 port 80 - dongxinh.com - TeslaCrypt post-infection callback

2016-02-18 21:25 UTC:

emco-williams.com - Compromised site
85.93.0.32 port 80 - 14s.syte4.com - EITest gate
80.87.201.26 port 80 - type.jennymilam.info - Angler EK
108.174.112.194 port 80 - dustywinslow.com - TeslaCrypt post-infection callback

2016-02-18 21:37 UTC:

www.burnsharris.com - Compromised site
195.128.125.187 port 80 - ddebry.murderedoutclothing.com - Angler EK
108.174.112.194 port 80 - dustywinslow.com - TeslaCrypt post-infection callback

2016-02-18 21:45 UTC:

www.strategiccs.org - Compromised site
195.128.125.187 port 80 - ddebry.murderedoutclothing.com - Angler EK
108.174.112.194 port 80 - dustywinslow.com - TeslaCrypt post-infection callback

2016-02-18 21:53 UTC:

www.rimex.com - Compromised site
91.219.236.133 port 80 - sacrificing-1romeuf.540tutor.com - Angler EK
108.174.112.194 port 80 - dustywinslow.com - TeslaCrypt post-infection callback

ANGLER EK FROM THE ABOVE PCAP FILES:

ANGLER EK PAYLOAD - TESLACRYPT (MD5 hash - file name):

05a08edc0563ec9bc691a0b1abcccb5a - 2016-02-18-Angler-EK-payload-TeslaCrypt-after-burnsharris.com.exe
05a08edc0563ec9bc691a0b1abcccb5a - 2016-02-18-Angler-EK-payload-TeslaCrypt-after-rimex.com.exe
05a08edc0563ec9bc691a0b1abcccb5a - 2016-02-18-Angler-EK-payload-TeslaCrypt-after-strageticcs.org.exe
5080413aa7e033dfe4d93c27162770c3 - 2016-02-18-Admedia-Angler-EK-payload-TeslaCrypt-after-anticruelty.org.exe
6fda5dbac0edb8380007cb8f53c85c9f - 2016-02-18-Angler-EK-payload-TeslaCrypt-after-batasnatin.com.exe
6fda5dbac0edb8380007cb8f53c85c9f - 2016-02-18-Angler-EK-payload-TeslaCrypt-after-pepiusa.com.exe
ac5942f452e1e3cfdeaf7673b0646d48 - 2016-02-18-EITest-Angler-EK-payload-TeslaCrypt-after-emco-williams.com.exe

FLASH EXPLOITS (MD5 hash - file name):

3b08cd536d0e7c55a85ede0b9e6a5f2a - 2016-02-18-Angler-EK--flash-exploit-after-rimex.com.swf
3b08cd536d0e7c55a85ede0b9e6a5f2a - 2016-02-18-Angler-EK-flash-exploit-after-batasnatin.com.swf
3b08cd536d0e7c55a85ede0b9e6a5f2a - 2016-02-18-Angler-EK-flash-exploit-after-burnsharris.com.swf
6028c0e05e1e57e410a0d1b48f9c448f - 2016-02-18-Angler-EK-flash-exploit-after-pepiusa.com.swf
6028c0e05e1e57e410a0d1b48f9c448f - 2016-02-18-Angler-EK-flash-exploit-after-strageticcs.org.swf
7a0e71a38019d8cf449f8329aeb69075 - 2016-02-18-Admedia-Angler-EK--flash-exploit-after-anticruelty.org.swf
7a0e71a38019d8cf449f8329aeb69075 - 2016-02-18-EITest-Angler-EK-flash-exploit-after-emco-williams.com.swf

Once again, here are the associated files:

ZIP archive of all PCAPs: 2016-02-18-Angler-EK-dump-all-pcaps.zip 6.4 MB (6,422,171 bytes)
ZIP archive of malware and artifacts: 2016-02-18-Angler-EK-dump-malware-and-artifacts.zip 2.8 MB (2,801,109 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.