2016-02-26 - ANGLER EK FROM 66.225.241.46 SENDS TESLACRYPT
PCAP AND MALWARE:
- ZIP archive of the PCAP: 2016-02-26-Angler-EK-after-hscteam.com.pcap.zip 507,820 bytes (508 kB)
- ZIP archive of the malware and artifacts: 2016-02-26-Angler-EK-and-TeslaCrypt-malware-and-artifacts.zip 448,743 bytes (451 kB)
CHAIN OF EVENTS
Shown above: Today's pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- 198.46.81.175 port 80 - www.hscteam.com - Compromised website
- 66.225.241.46 port 80 - goedkooperindalenet.dirsmithbuilders.com - Angler EK
- 185.26.122.59 port 80 - surrogacyandadoption.com - POST /bstr.php [TeslaCrypt callback traffic]
IMAGES
Shown above: Injected script in page from the compromised site, part 1 of 3.
Shown above: Injected script in page from the compromised site, part 2 of 3.
Shown above: Injected script in page from the compromised site, part 3 of 3.
Shown above: The Windows desktop after Angler EK sent TeslaCrypt.
Shown above: The TeslaCrypt ransomware staying persistent on the infected Windows host.
Shown above: Signature hits from the Talos (Sourcefire VRT) registered ruleset using Snort 2.9.8.0 on Debian 7.
Shown above: Signature hits from Suricata using the Emerging Threats Pro ruleset on Security Onion.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the PCAP: 2016-02-26-Angler-EK-after-hscteam.com.pcap.zip 507,820 bytes (508 kB)
- ZIP archive of the malware and artifacts: 2016-02-26-Angler-EK-and-TeslaCrypt-malware-and-artifacts.zip 448,743 bytes (451 kB)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.