2016-03-01 - ADMEDIA ANGLER EK FROM 188.120.227.14 DELIVERS TESLACRYPT
PCAP AND MALWARE:
- ZIP archive of the PCAP: 2016-03-01-admedia-Angler-EK-after-nowpdp.org.pcap.zip 601.7 kB (601,672 bytes)
- ZIP archive of malware and artifacts: 2016-03-01-admedia-Angler-EK-malware-and-artifacts.zip 451.4 kB (451,375 bytes)
NOTES:
- For more background on "admedia" Angler EK, see the following posts:
  - https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
  - https://blog.malwarebytes.org/exploits-2/2016/02/nuclear-ek-leveraged-in-large-wordpress-compromise-campaign/
  - http://www.deependresearch.org/2016/02/jan-feb-2016-domains-associated-with.html
  - https://blog.malwarebytes.org/exploits-2/2016/02/wordpress-compromise-campaign-from-nuclear-ek-to-angler-ek/
  - https://isc.sans.edu/forums/diary/Angler+exploit+kit+generated+by+admedia+gates/20741
- In today's "admedia" Angler EK infection chain, the compromised site had the injected script in the initial webpage. When scrubbing the pcap, I left out any HTTP requests for .js files from the compromised site, which also contained the injected script.
DETAILS
DATE/TIME: 2016-03-01 15:57 UTC
- www.nowpdp.org - Compromised website
- 93.171.217.56 port 80 - css.klevuiparen.info - "admedia" gate
- 188.120.227.14 port 80 - site.lakewoodcd.com - Angler EK
- 209.126.108.74 port 80 - ricardomendezabogado.com - POST /components/com_imageshow/wstr.php [TeslaCrypt callback]
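An added example, not part of the original write-up: it rebuilds the chain above (compromised site, "admedia" gate, Angler EK, TeslaCrypt callback) per client from HTTP flow records, using only the hosts, IPs and URI listed in this post. The log lines, the client addresses, the nowpdp.org server IP (203.0.113.10) and the gate/EK URIs are constructed for the demonstration.

```python
# Added example: reconstruct the "admedia" Angler EK chain from HTTP flow
# records. Indicators come from the write-up; log lines are constructed.
from collections import defaultdict

# One entry per stage of the chain; every field present must match.
STAGES = {
    "compromised-site": {"host": "www.nowpdp.org"},
    "admedia-gate": {"host": "css.klevuiparen.info", "ip": "93.171.217.56"},
    "angler-ek": {"host": "site.lakewoodcd.com", "ip": "188.120.227.14"},
    "teslacrypt-callback": {"host": "ricardomendezabogado.com", "ip": "209.126.108.74",
                            "method": "POST", "uri": "/components/com_imageshow/wstr.php"},
}
CHAIN = ["compromised-site", "admedia-gate", "angler-ek", "teslacrypt-callback"]

# Constructed records: time, client, method, Host header, URI, server IP.
# Client 10.0.0.9 only GETs the callback host, so it must not match the POST stage.
SAMPLE_LOG = """\
15:57:02 10.0.0.5 GET www.nowpdp.org / 203.0.113.10
15:57:03 10.0.0.5 GET css.klevuiparen.info /ads.js 93.171.217.56
15:57:05 10.0.0.5 GET site.lakewoodcd.com /landing 188.120.227.14
15:57:09 10.0.0.5 POST ricardomendezabogado.com /components/com_imageshow/wstr.php 209.126.108.74
15:58:00 10.0.0.9 GET www.nowpdp.org / 203.0.113.10
15:58:01 10.0.0.9 GET ricardomendezabogado.com /components/com_imageshow/wstr.php 209.126.108.74
"""

def parse(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, method, host, uri, dst = line.split()
    return {"ts": ts, "src": src, "method": method, "host": host, "uri": uri, "dst": dst}

def classify(rec):
    """Return the chain stage a record matches, or None if it matches none."""
    for stage, ind in STAGES.items():
        if rec["host"] != ind["host"] or rec["dst"] != ind.get("ip", rec["dst"]):
            continue
        if rec["method"] != ind.get("method", rec["method"]) or rec["uri"] != ind.get("uri", rec["uri"]):
            continue
        return stage
    return None

def reconstruct(log):
    """Map each client to the ordered, de-duplicated list of stages it touched."""
    seen = defaultdict(list)
    for line in log.strip().splitlines():
        rec = parse(line)
        stage = classify(rec)
        if stage and stage not in seen[rec["src"]]:
            seen[rec["src"]].append(stage)
    return dict(seen)

def full_chain_clients(log):
    """Clients that walked the whole chain in the same order as the write-up."""
    return [c for c, stages in reconstruct(log).items() if stages == CHAIN]
```

Clients that touch only the compromised site or the gate show up in `reconstruct()` but not in `full_chain_clients()`, which is the set worth escalating for a TeslaCrypt check.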
EXPLOITS/MALWARE:
- 2016-03-01-admedia-Angler-EK-flash-exploit-after-nowpdp.org.swf - 64.0 kB (65,566 bytes) - MD5 hash: aa087258266700bab9aab739042b5bcf
- 2016-03-01-admedia-Angler-EK-payload-TeslaCrypt-after-nowpdp.org.exe - 421.1 kB (431,196 bytes) - MD5 hash: 90f041789a16dfc857cb4ec7008cafc3
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the PCAP: 2016-03-01-admedia-Angler-EK-after-nowpdp.org.pcap.zip 601.7 kB (601,672 bytes)
- ZIP archive of malware and artifacts: 2016-03-01-admedia-Angler-EK-malware-and-artifacts.zip 451.4 kB (451,375 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.