2016-03-02 - ANGLER EK SENDS TESLACRYPT
PCAP AND MALWARE:
- ZIP archive of the PCAP: 2016-03-02-Angler-EK-after-kiwitemplates.com.pcap.zip 1.4 MB (1,369,696 bytes)
- ZIP archive of malware and artifacts: 2016-03-02-Angler-EK-after-kiwitemplates.com-artifacts-and-malware.zip 503.0 kB (503,019 bytes)
NOTES:
- Today's compromised website had pseudo-Darkleech injected script in the initial webpage. It also had "admedia" script in many of the .js files.
- There are two instances of Angler EK in this pcap: one caused by the pseudo-Darkleech script, and one caused by the "admedia" script.
- For background on the pseudo-Darkleech campaign, see: https://blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html
- For background on the "admedia" campaign, see the following posts:
- https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
- https://blog.malwarebytes.org/exploits-2/2016/02/nuclear-ek-leveraged-in-large-wordpress-compromise-campaign/
- http://www.deependresearch.org/2016/02/jan-feb-2016-domains-associated-with.html
- https://blog.malwarebytes.org/exploits-2/2016/02/wordpress-compromise-campaign-from-nuclear-ek-to-angler-ek/
- https://isc.sans.edu/forums/diary/Angler+exploit+kit+generated+by+admedia+gates/20741
Shown above: Start of the pseudo-Darkleech script in the initial page from the compromised website.
Shown above: An example of the "admedia" script appended onto many of the .js files from the compromised website.
DETAILS
Shown above: Today's traffic, filtered in Wireshark.
DATE/TIME: 2016-03-02 16:59 UTC
- www.kiwitemplates.com - Compromised website
- 185.46.8.131 port 80 - vuotando-tdiff.nyraclub.com - Angler EK (from pseudo-Darkleech script)
- 194.228.3.204 port 80 - opravnatramvaji.cz - POST /modules/mod_search/wstr.php [TeslaCrypt callback]
- 93.171.217.56 port 80 - img.zolotcekatya.info - "admedia" gate
- 185.46.11.205 port 80 - gil.noglutendairysugar.com - Angler EK (from "admedia" gate)
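As an added example (not part of the original post), the following Python reconstructs the two infection chains listed above by walking HTTP Referer headers backwards from each Angler EK landing request and flags the TeslaCrypt callback POST. The host names and callback path are taken from this page; the URIs, Referer values, request order and role heuristics are assumptions.

```python
# Added example (not from the original post): reconstruct the two Angler EK
# infection chains in this traffic by walking HTTP Referer headers backwards
# from each EK landing request, and flag the TeslaCrypt callback POST.
# Hosts and the callback path come from the page; URIs, Referers and order
# are constructed sample data.

COMPROMISED = "www.kiwitemplates.com"
GATES = {"img.zolotcekatya.info"}                        # "admedia" gate
ANGLER = {"vuotando-tdiff.nyraclub.com", "gil.noglutendairysugar.com"}
CALLBACK_URI = "/modules/mod_search/wstr.php"            # TeslaCrypt callback

# (method, host, uri, referer) -- constructed sample requests
EVENTS = [
    ("GET", COMPROMISED, "/", None),
    ("GET", COMPROMISED, "/js/jquery.js", "http://www.kiwitemplates.com/"),
    ("GET", "vuotando-tdiff.nyraclub.com", "/topic/land.php", "http://www.kiwitemplates.com/"),
    ("GET", "vuotando-tdiff.nyraclub.com", "/x.swf", "http://vuotando-tdiff.nyraclub.com/topic/land.php"),
    ("POST", "opravnatramvaji.cz", CALLBACK_URI, None),
    ("GET", "img.zolotcekatya.info", "/gate.js", "http://www.kiwitemplates.com/"),
    ("GET", "gil.noglutendairysugar.com", "/view/index", "http://img.zolotcekatya.info/gate.js"),
]

def role(method, host, uri):
    """Label a request by the role it plays in the chain (assumed heuristics)."""
    if host == COMPROMISED:
        return "compromised-site"
    if host in GATES:
        return "gate"
    if host in ANGLER:
        return "angler-ek"
    if method == "POST" and uri == CALLBACK_URI:
        return "teslacrypt-callback"
    return "other"

def reconstruct_chains(events):
    """For the first contact with each Angler host, walk Referers back to the root."""
    by_url = {f"http://{h}{u}": (m, h, u, r) for m, h, u, r in events}
    chains, seen = [], set()
    for m, h, u, r in events:
        if h not in ANGLER or h in seen:
            continue
        seen.add(h)
        chain, ref = [(role(m, h, u), h)], r
        while ref in by_url and len(chain) < 10:   # follow Referer; guard against loops
            pm, ph, pu, pr = by_url[ref]
            chain.append((role(pm, ph, pu), ph))
            ref = pr
        chains.append(list(reversed(chain)))        # root (compromised site) first
    return chains

def find_callbacks(events):
    """Hosts that received a POST matching the TeslaCrypt callback path."""
    return [h for m, h, u, _ in events if role(m, h, u) == "teslacrypt-callback"]
```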
EXPLOITS/MALWARE:
- 2016-03-02-pseudo-Darkleech-Angler-EK-flash-exploit-after-kiwitemplates.com.swf - 64.6 kB (64,642 bytes) - MD5 hash: 9475b5b270d8d336dde4c72aeef5ddf4
- 2016-03-02-pseudo-Darkleech-Angler-EK-payload-TeslaCrypt-after-kiwitemplates.com.exe - 322.0 kB (322,048 bytes) - MD5 hash: c2224f9512dd2cadc59f177ff7b6fd2f
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the PCAP: 2016-03-02-Angler-EK-after-kiwitemplates.com.pcap.zip 1.4 MB (1,369,696 bytes)
- ZIP archive of malware and artifacts: 2016-03-02-Angler-EK-after-kiwitemplates.com-artifacts-and-malware.zip 503.0 kB (503,019 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.