2016-03-02 - ADMEDIA GATE FOR ANGLER EK STATES "HELLORESEARCHER"
PCAP AND MALWARE:
- PCAP of the traffic: 2016-03-02-admedia-Angler-EK-after-dompetdhuafa.org.au.pcap 715.3 kB (715,327 bytes)
- ZIP archive of the PCAP: 2016-03-02-admedia-Angler-EK-after-dompetdhuafa.org.au.pcap.zip 575.8 kB (575,798 bytes)
- ZIP archive of malware and artifacts: 2016-03-02-admedia-Angler-EK-after-dompetdhuafa.org.au-malware-and-artifacts.zip 437.7 kB (437,715 bytes)
NOTES:
- Noted a pattern change in the HTTP GET request for the "admedia" gate. This time, it shows "helloresearcher" in the URL.
- For background on the "admedia" campaign, see the following posts:
- https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
- https://blog.malwarebytes.org/exploits-2/2016/02/nuclear-ek-leveraged-in-large-wordpress-compromise-campaign/
- http://www.deependresearch.org/2016/02/jan-feb-2016-domains-associated-with.html
- https://blog.malwarebytes.org/exploits-2/2016/02/wordpress-compromise-campaign-from-nuclear-ek-to-angler-ek/
- https://isc.sans.edu/forums/diary/Angler+exploit+kit+generated+by+admedia+gates/20741
[Screenshot] "admedia" script injected into the initial HTML page from the compromised website.
DETAILS
[Screenshot] Today's traffic, filtered in Wireshark. As always, they know we're watching.
DATE/TIME: 2016-03-02 20:57 UTC
- dompetdhuafa.org.au - Compromised site
- 93.171.217.56 port 80 - css.seriosnuiparen.info - "admedia" gate
- 78.24.221.26 port 80 - site.lollapalosers.com - Angler EK
- 73.201.145.1 port 80 - dustinhansenbook.com - POST /wstr.php - [TeslaCrypt post-infection traffic]
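The "helloresearcher" token noted above and the four-host chain listed under DATE/TIME are enough to write a small triage script. The following is an added example, not code from this site: it tags HTTP request records with their stage in the chain (compromised site, "admedia" gate, Angler EK, TeslaCrypt POST to /wstr.php) and matches the gate by the URL token as well as by hostname, so a rotated gate domain that keeps the token is still caught. The hostnames, the token and the /wstr.php check come from this post; the log lines, the tab-separated log format, the URL paths and the hostnames gate.example.net, www.example.com and unrelated.example are constructed for the example and are not from the PCAP.

```python
"""Tag the admedia -> Angler EK -> TeslaCrypt chain in HTTP request records.

Added example, not from malware-traffic-analysis.net. Indicators (hosts,
the "helloresearcher" URL token, POST /wstr.php) are from the post above;
SAMPLE_LOG below is constructed data with placeholder URL paths.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

COMPROMISED_HOSTS = {"dompetdhuafa.org.au"}
GATE_HOSTS = {"css.seriosnuiparen.info"}
GATE_URL_TOKEN = "helloresearcher"   # the pattern change noted in this post
EK_HOSTS = {"site.lollapalosers.com"}
C2_HOSTS = {"dustinhansenbook.com"}
C2_PATH = "/wstr.php"                # TeslaCrypt post-infection POST

STAGE_ORDER = ["compromised site", "admedia gate", "Angler EK", "TeslaCrypt C2"]


@dataclass
class HttpRequest:
    ts: str
    method: str
    host: str
    uri: str
    referer: str  # "-" when the request carried no Referer header


def parse_log(text: str) -> List[HttpRequest]:
    """Parse tab-separated records: ts, method, host, uri, referer (constructed format)."""
    reqs = []
    for line in text.strip().splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the whole run
        reqs.append(HttpRequest(*fields))
    return reqs


def classify(req: HttpRequest) -> Optional[str]:
    """Map one request to a stage of the infection chain, or None if unrelated."""
    host = req.host.lower()
    uri = req.uri.lower()
    if host in C2_HOSTS and req.method == "POST" and uri == C2_PATH:
        return "TeslaCrypt C2"
    if host in EK_HOSTS:
        return "Angler EK"
    # Match the gate by known host OR by the URL token, so a rotated gate
    # domain that keeps the "helloresearcher" string is still flagged.
    if host in GATE_HOSTS or GATE_URL_TOKEN in uri:
        return "admedia gate"
    if host in COMPROMISED_HOSTS:
        return "compromised site"
    return None


def referer_host(referer: str) -> str:
    """Host part of a Referer value such as http://host/path; '' when absent."""
    if referer in ("", "-"):
        return ""
    return referer.split("//", 1)[-1].split("/", 1)[0].lower()


def reconstruct_chain(reqs: List[HttpRequest]) -> List[Tuple[str, str, str, str]]:
    """Return [(ts, stage, host, uri)] for chain hits in timestamp order.

    Heuristic: gate and EK requests are only accepted when their Referer
    points at a host already in the chain (the injected script runs in
    the compromised page). The TeslaCrypt POST is sent by the dropped
    binary and carries no Referer, so it is accepted on host+method+path.
    """
    hits = []
    chain_hosts = set()
    for req in sorted(reqs, key=lambda r: r.ts):
        stage = classify(req)
        if stage is None:
            continue
        if stage in ("admedia gate", "Angler EK") and referer_host(req.referer) not in chain_hosts:
            continue  # token/host matched but not linked to this chain; skip
        hits.append((req.ts, stage, req.host, req.uri))
        chain_hosts.add(req.host.lower())
    return hits


def chain_is_complete(hits: List[Tuple[str, str, str, str]]) -> bool:
    """True when all four stages appear, in the expected order."""
    pos = 0
    for _, stage, _, _ in hits:
        if pos < len(STAGE_ORDER) and stage == STAGE_ORDER[pos]:
            pos += 1
    return pos == len(STAGE_ORDER)


# Constructed sample records (ts, method, host, uri, referer). Paths are
# placeholders; gate.example.net, www.example.com and unrelated.example
# are hypothetical hosts used to show a rotated gate and unrelated traffic.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("2016-03-02 20:57:01", "GET", "dompetdhuafa.org.au", "/", "-"),
    ("2016-03-02 20:57:02", "GET", "css.seriosnuiparen.info", "/helloresearcher/placeholder.js", "http://dompetdhuafa.org.au/"),
    ("2016-03-02 20:57:03", "GET", "gate.example.net", "/helloresearcher/placeholder.js", "http://dompetdhuafa.org.au/"),
    ("2016-03-02 20:57:04", "GET", "site.lollapalosers.com", "/placeholder-landing", "http://dompetdhuafa.org.au/"),
    ("2016-03-02 20:57:05", "GET", "www.example.com", "/index.html", "-"),
    ("2016-03-02 20:57:06", "GET", "gate.example.net", "/helloresearcher/placeholder.js", "http://unrelated.example/"),
    ("2016-03-02 20:57:40", "POST", "dustinhansenbook.com", "/wstr.php", "-"),
])

if __name__ == "__main__":
    chain = reconstruct_chain(parse_log(SAMPLE_LOG))
    for ts, stage, host, uri in chain:
        print(f"{ts}  {stage:16}  {host}  {uri}")
    print("complete chain:", chain_is_complete(chain))
```

Against real data, feed it the HTTP request list exported from Wireshark (Host, request URI, method and Referer columns) rather than the constructed records; the Referer check is a heuristic to cut false positives from the token match and should be relaxed if the gate is observed being loaded some other way.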
EXPLOITS/MALWARE:
- 2016-03-02-admedia-Angler-EK-flash-exploit-after-dompetdhuafa.org.au.swf - 64.0 kB (63,957 bytes) - MD5 hash: f9df1526d25e803b21e3d6f443eeb68e
- 2016-03-02-admedia-Angler-EK-payload-TeslaCrypt-after-dompetdhuafa.org.au.exe - 368.6 kB (368,640 bytes) - MD5 hash: 224f7692f2225f59f5fce710cdfb32d1
FINAL NOTES
Once again, here are the associated files:
- PCAP of the traffic: 2016-03-02-admedia-Angler-EK-after-dompetdhuafa.org.au.pcap 715.3 kB (715,327 bytes)
- ZIP archive of the PCAP: 2016-03-02-admedia-Angler-EK-after-dompetdhuafa.org.au.pcap.zip 575.8 kB (575,798 bytes)
- ZIP archive of malware and artifacts: 2016-03-02-admedia-Angler-EK-after-dompetdhuafa.org.au-malware-and-artifacts.zip 437.7 kB (437,715 bytes)
The ZIP files are password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.