2016-03-08 - PSEUDO-DARKLEECH ANGLER EK FROM 85.143.220.117
PCAP AND MALWARE:
- ZIP archive of the above PCAP: 2016-03-08-pseudo-Darkleech-Angler-EK-after-kidspathwayspeel.com.pcap.zip 567.9 kB (567,908 bytes)
- ZIP archive of malware and artifacts: 2016-03-08-pseudo-Darkleech-Angler-EK-after-kidspathwayspeel.com-malware-and-artifacts.zip 415.9 kB (415,861 bytes)
NOTES:
- Today's traffic shows a new Angler landing URI structure, as reported by Kafeine at: https://twitter.com/kafeine/status/707173851013259264
- For background on the pseudo-Darkleech campaign, see: https://blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html
TRAFFIC
[Image not included: Traffic from the pcap filtered in Wireshark.]
ASSOCIATED DOMAINS:
- www.kidspathwayspeel.com - Compromised site
- 85.143.220.117 port 80 - kardeskenmainwaring.volthouse.co - Angler EK
IMAGES
[Image not included: Start of injected pseudo-Darkleech script in a page from the compromised web site.]
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the above PCAP: 2016-03-08-pseudo-Darkleech-Angler-EK-after-kidspathwayspeel.com.pcap.zip 567.9 kB (567,908 bytes)
- ZIP archive of malware and artifacts: 2016-03-08-pseudo-Darkleech-Angler-EK-after-kidspathwayspeel.com-malware-and-artifacts.zip 415.9 kB (415,861 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.