2016-03-11 - ANGLER EK FROM 91.227.68.180

PCAP AND MALWARE:

• ZIP archive of the malware and artifacts:  2016-03-11-Angler-EK-after-fixwindowsproblems.com.pcap.zip  736.9 kB (736,932 bytes)
• ZIP archive of the malware and artifacts:  2016-03-11-Angler-EK-malware-and-artifacts.zip  383.2 kB (383,215 bytes)

 

NOTES:

• Note the wcspng.php in post-infection traffic from today's TeslaCrypt payload.
• Today's injected script looks like pseudo-Darkleech in early 2015 as described by Sucuri ( link ) before it started getting all tricky and obfuscated later that year ( link ).

Shown above:  Example of the "early Darkleech/pseudo-Darkleech" style injected script in page from compromised site.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• www.fixwindowsproblems.com - Compromised site
• 46.108.39.60 port 80 - wtuujlt.hopto.org - GET /wordpress/?bf7N&utm_source=le   [gate/redirect]
• 91.227.68.180 port 80 - contrarevolutionary.astimegoesbyinrochester.co.uk - Angler EK
• 185.8.173.29 port 80 - tele-channel.com - POST /wp-admin/maint/wcspng.php   [TeslaCrypt callback traffic]
• 203.124.115.1 port 80 - vtechshop.net - POST /wcspng.php   [TeslaCrypt callback traffic]

Shown above:  Pcap of today's traffic filtered in Wireshark.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the malware and artifacts:  2016-03-11-Angler-EK-after-fixwindowsproblems.com.pcap.zip  736.9 kB (736,932 bytes)
• ZIP archive of the malware and artifacts:  2016-03-11-Angler-EK-malware-and-artifacts.zip  383.2 kB (383,215 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.