2016-03-15 - ANGLER EK DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-03-15-Angler-EK-data-dump-4-pcaps.zip  2.6 MB (2,583,090 bytes)
• 2016-03-15-Angler-EK-data-dump-malware-and-artifacts.zip  1.5 MB (1,483,045 bytes)

 

NOTES:

• Compromised site from the first pcap also sent a .js file with injected script from the "admedia" campaign (follow-up HTTP traffic didn't get past the gate).

• For background on the pseudo-Darkleech campaign, see: https://blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html

• For background on the "admedia" campaign, see:

• https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
• https://www.malwarebytes.com/blog/news/2016/02/nuclear-ek-leveraged-in-large-wordpress-compromise-campaign
• https://www.malwarebytes.com/blog/news/2016/02/wordpress-compromise-campaign-from-nuclear-ek-to-angler-ek
• https://isc.sans.edu/diary/Angler+exploit+kit+generated+by+admedia+gates/20741

 

ASSOCIATED DOMAINS

GATES:

• 188.166.149[.]53 port 80 - stat.gdegetumoyadyra[.]info   [admedia, but didn't get past the gate]

ANGLER EK:

• 80.78.253[.]28 port 80 - athericeravirgilia.garage-door-repair-sf-bay-area-sac[.]com   [pseudo-Darkleech]
• 89.108.83[.]41 port 80 - heals.marijuanaformedicalprofessionals[.]com   [other]
• 95.215.108[.]88 port 80 - apostrophes.garagedoor-minneapolis[.]com   [pseudo-Darkleech]

POST-INFECTION FROM THE TESLACRYPT RANSOMWARE:

• 107.180.50[.]183 port 80 - emmy2015[.]com - POST /strbin.php
• 107.180.50[.]210 port 80 - nlhomegarden[.]com - POST /strbin.php

 

 

IMAGES

Shown above:  Traffic from the infections filtered in Wireshark.

 

Shown above:  Injected script in page from first compromised site.

 

Shown above:  Start of injected pseudo-Darkleech script in page from second compromised site.

 

Shown above:  Start of injected pseudo-Darkleech script in page from third compromised site.

 

Shown above:  Decrypt instructions from today's TeslaCrypt ransomware samples.

 

Click here to return to the main page.