2016-03-15 - ANGLER EK DATA DUMP
PCAP AND MALWARE:
- ZIP archive of all 4 pcaps: 2016-03-15-Angler-EK-data-dump-all-4-pcaps.zip 2.6 MB (2,582,572 bytes)
- ZIP archive of the malware and artifacts: 2016-03-15-Angler-EK-data-dump-malware-and-artifacts.zip 1.5 MB (1,480,815 bytes)
NOTES:
- The compromised site in the first pcap also sent a .js file containing injected script from the "admedia" campaign (the follow-up HTTP traffic didn't get past the gate).
- For background on the pseudo-Darkleech campaign, see: https://blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html
- For background on the "admedia" campaign, see:
  - https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
  - https://blog.malwarebytes.org/exploits-2/2016/02/nuclear-ek-leveraged-in-large-wordpress-compromise-campaign/
  - http://www.deependresearch.org/2016/02/jan-feb-2016-domains-associated-with.html
  - https://blog.malwarebytes.org/exploits-2/2016/02/wordpress-compromise-campaign-from-nuclear-ek-to-angler-ek/
  - https://isc.sans.edu/forums/diary/Angler+exploit+kit+generated+by+admedia+gates/20741
ASSOCIATED DOMAINS
GATES:
- 188.166.149.53 port 80 - stat.gdegetumoyadyra.info [admedia, but didn't get past the gate]
ANGLER EK:
- 80.78.253.28 port 80 - athericeravirgilia.garage-door-repair-sf-bay-area-sac.com [pseudo-Darkleech]
- 89.108.83.41 port 80 - heals.marijuanaformedicalprofessionals.com [other]
- 95.215.108.88 port 80 - apostrophes.garagedoor-minneapolis.com [pseudo-Darkleech]
POST-INFECTION TRAFFIC FROM THE TESLACRYPT SAMPLES:
- 107.180.50.183 port 80 - emmy2015.com - POST /strbin.php
- 107.180.50.210 port 80 - nlhomegarden.com - POST /strbin.php
IMAGES
- Image: Pcaps of today's traffic filtered in Wireshark.
- Image: Injected script in page from first compromised site.
- Image: Start of injected pseudo-Darkleech script in page from second compromised site.
- Image: Start of injected pseudo-Darkleech script in page from third compromised site.
- Image: Decrypt instructions from today's TeslaCrypt malware samples.
FINAL NOTES
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.