2016-03-18 - ANGLER EK DATA DUMP
PCAPS AND MALWARE:
- ZIP archive of all 3 pcaps: 2016-03-18-Angler-EK-data-dump-all-3-pcaps.zip 2.7 MB (2,725,071 bytes)
- ZIP archive of the malware and artifacts: 2016-03-18-Angler-EK-data-dump-artifacts-and-malware.zip 1.5 MB (1,480,352 bytes)
ASSOCIATED DOMAINS
ANGLER EK:
- 82.146.38.171 port 80 - 161.averoncapital.info - Angler EK [other from 2016-03-17]
- 185.46.11.192 port 80 - ub.bespokebeta.info - Angler EK [other from 2016-03-18]
- 85.25.79.102 port 80 - tietokoneestakaan.psiclonegames.co.uk - Angler EK [pseudo-Darkleech from 2016-03-18]
TESLACRYPT POST-INFECTION FROM 2016-03-17:
- 174.136.12.119 port 80 - esbook.com - POST /phsys.php
- 66.147.244.86 port 80 - hmgame.net - POST /phsys.php
- 104.128.239.91 port 80 - shampooherbal.com - POST /phsys.php
TESLACRYPT POST-INFECTION FROM 2016-03-18:
- 108.167.185.237 port 80 - resumosdenovela.net - POST /phsys.php
IMAGES
Image: Pcaps for this blog entry's traffic filtered in Wireshark.
Image: Injected script in page from compromised website on 2016-03-17.
Image: Injected script in page from compromised website on 2016-03-18.
Image: Start of pseudo-Darkleech injected script in page from compromised website on 2016-03-18.
Image: Decrypt instructions from TeslaCrypt samples on 2016-03-18.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of all 3 pcaps: 2016-03-18-Angler-EK-data-dump-all-3-pcaps.zip 2.7 MB (2,725,071 bytes)
- ZIP archive of the malware and artifacts: 2016-03-18-Angler-EK-data-dump-artifacts-and-malware.zip 1.5 MB (1,480,352 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.