2016-03-21 - ANGLER EK DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-03-21-Angler-EK-data-dump-3-pcaps.zip  3.3 MB (3,325,668 bytes)
• 2016-03-21-Angler-EK-data-dump-malware-and-artifacts.zip  1.3 MB (1,325,705 bytes)

 

ASSOCIATED DOMAINS

ANGLER EK:

• 46.30.45[.]206 port 80 - abordonar.section75[.]eu and eeuwenperustamalta.tenerifesolvencyfederation[.]co[.]uk   [pseudo-Darkleech]
• 82.146.34[.]246 port 80 - zxh.voteyourfaith[.]net   [other]

TESLACRYPT POST-INFECTION TRAFFIC:

• 50.87.127[.]96 port 80 - mkis[.]org - POST /phsys.php
• 213.186.33[.]104 port 80 - tradinbow[.]com - POST /phsys.php

BEDEP POST-INFECTION DOMAINS:

• 104.193.252[.]245 port 80 - vqpydhheirk2i[.]com
• 208.100.26[.]234 port 80 - mfhmvetuhykurke[.]com
• 195.22.28[.]199 port 80 - asozcmwuukrgydmzb[.]com
• 195.22.28[.]222 port 80 - sso.anbtr[.]com
• 195.22.28[.]196 port 80 - xsso.asozcmwuukrgydmzb[.]com
• 82.141.230[.]141 port 80 - mbeovojxluwhanww[.]com and voscngylqtnjzpe[.]com

CLICK-FRAUD TRAFFIC AFTER THE BEDEP INFECTION:

• 104.193.252[.]234 port 80 - lovelyroomsforday[.]com - GET /ads.php?sid=1826
• 89.163.240[.]118 port 80 - kjnoa9sdi3mrlsdnfi[.]com - GET /ads.php?sid=1826
• 89.163.241[.]90 port 80 - jimmymorisonguitars[.]com - GET /ads.php?sid=1826
• 85.25.41[.]95 port 80 - moregoodstafsforus[.]com - GET /ads.php?sid=1826
• 162.244.32[.]122 port 80 - daytonamagik[.]com - GET /ads.php?sid=1826

 

IMAGES

Shown above:  Traffic from the infections filtered in Wireshark.

 

Shown above:  Start of pseudo-Darkleech injected script in page from first compromised website.

 

Shown above:  Injected script in page from second compromised website.

 

Shown above:  Start of pseudo-Darkleech injected script in page from third compromised website.

 

Shown above:  Decrypt instructions from TeslaCrypt ransomware samples.

 

Click here to return to the main page.