2016-03-21 - ANGLER EK DATA DUMP

PCAPS AND MALWARE:

• ZIP archive of all 3 pcaps:  2016-03-21-Angler-EK-data-dump-all-3-pcaps.zip  3.3 MB (3,325,256 bytes)
• ZIP archive of the malware and artifacts:  2016-03-21-Angler-EK-data-dump-malware-and-artifacts.zip  1.3 MB (1,324,133 bytes)

 

ASSOCIATED DOMAINS

ANGLER EK:

• 46.30.45.206 port 80 - abordonar.section75.eu and eeuwenperustamalta.tenerifesolvencyfederation.co.uk   [pseudo-Darkleech]
• 82.146.34.246 port 80 - zxh.voteyourfaith.net   [other]

TESLACRYPT POST-INFECTION TRAFFIC:

• 50.87.127.96 port 80 - mkis.org - POST /phsys.php
• 213.186.33.104 port 80 - tradinbow.com - POST /phsys.php

BEDEP POST-INFECTION DOMAINS:

• 104.193.252.245 port 80 - vqpydhheirk2i.com
• 208.100.26.234 port 80 - mfhmvetuhykurke.com
• 195.22.28.199 port 80 - asozcmwuukrgydmzb.com
• 195.22.28.222 port 80 - sso.anbtr.com
• 195.22.28.196 port 80 - xsso.asozcmwuukrgydmzb.com
• 82.141.230.141 port 80 - mbeovojxluwhanww.com and voscngylqtnjzpe.com

CLICK-FRAUD TRAFFIC AFTER THE BEDEP INFECTION:

• 104.193.252.234 port 80 - lovelyroomsforday.com - GET /ads.php?sid=1826
• 89.163.240.118 port 80 - kjnoa9sdi3mrlsdnfi.com - GET /ads.php?sid=1826
• 89.163.241.90 port 80 - jimmymorisonguitars.com - GET /ads.php?sid=1826
• 85.25.41.95 port 80 - moregoodstafsforus.com - GET /ads.php?sid=1826
• 162.244.32.122 port 80 - daytonamagik.com - GET /ads.php?sid=1826

 

IMAGES

Shown above:  Pcaps for this blog entry's traffic filtered in Wireshark.

 

Shown above:  Start of pseudo-Darkleech injected script in page from first compromised website.

 

Shown above:  Injected script in page from second compromised website.

 

Shown above:  Start of pseudo-Darkleech injected script in page from third compromised website.

 

Shown above:  Decrypt instructions from TeslaCrypt samples.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of all 3 pcaps:  2016-03-21-Angler-EK-data-dump-all-3-pcaps.zip  3.3 MB (3,325,256 bytes)
• ZIP archive of the malware and artifacts:  2016-03-21-Angler-EK-data-dump-malware-and-artifacts.zip  1.3 MB (1,324,133 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.