2016-03-28 - PSEUDO-DARKLEECH ANGLER EK FROM 185.46.10.230
PCAP AND MALWARE:
- ZIP archive with PCAP of the traffic: 2016-03-28-pseudo-Darkleech-Angler-EK-after-jacobwirth.com.pcap.zip 581.9 kB (581,875 bytes)
- ZIP archive of the malware and artifacts: 2016-03-28-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip 482.8 kB (482,794 bytes)
NOTES:
- I wrote a blog for Unit 42 about recent developments in the pseudo-Darkleech campaign (link here).
- The Flash exploit from this traffic was sent against Flash Player 20.0.0.306, which Kafeine already noted this past weekend (link here).
- Looks like TeslaCrypt is now copying its style of decrypt instructions from Locky (see images below).
TRAFFIC
- 185.46.10.230 port 80 - fromr-schuttersveld.nybanklawfirm.com - Angler EK
- 23.229.240.164 port 80 - drlarrybenovitz.com - POST /qhcka/templates/binarystings.php [TeslaCrypt post-infection traffic]
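To turn the two traffic lines above into something a SOC analyst can run over proxy logs, here is an added example (my own code, not part of the original post or the PCAP). It takes the IPs, hostnames and the TeslaCrypt POST path exactly as listed in the TRAFFIC section, parses a few constructed Squid-style log lines, and reports which internal client reached which stage of the chain. The log format, the client IPs and the Angler landing path in the sample are all assumptions; only the indicators come from the post.

```python
"""Match the Angler EK / TeslaCrypt indicators from this post against proxy logs."""
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "ip host tag")

# Indicators taken verbatim from the TRAFFIC section of the post.
INDICATORS = [
    Indicator("185.46.10.230", "fromr-schuttersveld.nybanklawfirm.com", "Angler EK"),
    Indicator("23.229.240.164", "drlarrybenovitz.com", "TeslaCrypt post-infection"),
]
# The TeslaCrypt check-in path, also listed in the post.
TESLACRYPT_POST_PATH = "/qhcka/templates/binarystings.php"

# Constructed sample proxy log lines (NOT from the PCAP). Assumed format:
# timestamp client_ip method host path status
SAMPLE_LOG = """\
1459180800.123 10.0.0.5 GET www.example.org / 200
1459180801.456 10.0.0.5 GET fromr-schuttersveld.nybanklawfirm.com /PLACEHOLDER-landing-path 200
1459180805.789 10.0.0.5 POST drlarrybenovitz.com /qhcka/templates/binarystings.php 200
1459180806.000 10.0.0.7 GET drlarrybenovitz.com /index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the indicator tag for a parsed entry, or None if nothing matches.

    The host field is compared against both the hostname and the IP, so logs
    that record direct-to-IP requests are covered too.
    """
    host = entry["host"].lower()
    for ind in INDICATORS:
        if host in (ind.host, ind.ip):
            if ind.tag.startswith("TeslaCrypt"):
                # Only the POST to the listed path is the known callback; any
                # other request to the host is reported as lower confidence.
                if entry["method"] == "POST" and entry["path"] == TESLACRYPT_POST_PATH:
                    return ind.tag + " (callback)"
                return ind.tag + " (host only)"
            return ind.tag
    return None


def scan_log(text):
    """Return a list of hits {client, host, tag} for every matching log line."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            hits.append({"client": entry["client"], "host": entry["host"], "tag": tag})
    return hits


def clients_by_stage(hits):
    """Group client IPs by the stages of the chain they were seen reaching."""
    stages = {}
    for h in hits:
        stages.setdefault(h["client"], set()).add(h["tag"])
    return stages


if __name__ == "__main__":
    for client, tags in clients_by_stage(scan_log(SAMPLE_LOG)).items():
        print(client, sorted(tags))
```

A client that shows both the Angler EK landing host and the TeslaCrypt callback POST is the one to pull off the network first; a client that only touched the hostname (the "host only" tag) is worth a look but is not proof of infection, since the same host could be visited for other reasons.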
IMAGES
Image: Start of pseudo-Darkleech injected script in page from compromised site.
Image: Angler EK sends exploit against Flash Player version 20.0.0.306.
Image: Emerging Threats signatures triggered for TeslaCrypt on the post-infection traffic.
Image: Talos signatures also triggered for TeslaCrypt on the post-infection traffic.
Image: The style of the decrypt instructions now looks like what I've seen for Locky ransomware (but it's still TeslaCrypt).
Image: Going to the decrypt instructions and getting a captcha.
Image: Final page to make your bitcoin payment for the ransom.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive with PCAP of the traffic: 2016-03-28-pseudo-Darkleech-Angler-EK-after-jacobwirth.com.pcap.zip 581.9 kB (581,875 bytes)
- ZIP archive of the malware and artifacts: 2016-03-28-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip 482.8 kB (482,794 bytes)
The ZIP files are password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.