2016-04-01 - PSEUDO DARKLEECH ANGLER EK FROM 185.82.216.45 SENDS TESLACRYPT
PCAP AND MALWARE:
- ZIP archive of the pcap: 2016-04-01-psuedo-Darkleech-Angler-EK-after-iteliness.com.mx.pcap.zip 453.4 kB (453,445 bytes)
- ZIP archive of the malware and artifacts: 2016-04-01-psuedo-Darkleech-Angler-EK-malware-and-artifacts.zip 434.0 kB (433,951 bytes)
NOTES:
- Background on the pseudo-Darkleech campaign can be found here.
- Decrypt instructions for the TeslaCrypt malware look different again. What ransomware's instructions is TeslaCrypt ripping off this time?
Shown above: The infected Windows desktop after today's TeslaCrypt infection.
TRAFFIC
Shown above: Pcap for this blog entry's traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- 185.82.216.45 port 80 - berufungsgerichten.prideas.net - Angler EK
- 71.18.247.59 port 80 - pcgfund.com - POST /binfile.php [TeslaCrypt callback traffic]
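As an added example (not code from the original post), the script below labels HTTP request metadata with the indicators listed above and checks whether the full compromised-site -> Angler EK -> TeslaCrypt-callback sequence appears in order. The tab-separated log lines and the Angler URIs are constructed for illustration, not taken from the pcap.

```python
"""Flag the pseudo-Darkleech -> Angler EK -> TeslaCrypt chain in HTTP request metadata."""
from typing import Optional

# Indicators as listed in this blog entry.
ANGLER_EK = {"ip": "185.82.216.45", "host": "berufungsgerichten.prideas.net"}
TESLACRYPT_CALLBACK = {"ip": "71.18.247.59", "host": "pcgfund.com",
                       "method": "POST", "uri": "/binfile.php"}
COMPROMISED_SITE = "iteliness.com.mx"

# Constructed sample (time, dst ip, dst port, host, method, uri), tab-separated.
# The Angler URIs are placeholders; only the hosts/IPs come from the entry.
SAMPLE_LOG = """\
14:02:11\t203.0.113.10\t80\titeliness.com.mx\tGET\t/
14:02:12\t203.0.113.10\t80\titeliness.com.mx\tGET\t/wp-content/themes/style.css
14:02:14\t185.82.216.45\t80\tberufungsgerichten.prideas.net\tGET\t/placeholder-landing
14:02:16\t185.82.216.45\t80\tberufungsgerichten.prideas.net\tGET\t/placeholder-payload
14:02:31\t71.18.247.59\t80\tpcgfund.com\tPOST\t/binfile.php
"""

STAGE_ORDER = ["compromised-site", "angler-ek", "teslacrypt-callback"]


def parse_line(line: str) -> dict:
    ts, ip, port, host, method, uri = line.rstrip("\n").split("\t")
    return {"ts": ts, "ip": ip, "port": int(port), "host": host, "method": method, "uri": uri}


def classify(req: dict) -> Optional[str]:
    """Label one request with the chain stage it matches, or None if it matches nothing."""
    if req["ip"] == ANGLER_EK["ip"] or req["host"] == ANGLER_EK["host"]:
        return "angler-ek"
    if (req["host"] == TESLACRYPT_CALLBACK["host"]
            and req["method"] == TESLACRYPT_CALLBACK["method"]
            and req["uri"] == TESLACRYPT_CALLBACK["uri"]):
        return "teslacrypt-callback"
    if req["host"] == COMPROMISED_SITE:
        return "compromised-site"
    return None


def infection_chain(log_text: str):
    """Return (stages seen in order, complete). 'complete' is True when the
    compromised-site -> Angler EK -> callback stages occur in that order."""
    seen = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        label = classify(parse_line(line))
        if label and (not seen or seen[-1] != label):  # collapse repeats of one stage
            seen.append(label)
    it = iter(seen)
    complete = all(stage in it for stage in STAGE_ORDER)  # ordered-subsequence check
    return seen, complete
```

Unrelated requests (gates, redirectors, other sites) between the stages do not break the check, since it only requires the three stages to appear in order.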
IMAGES
Shown above: Start of injected pseudo-Darkleech script in page from the compromised website.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-04-01-psuedo-Darkleech-Angler-EK-after-iteliness.com.mx.pcap.zip 453.4 kB (453,445 bytes)
- ZIP archive of the malware and artifacts: 2016-04-01-psuedo-Darkleech-Angler-EK-malware-and-artifacts.zip 434.0 kB (433,951 bytes)
The ZIP files are password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.