Malware-Traffic-Analysis.net - 2016-04-06 - pseudo-Darkleech Angler EK from 85.143.223.178 sends TeslaCrypt

2016-04-06 - PSEUDO DARKLEECH ANGLER EK FROM 85.143.223.178 SENDS TESLACRYPT

PCAP AND MALWARE:

NOTES:

In today's example, it looks like the Angler EK landing page URL format changed.
Kafeine tweeted about the URL change earlier today at: https://twitter.com/kafeine/status/717733717041672192.
Background on the pseudo-Darkleech campaign can be found here.

2016-04-06-TeslaCrypt-decrypt-instructions-after-pseudo-Darkleech-Angler-EK-after-latchamgallery.ca.txt (2,816 bytes)
2016-04-06-page-from-latchamgallery.ca-with-injected-Darkleech-script.txt (45,306 bytes)
2016-04-06-pseudo-Darkleech-Angler-EK-flash-exploit-after-latchamgallery.ca.swf (37,642 bytes)
2016-04-06-pseudo-Darkleech-Angler-EK-landing-page-after-latchamgallery.ca.txt (217,935 bytes)
2016-04-06-pseudo-Darkleech-Angler-EK-payload-TeslaCrypt-after-latchamgallery.ca.exe (390,144 bytes)

Shown above: Pcap for this blog entry's traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

85.143.223.178 port 80 - odstac.brewerstreetsoho.uk - Angler EK
72.41.18.212 port 80 - traditions-and-custom.com - POST /strfile.php - TeslaCrypt callback traffic

Shown above: Start of injected pseudo-Darkleech script in page from the compromised website.

Shown above: Decrypt instructions (the text file) caused by the TeslaCrypt ransomware.

Once again, here are the associated files:

The ZIP files are password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.