2016-04-08 - THREE EXAMPLES OF EXPLOIT KIT (EK) TRAFFIC
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-04-08-three-examples-of-EK-traffic.zip 6.8 MB (6,804,239 bytes)
- 2016-04-08-Angler-EK-sends-TeslaCrypt-ransomware.pcap 2.5 MB (2,451,753 bytes)
- 2016-04-08-Nuclear-EK-sends-Locky-ransomware.pcap 3.7 MB (3,719,803 bytes)
- 2016-04-08-Rig-EK-traffic.pcap 3.0 MB (3,009,007 bytes)
NOTES:
- These pcaps go along with some information for a presentation I'm doing in June 2016 on exploit kit (EK) traffic at SANSFIRE 2016.
- Normally, I edit the pcaps in my blog posts to strip out all unnecessary information, but not for these.
- These three pcaps represent a full infection chain, and they (hopefully) show all the traffic you'd see from full packet capture on a particular IP address.
ASSOCIATED DOMAINS:
- 85.143.218[.]219 - konstruieren-decisicion.rolynteam[.]com - Angler EK traffic
- 146.185.133[.]226 - to.cleitondiasfotografia[.]com[.]br - Nuclear EK traffic
- 188.227.19[.]153 - cd.homeloansmadesimple[.]co - Rig EK traffic
- Note: The above is not a complete list of indicators from the pcaps.
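- Added example (not part of the original post): the indicators above are written in defanged form ("[.]" for "."), so before they can be matched against your own logs they have to be refanged. The script below refangs the page's six indicators, then scans a small, constructed proxy-log sample (not taken from the pcaps) and reports which log lines touch which EK family. It also shows the edge case worth getting right in this kind of matching: a host that merely ends with the same characters as an indicator ("notrolynteam.com") must not count as a hit. The log format and all sample lines are assumptions for illustration.

```python
import re
from collections import defaultdict

# Indicators as listed on this page, kept in their defanged form;
# the values are the EK family the page attributes them to.
DEFANGED_IOCS = {
    "85.143.218[.]219": "Angler EK",
    "konstruieren-decisicion.rolynteam[.]com": "Angler EK",
    "146.185.133[.]226": "Nuclear EK",
    "to.cleitondiasfotografia[.]com[.]br": "Nuclear EK",
    "188.227.19[.]153": "Rig EK",
    "cd.homeloansmadesimple[.]co": "Rig EK",
}

# Common defanging conventions: "[.]", "(.)", "{.}" and "hxxp://".
_DEFANG_DOT = re.compile(r"[\[\(\{]\.[\]\)\}]")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its literal form."""
    s = _DEFANG_DOT.sub(".", ioc.strip())
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def build_lookup(defanged=DEFANGED_IOCS) -> dict:
    """Map refanged, lowercased indicator -> EK family."""
    return {refang(k).lower(): v for k, v in defanged.items()}


# Constructed proxy-log sample (NOT from the pcaps): date, time, client IP, server IP, host.
SAMPLE_LOG = """\
2016-04-08 14:02:11 10.0.0.15 85.143.218.219 konstruieren-decisicion.rolynteam.com
2016-04-08 14:02:13 10.0.0.15 93.184.216.34 example.com
2016-04-08 14:05:40 10.0.0.22 188.227.19.153 cd.homeloansmadesimple.co:80
2016-04-08 14:06:01 10.0.0.22 146.185.133.226 to.cleitondiasfotografia.com.br
2016-04-08 14:07:09 10.0.0.31 203.0.113.9 notrolynteam.com
"""


def _candidates(token: str):
    """Yield the token itself and, for a "host:port" token, the bare host,
    so IPs and hosts match regardless of how the log records them."""
    t = token.lower()
    yield t
    if t.count(":") == 1:
        yield t.split(":", 1)[0]


def scan_log(text: str, lookup: dict = None):
    """Return (line_no, indicator, family) for every indicator seen in the log.

    A host matches if it equals an indicator or is a subdomain of it
    (ends with "." + indicator); a look-alike suffix such as
    "notrolynteam.com" does not match.
    """
    lookup = lookup or build_lookup()
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()  # report each indicator once per line
        for token in line.split():
            for cand in _candidates(token):
                for ioc, family in lookup.items():
                    if (cand == ioc or cand.endswith("." + ioc)) and ioc not in seen:
                        seen.add(ioc)
                        hits.append((line_no, ioc, family))
    return hits


def summarize(hits):
    """Group hits by EK family -> sorted list of affected log line numbers."""
    by_family = defaultdict(set)
    for line_no, _, family in hits:
        by_family[family].add(line_no)
    return {fam: sorted(lines) for fam, lines in by_family.items()}


if __name__ == "__main__":
    for line_no, ioc, family in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ioc} ({family})")
    print(summarize(scan_log(SAMPLE_LOG)))
```

- Usage note: the IP indicators are the more fragile half of the list, since EK gates and landing hosts rotate quickly; the domain match with the subdomain rule is the part worth keeping in a longer-lived watchlist, and the "not a complete list" caveat above applies to anything built from it.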
