2016-04-08 - THREE EXAMPLES OF EK TRAFFIC
PCAPS:
- ZIP archive of the pcaps: 2016-04-08-three-examples-of-EK-traffic.zip 6.8 MB (6,804,239 bytes)
- 2016-04-08-Angler-EK-causes-TeslaCrypt-infection.pcap 2.5 MB (2,451,753 bytes)
- 2016-04-08-Nuclear-EK-causes-Locky-infection.pcap 3.7 MB (3,719,803 bytes)
- 2016-04-08-Rig-EK-infection.pcap 3.0 MB (3,009,007 bytes)
NOTES:
- These pcaps go along with some information for a presentation I'm doing in June 2016 on exploit kit (EK) traffic at SANSFIRE.
- Normally, I edit the pcaps in my blog posts to strip out all unnecessary information, but not for these.
- These three pcaps represent a full infection chain, and they (hopefully) show all the traffic you'd see from full packet capture on a particular IP address.
- These pcaps also have more indicators of compromise (IOCs) than listed below.
ASSOCIATED DOMAINS:
- 85.143.218.219 - konstruieren-decisicion.rolynteam.com - Angler EK
- 146.185.133.226 - to.cleitondiasfotografia.com.br - Nuclear EK
- 188.227.19.153 - cd.homeloansmadesimple.co - Rig EK
FINAL NOTES:
Once again, here is the archive:
- ZIP archive of the pcaps: 2016-04-08-three-examples-of-EK-traffic.zip 6.8 MB (6,804,239 bytes)
The ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.