2016-02-05 - ANGLER EK FROM 148.251.249.108 SENDS CRYPTOWALL
PCAP AND MALWARE:
- ZIP archive of the above PCAP: 2016-02-05-Angler-EK-sends-CryptoWall-traffic.pcap.zip 843.0 kB (843,001 bytes)
- ZIP archive of the malware and artifacts: 2016-02-05-Angler-EK-and-CryptoWall-malware-and-artifacts.zip 407.1 kB (407,123 bytes)
NOTES:
- Parts of the injected script have changed since I last saw Angler EK from this actor on 2016-01-29.
Shown above: Start of injected script in page from the compromised website.
Shown above: End of injected script in page from the compromised website.
TRAFFIC
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- 178.33.208.103 port 80 - open-sankore.org - Compromised site
- 148.251.249.108 port 80 - woodstockdiary.bikroworkout.com - Angler EK
- 185.67.240.46 port 80 - litatex.com - CryptoWall post-infection traffic
- 212.27.63.153 port 80 - ziusphotographie.free.fr - CryptoWall post-infection traffic
- 81.169.145.161 port 80 - lasaches.com - CryptoWall post-infection traffic
- 207.58.179.240 port 80 - talaf.com - CryptoWall post-infection traffic
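The indicators above can be turned into a Wireshark display filter and into a quick triage script for the HTTP requests in the pcap. The following is an added example, not code from the original post: it embeds the IP/hostname/role list exactly as given above, builds the filter, and classifies constructed sample request records (tab-separated src, dst, Host header, URI, the shape `tshark -T fields` produces; the URIs and the 192.168.122.51 client address are made up for the example and are not from the real pcap). It also flags the two mismatches a triager wants to see: an IOC hostname served from an IP that is not on the list, and an IOC IP whose Host header differs from the listed name.

```python
"""IOC triage for the 2016-02-05 Angler EK / CryptoWall traffic (added example)."""
from dataclasses import dataclass

# Indicators exactly as listed under ASSOCIATED DOMAINS: IP -> (hostname, role).
IOCS = {
    "178.33.208.103": ("open-sankore.org", "Compromised site"),
    "148.251.249.108": ("woodstockdiary.bikroworkout.com", "Angler EK"),
    "185.67.240.46": ("litatex.com", "CryptoWall post-infection traffic"),
    "212.27.63.153": ("ziusphotographie.free.fr", "CryptoWall post-infection traffic"),
    "81.169.145.161": ("lasaches.com", "CryptoWall post-infection traffic"),
    "207.58.179.240": ("talaf.com", "CryptoWall post-infection traffic"),
}
HOST_TO_IP = {host: ip for ip, (host, _) in IOCS.items()}


def wireshark_filter(iocs=IOCS):
    """Display filter matching any IOC IP or any IOC HTTP Host header."""
    ip_terms = " or ".join(f"ip.addr == {ip}" for ip in iocs)
    host_terms = " or ".join(f'http.host == "{host}"' for host, _ in iocs.values())
    return f"({ip_terms}) or ({host_terms})"


@dataclass
class Hit:
    src: str
    dst: str
    host: str
    uri: str
    role: str
    note: str = ""


def parse_record(line):
    """Parse one constructed 'src<TAB>dst<TAB>host<TAB>uri' record."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        raise ValueError(f"expected 4 tab-separated fields, got {len(fields)}: {line!r}")
    return fields


def classify_requests(lines, iocs=IOCS):
    """Return a Hit for every request whose dst IP or Host header is an IOC.

    A match on either side is reported; a note records when the other side
    disagrees with the list (unlisted IP, or Host header differing from the
    listed hostname for that IP).
    """
    hits = []
    for line in lines:
        src, dst, host, uri = parse_record(line)
        host = host.lower()
        by_ip = iocs.get(dst)
        by_host_ip = HOST_TO_IP.get(host)
        if by_ip is None and by_host_ip is None:
            continue
        if by_ip is not None:
            role = by_ip[1]
            note = "" if by_ip[0] == host else f"Host header {host!r} differs from listed {by_ip[0]!r}"
        else:
            role = iocs[by_host_ip][1]
            note = f"hostname matched but served from unlisted IP {dst}"
        hits.append(Hit(src, dst, host, uri, role, note))
    return hits


def infection_chain(hits):
    """Distinct roles in first-seen order: the expected chain is
    compromised site -> Angler EK -> CryptoWall post-infection traffic."""
    chain = []
    for h in hits:
        if h.role not in chain:
            chain.append(h.role)
    return chain


# Constructed sample records (not from the real pcap): client, server, Host header, URI.
SAMPLE_RECORDS = [
    "192.168.122.51\t178.33.208.103\topen-sankore.org\t/",
    "192.168.122.51\t148.251.249.108\twoodstockdiary.bikroworkout.com\t/example-landing",
    "192.168.122.51\t93.184.216.34\texample.com\t/",                      # benign, no hit
    "192.168.122.51\t185.67.240.46\tlitatex.com\t/example.php",
    "192.168.122.51\t207.58.179.240\tLASACHES.COM\t/example.php",         # IP listed for talaf.com
    "192.168.122.51\t10.0.0.5\ttalaf.com\t/example.php",                  # IOC hostname, unlisted IP
]

if __name__ == "__main__":
    print(wireshark_filter())
    for hit in classify_requests(SAMPLE_RECORDS):
        print(f"{hit.src} -> {hit.dst} {hit.host}{hit.uri}  [{hit.role}] {hit.note}")
    print(infection_chain(classify_requests(SAMPLE_RECORDS)))
```

To run this against the actual pcap, export the same four fields with `tshark -r <pcap> -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri` and feed the output lines to `classify_requests`; the mismatch notes are where to look first, since the CryptoWall callback hosts are compromised sites whose hosting can change after the capture date.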
IMAGES
Shown above: The desktop of an infected Windows host.
FINAL NOTES
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.