2016-02-11 - ADMEDIA ANGLER EK FROM 37.46.133.10 SENDS TESLACRYPT
PCAP AND MALWARE:
- ZIP archive of the above two PCAPs: 2016-02-11-Admedia-Angler-EK-traffic.pcap.zip 762.9 kB (762,912 bytes)
- ZIP archive of the malware and artifacts: 2016-02-11-Admedia-Angler-EK-malware-and-artifacts.zip 685.7 kB (685,743 bytes)
NOTES:
- This is related to a massive Admedia/advertising campaign associated with WordPress sites as reported by Sucuri:
CHAIN OF EVENTS
Shown above: Today's pcap filtered in Wireshark.
DATE/TIME OF THE INFECTION: 2016-02-11 01:14 UTC
- www.pdcmemphis.com - Compromised website
- www.pdcmemphis.com - GET /wp-includes/js/wp-emoji-release.min.js?ver=4.3 [.js file with injected script]
- 82.196.10.226 port 80 - security.belayadama.info - Gate/redirect
- 37.46.133.10 port 80 - y.healing-our-deepest-wounds.com - Angler EK
- 62.210.92.9 port 80 - ladiesdehaan.be - TeslaCrypt callback traffic
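As an added example (not part of the original post), the script below correlates constructed HTTP request records against the four stages listed above, so the compromised site, gate, Angler EK and TeslaCrypt callback are reported as one incident per client instead of four unrelated hits; a client that only loads the WordPress site and its injected wp-emoji script (which every visitor does) is deliberately not flagged. The record layout, client IPs and the "/" paths for the gate and EK requests are assumptions, since the post does not list those URIs.

```python
# Added example: correlate request records against the chain of events above.
from datetime import datetime

# Stage definitions taken from the chain of events documented on this page.
# A None path means "any request to this host".
STAGES = [
    ("compromised_site", "www.pdcmemphis.com", "/wp-includes/js/wp-emoji-release.min.js"),
    ("gate", "security.belayadama.info", None),
    ("angler_ek", "y.healing-our-deepest-wounds.com", None),
    ("teslacrypt_callback", "ladiesdehaan.be", None),
]
CHAIN_ORDER = [name for name, _, _ in STAGES]


def match_stage(host, path):
    """Return the stage name a (host, path) request belongs to, or None."""
    for name, ioc_host, ioc_path in STAGES:
        if host == ioc_host and (ioc_path is None or path.startswith(ioc_path)):
            return name
    return None


def correlate(records, window_s=600):
    """records: (timestamp 'YYYY-MM-DD HH:MM:SS', client_ip, host, path) tuples.
    Returns {client_ip: [stages in order]} only for clients that progressed
    through at least two stages, in chain order, within window_s seconds."""
    by_client = {}
    for ts, client, host, path in sorted(records, key=lambda r: r[0]):
        stage = match_stage(host, path)
        if stage is None:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        first_seen, stages = by_client.setdefault(client, (t, []))
        if (t - first_seen).total_seconds() <= window_s and stage not in stages:
            stages.append(stage)
    # Keep only clients whose stages are a prefix of the full chain (length >= 2).
    return {c: s for c, (_, s) in by_client.items()
            if len(s) >= 2 and s == CHAIN_ORDER[:len(s)]}


# Constructed sample records (not extracted from the pcap); "/" paths are placeholders.
SAMPLE = [
    ("2016-02-11 01:14:02", "192.168.122.57", "www.pdcmemphis.com", "/"),
    ("2016-02-11 01:14:03", "192.168.122.57", "www.pdcmemphis.com", "/wp-includes/js/wp-emoji-release.min.js?ver=4.3"),
    ("2016-02-11 01:14:05", "192.168.122.57", "security.belayadama.info", "/"),
    ("2016-02-11 01:14:09", "192.168.122.57", "y.healing-our-deepest-wounds.com", "/"),
    ("2016-02-11 01:14:41", "192.168.122.57", "ladiesdehaan.be", "/"),
    ("2016-02-11 01:20:10", "192.168.122.88", "www.pdcmemphis.com", "/"),  # ordinary visitor
    ("2016-02-11 01:20:11", "192.168.122.88", "www.pdcmemphis.com", "/wp-includes/js/wp-emoji-release.min.js?ver=4.3"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```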
Shown above: Desktop from the infected windows host after it was rebooted.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the above two PCAPs: 2016-02-11-Admedia-Angler-EK-traffic.pcap.zip 762.9 kB (762,912 bytes)
- ZIP archive of the malware and artifacts: 2016-02-11-Admedia-Angler-EK-malware-and-artifacts.zip 685.7 kB (685,743 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.