2016-02-11 - ADMEDIA ANGLER EK FROM 37.46.133[.]10 SENDS TESLACRYPT RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-02-11-Admedia-Angler-EK-sends-TeslaCrypt-ransomware.pcap.zip  763.0 kB (762,952 bytes)
• 2016-02-11-Admedia-Angler-EK-and-TeslaCrypt-ransomware-files.zip  687.0 kB (686,991 bytes)

 

NOTES:

• This is related to a massive Admedia/advertising campaign associated with WordPress sites as reported by Sucuri:

• https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html

 

CHAIN OF EVENTS

Shown above:  Today's pcap filtered in Wireshark.

 

DATE/TIME OF THE INFECTION:  2016-02-11 01:14 UTC

• www.pdcmemphis[.]com - Compromised website
• www.pdcmemphis[.]com - GET /wp-includes/js/wp-emoji-release.min.js?ver=4.3   [.js file with injected script]
• 82.196.10[.]226 port 80 - security.belayadama[.]info - Gate/redirect
• 37.46.133[.]10 port 80 - y.healing-our-deepest-wounds[.]com - Angler EK
• 62.210.92[.]9 port 80 - ladiesdehaan[.]be - TeslaCrypt ransomware callback traffic

 

Shown above:  Desktop from the infected windows host after it was rebooted.

 

Click here to return to the main page.