2016-02-12 - TWO INFECTIONS WITH ANGLER EK DELIVERING TESLACRYPT RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-02-12-Angler-EK-sends-TeslaCrypt-ransomware-2-pcaps.zip 2.5 MB (2,516,590 bytes)
- 2016-02-12-Angler-EK-and-TelsaCrypt-ransomware-files.zip 1.3 MB (1,270,075 bytes)
NOTES:
- Both Angler EK infections delivered TeslaCrypt ransomware with the same file size but different file hashes.
- The first pcap is an example of Admedia Angler EK as reported by Sucuri at https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
- The second pcap shows a compromised website with injected script leading directly to Angler EK (no gate). The injected script follows a pattern I've documented in previous blog entries.
CHAIN OF EVENTS
DATE/TIME OF FIRST PCAP (ADMEDIA ANGLER EK): 2016-02-12 23:06 UTC
- vipcinegraphy[.]my - Compromised website
- 37.139.3[.]85 port 80 - js.goltayamorda[.]info - Admedia-related gate
- 82.146.33[.]44 port 80 - roof.bravoincorporated[.]com - Angler EK
- 185.98.6[.]107 port 80 - vostorgspa[.]kz - TeslaCrypt ransomware post-infection traffic
DATE/TIME OF SECOND PCAP (OTHER ANGLER EK): 2016-02-12 23:15 UTC
- www.askcomputers[.]ca - Compromised website
- 185.49.68[.]113 port 80 - xfoobartoernblo.play-english-game[.]com - Angler EK
- 185.98.6[.]107 port 80 - vostorgspa[.]kz - TeslaCrypt ransomware post-infection traffic

Shown above: Injected script in page from www.askcomputers[.]ca.
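One way to put the indicators above to defensive use, as an added example that is not from this blog or its pcaps: refang the hosts and IPs, tag matching proxy-log entries with their stage in the chain, and triage each client by how far along the chain it got. The proxy-log format, the client addresses and the non-indicator destination IPs are constructed for illustration.

```python
from collections import defaultdict
# Indicators transcribed from the chain of events above, kept defanged as on the page.
CHAIN = [
    ("compromised site", "vipcinegraphy[.]my", None),
    ("Admedia gate", "js.goltayamorda[.]info", "37.139.3[.]85"),
    ("Angler EK", "roof.bravoincorporated[.]com", "82.146.33[.]44"),
    ("TeslaCrypt post-infection", "vostorgspa[.]kz", "185.98.6[.]107"),
    ("compromised site", "www.askcomputers[.]ca", None),
    ("Angler EK", "xfoobartoernblo.play-english-game[.]com", "185.49.68[.]113"),
]
# Stage lookup keyed by refanged hostname and by IP, so a log line still matches
# when the Host header is absent (e.g. a raw connection log).
STAGE_BY_IOC = {}
for stage, host, ip in CHAIN:
    STAGE_BY_IOC[host.replace("[.]", ".")] = stage
    if ip:
        STAGE_BY_IOC[ip.replace("[.]", ".")] = stage
# Constructed sample proxy log (not from the pcaps): "time client dst-ip host path"
SAMPLE_LOG = """\
23:06:01 10.0.0.5 198.51.100.10 vipcinegraphy.my /
23:06:02 10.0.0.5 37.139.3.85 js.goltayamorda.info /admedia.js
23:06:04 10.0.0.5 82.146.33.44 roof.bravoincorporated.com /forums/landing.php
23:06:11 10.0.0.5 185.98.6.107 vostorgspa.kz /wp-content/plugins/x.php
23:15:30 10.0.0.9 198.51.100.11 www.askcomputers.ca /
23:15:31 10.0.0.9 185.49.68.113 - /index.php
"""
def stages_per_client(log_text):
    """Map each client IP to the ordered list of chain stages it touched."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, client, dst_ip, host, _path = fields
        stage = STAGE_BY_IOC.get(host) or STAGE_BY_IOC.get(dst_ip)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)
def triage(log_text):
    """Post-infection traffic means infected; EK contact alone may be a failed exploit."""
    verdict = {}
    for client, stages in stages_per_client(log_text).items():
        if "TeslaCrypt post-infection" in stages:
            verdict[client] = "infected"
        elif "Angler EK" in stages:
            verdict[client] = "ek-contact"
        else:
            verdict[client] = "compromised-site-only"
    return verdict
```

A client whose only hits are the compromised site and the EK landing page is worth a closer look in the pcap, since the exploit may have failed or the payload may have called back somewhere not yet on the indicator list.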
