Malware-Traffic-Analysis.net - 2016-02-18

2016-02-18 - ANGLER EK DATA DUMP

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-02-18 19:40 UTC:

www.batasnatin[.]com - Compromised site
91.219.236[.]133 port 80 - klientene-spanwijd.str8firefarms[.]com - Angler EK
108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware post-infection callback

2016-02-18 19:48 UTC:

www.pepiusa[.]com - Compromised site
91.219.236[.]133 port 80 - klientene-spanwijd.str8firefarms[.]com - Angler EK
108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware post-infection callback

2016-02-18 19:55 UTC

anticruelty[.]org - Compromised site
178.62.122[.]211 port 80 - css.belayamorda[.]info - Admedia gate
185.46.11[.]114 port 80 - de.aacon-crete[.]com - Angler EK
108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware post-infection callback
103.27.60[.]14 port 80 - dongxinh[.]com - TeslaCrypt ransomware post-infection callback

2016-02-18 21:25 UTC:

emco-williams[.]com - Compromised site
85.93.0[.]32 port 80 - 14s.syte4[.]com - EITest gate
80.87.201[.]26 port 80 - type.jennymilam[.]info - Angler EK
108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware post-infection callback

2016-02-18 21:37 UTC:

www.burnsharris[.]com - Compromised site
195.128.125[.]187 port 80 - ddebry.murderedoutclothing[.]com - Angler EK
108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware post-infection callback

2016-02-18 21:45 UTC:

www.strategiccs[.]org - Compromised site
195.128.125[.]187 port 80 - ddebry.murderedoutclothing[.]com - Angler EK
108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware post-infection callback

2016-02-18 21:53 UTC:

www.rimex[.]com - Compromised site
91.219.236[.]133 port 80 - sacrificing-1romeuf.540tutor[.]com - Angler EK
108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware post-infection callback

ANGLER EK FROM THE ABOVE PCAP FILES:

ANGLER EK PAYLOAD - TESLACRYPT RANSOMWARE (MD5 hash - file name):

05a08edc0563ec9bc691a0b1abcccb5a - 2016-02-18-Angler-EK-payload-TeslaCrypt-ransomware-after-burnsharris_com.exe
05a08edc0563ec9bc691a0b1abcccb5a - 2016-02-18-Angler-EK-payload-TeslaCrypt-ransomware-after-rimex_com.exe
05a08edc0563ec9bc691a0b1abcccb5a - 2016-02-18-Angler-EK-payload-TeslaCrypt-ransomware-after-strageticcs_org.exe
5080413aa7e033dfe4d93c27162770c3 - 2016-02-18-Admedia-Angler-EK-payload-TeslaCrypt-ransomware-after-anticruelty_org.exe
6fda5dbac0edb8380007cb8f53c85c9f - 2016-02-18-Angler-EK-payload-TeslaCrypt-ransomware-after-batasnatin_com.exe
6fda5dbac0edb8380007cb8f53c85c9f - 2016-02-18-Angler-EK-payload-TeslaCrypt-ransomware-after-pepiusa_com.exe
ac5942f452e1e3cfdeaf7673b0646d48 - 2016-02-18-EITest-Angler-EK-payload-TeslaCrypt-ransomware-after-emco-williams_com.exe

FLASH EXPLOITS (MD5 hash - file name):

3b08cd536d0e7c55a85ede0b9e6a5f2a - 2016-02-18-Angler-EK--flash-exploit-after-rimex_com.swf
3b08cd536d0e7c55a85ede0b9e6a5f2a - 2016-02-18-Angler-EK-flash-exploit-after-batasnatin_com.swf
3b08cd536d0e7c55a85ede0b9e6a5f2a - 2016-02-18-Angler-EK-flash-exploit-after-burnsharris_com.swf
6028c0e05e1e57e410a0d1b48f9c448f - 2016-02-18-Angler-EK-flash-exploit-after-pepiusa_com.swf
6028c0e05e1e57e410a0d1b48f9c448f - 2016-02-18-Angler-EK-flash-exploit-after-strageticcs_org.swf
7a0e71a38019d8cf449f8329aeb69075 - 2016-02-18-Admedia-Angler-EK--flash-exploit-after-anticruelty_org.swf
7a0e71a38019d8cf449f8329aeb69075 - 2016-02-18-EITest-Angler-EK-flash-exploit-after-emco-williams_com.swf

Click here to return to the main page.