2016-02-19 - ADMEDIA ANGLER EK DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-02-19-Admedia-Angler-EK-dump-5-pcaps.zip  3.7 MB (3,655,219 bytes)
• 2016-02-19-Admedia-Angler-EK-dump-malware-and-artifacts.zip  1.7 MB (1,684,597 bytes)

 

NOTES:

• For more background on "admedia" Angler EK, see the following posts:

• https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
• https://www.malwarebytes.com/blog/news/2016/02/nuclear-ek-leveraged-in-large-wordpress-compromise-campaign
• https://www.malwarebytes.com/blog/news/2016/02/wordpress-compromise-campaign-from-nuclear-ek-to-angler-ek
• https://isc.sans.edu/diary/Angler+exploit+kit+generated+by+admedia+gates/20741

• In all of today's "admedia" Angler EK infection chains, the compromised sites have injected script in the initial webpage.  When scrubbing the pcaps, I left out all HTTP requests for .js files from the compromised sites (which also have injected script), so I could get this out faster.

 

Shown above:  An example of injected script in pages from the compromised websites.

 

DETAILS

2016-02-19 17:19 UTC:

• davidnavia[.]com - Compromised website
• 46.101.17[.]191 port 80 - zxc.yasyka4lyamahochy[.]info - "admedia" gate
• 185.46.11[.]117 port 80 - tete.foodmateusa[.]com - Angler EK
• 108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware callback traffic

2016-02-19 17:28 UTC:

• www.alcomedicalservices[.]com - Compromised website
• 178.62.122[.]211 port 80 - css.belayamorda[.]info - "admedia" gate
• 185.46.11[.]117 port 80 - zuz.laperladeamerica[.]co - Angler EK
• 108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware callback traffic
• 103.27.60[.]14 port 80 - dongxinh[.]com - TeslaCrypt ransomware callback traffic
• 160.153.76[.]161 port 80 - iglesiaelrenacer[.]com - TeslaCrypt ransomware callback traffic

2016-02-19 17:34 UTC (no payload sent):

• divine-impressions-prophetic-art[.]com - Compromised website
• 178.62.122[.]211 port 80 - js.sinyayamorda[.]info - "admedia" gate
• 185.46.11[.]117 port 80 - zuz.laperladeamerica[.]co - Angler EK

2016-02-19 17:50 UTC:

• pyxisfinancial[.]com - Compromised website
• 178.62.122[.]211 port 80 - img.chernayamorda[.]info - "admedia" gate
• 185.46.11[.]117 port 80 - zuz.laperladeamerica[.]co - Angler EK
• 108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware callback traffic

2016-02-19 17:59 UTC:

• sangilinforma[.]com - Compromised website
• 46.101.17[.]191 port 80 - qwe.yasyka2lyamahochy[.]info - "admedia" gate
• 185.46.11[.]117 port 80 - zuz.laperladeamerica[.]co - Angler EK
• 108.174.112[.]194 port 80 - dustywinslow[.]com - TeslaCrypt ransomware callback traffic
• 103.27.60[.]14 port 80 - dongxinh[.]com - TeslaCrypt ransomware callback traffic

EXPLOITS AND MALWARE:

(read: MD5 hash   file name)

• 77733c582887592dbdbef50d8c6fbbca   2016-02-19-Admedia-Angler-EK-payload-TeslaCrypt-ransomware-after-alcomedicalservices_com.exe
• 77733c582887592dbdbef50d8c6fbbca   2016-02-19-Admedia-Angler-EK-payload-TeslaCrypt-ransomware-after-davidnavia_com.exe
• 77733c582887592dbdbef50d8c6fbbca   2016-02-19-Admedia-Angler-EK-payload-TeslaCrypt-ransomware-after-pyxisfinancial_com.exe
• 77733c582887592dbdbef50d8c6fbbca   2016-02-19-Admedia-Angler-EK-payload-TeslaCrypt-ransomware-after-sangilinforma_com.exe

• 3beef5abb528ca22bc9e8a5986e6f8e2  2016-02-19-Admedia-Angler-EK-flash-exploit-after-alcomedicalservices_com.swf
• 3beef5abb528ca22bc9e8a5986e6f8e2  2016-02-19-Admedia-Angler-EK-flash-exploit-after-davidnavia_com.swf
• e0388b4b3d29ed43c6075bf32aefda59  2016-02-19-Admedia-Angler-EK-flash-exploit-after-divine-impressions-prophetic-art_com.swf
• 3beef5abb528ca22bc9e8a5986e6f8e2  2016-02-19-Admedia-Angler-EK-flash-exploit-after-pyxisfinancial_com.swf
• 3beef5abb528ca22bc9e8a5986e6f8e2  2016-02-19-Admedia-Angler-EK-flash-exploit-after-sangilinforma_com.swf

SUMMARY OF THE "ADMEDIA" GATES FROM THESE PCAPS:

• 46.101.17[.]191 port 80 - qwe.yasyka2lyamahochy[.]info - "admedia" gate
• 46.101.17[.]191 port 80 - zxc.yasyka4lyamahochy[.]info - "admedia" gate
• 178.62.122[.]211 port 80 - css.belayamorda[.]info - "admedia" gate
• 178.62.122[.]211 port 80 - js.sinyayamorda[.]info - "admedia" gate
• 178.62.122[.]211 port 80 - img.chernayamorda[.]info - "admedia" gate

SUMMARY OF THE ANGLER EK FROM THESE PCAPS:

• 185.46.11[.]117 port 80 - tete.foodmateusa[.]com - Angler EK
• 185.46.11[.]117 port 80 - zuz.laperladeamerica[.]co - Angler EK

 

Click here to return to the main page.