Angler EK from 18.104.22.168 sends TeslaCrypt – admedia
- fatihsporsalon.com – COMPROMISED WEB SITE
- 22.214.171.124 – img.zolotcekatya.info – admedia gate
- 126.96.36.199 – yap.jeffreymoorepiano.com – ANGLER EK
- 188.8.131.52 – biocarbon.com.ec POST /wp-content/uploads/bstr.php –post infection traffic [TeslaCrypt]
IMAGES and DETAILS:
Shown above: Definition of Referer and link to a more detailed article on how it works Wikipedia
Shown above: After extracting the flash file and saving it with the “swf” file extension I examined the meta data I extracted using Flare (http://www.nowrap.de/flare.html).
Having previously examined numerous flash meta data provide by Brad Duncan, I determined this file to be the Angler exploit kit (EK). You can see my previous analysis at http://www.malware-traffic-analysis.net/2016/02/02/index.html.
(NOTE: It now appears Angler when used in conjunction with admedia uses a 2.05×1.05 px.)
I was unable to extract the TeslaCrypt payload however it was discovered in the Documents folder on the infected computer. You could usually discover the malicious .exe using the Windows msconfig command and looking in Startup.
MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:
- 1b9f35357e9282de8ba526ce86a21b00 – 02-28-2016-angler2.swf
Virus Total Link
- 7adf521839cdec9e9dbde58214f39444 – 02-28-2016-teslacrypt2
Virus Total Link
HOW DID INFECTION OCCUR:
Shown above: Examination of fatihsporsalon.com index page with a text editor you can see “wp-content” which confirms this website was possibly running an outdated/un-patched version of WordPress allowing for a javascipt injection. This was a drive-by infection to a computer using an outdated flash plugin.