Angler EK from 188.120.226.212 sends TeslaCrypt – admedia

ASSOCIATED DOMAINS:

  • fatihsporsalon.com – COMPROMISED WEB SITE
  • 178.62.92.47 – img.zolotcekatya.info – admedia gate
  • 188.120.226.212 – yap.jeffreymoorepiano.com – ANGLER EK
  • 192.185.39.66 – biocarbon.com.ec – POST /wp-content/uploads/bstr.php – post-infection traffic [TeslaCrypt]

IMAGES and DETAILS:

Shown above: First I apply the http.request display filter to show only HTTP requests, then work down the chain of websites.

Shown above: Scrolling down, I see a known pattern for the “admedia” gate, img.zolotcekatya.info, followed by yap.jeffreymoorepiano.com.

Shown above: I begin the infection chain analysis by extracting the homepage for examination: File => Export Objects => HTTP

Shown above: I save the extracted file and open it with a text editor. Examination revealed a long hexadecimal JavaScript string, which I copied into a hex-to-ASCII converter.

Shown above: You can see I found the redirect to img.zolotcekatya.info, the “admedia” gate.

Shown above: Next I scroll down to img.zolotcekatya.info to determine how it redirects to yap.jeffreymoorepiano.com, which hosts the Angler exploit kit.

Shown above: After selecting Follow Stream in Wireshark you can see the Referer “fatihsporsalon.com” on the request to “img.zolotcekatya.info”.

Shown above: Definition of the Referer header, with a link to a more detailed Wikipedia article on how it works.

Shown above: Using Follow Stream in Wireshark I examined img.zolotcekatya.info. Looking at the script you can see the “%”-encoded (percent-encoded) obfuscated JavaScript and determine that it appears to be “admedia”.
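The two decoding steps in this chain (the long hexadecimal string in the compromised homepage and the “%”-encoded script on the admedia gate) can be scripted instead of pasted into an online converter. The following Python script is an added example, not part of the original write-up: it peels hex and percent-encoding layers off an extracted page until nothing changes, then lists the URLs that become visible. The two input pages are constructed samples that only reuse the hostnames from this analysis; the surrounding HTML and the hidden-iframe markup are assumptions, not the actual injected code.

```python
import re
from urllib.parse import unquote

# Decoders for the two encodings seen in this chain: a long run of hex digits
# (as on the compromised homepage) and "%"-style percent encoding (as on the
# admedia gate).  They are applied repeatedly, because injected scripts are
# often wrapped in more than one layer.
HEX_RUN = re.compile(r'(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){16,})(?![0-9A-Fa-f])')
PCT_SEQ = re.compile(r'(?:%[0-9A-Fa-f]{2})+')
URL = re.compile(r'https?://[A-Za-z0-9.\-]+(?:/[^\s"\'<>]*)?')


def _decode_hex_runs(text: str) -> str:
    """Replace runs of 32+ hex digits that decode to printable ASCII."""
    def repl(m):
        raw = bytes.fromhex(m.group(1))
        try:
            s = raw.decode('ascii')
        except UnicodeDecodeError:
            return m.group(0)
        # Hashes and other binary hex (e.g. an MD5) do not decode to printable
        # text, so they are left untouched.
        if all(ch.isprintable() or ch in '\r\n\t' for ch in s):
            return s
        return m.group(0)
    return HEX_RUN.sub(repl, text)


def _decode_percent(text: str) -> str:
    """Decode %XX sequences in place (what JavaScript's unescape() would do)."""
    return PCT_SEQ.sub(lambda m: unquote(m.group(0)), text)


def decode_layers(text: str, max_rounds: int = 5) -> str:
    """Strip hex and percent-encoding layers until the text stops changing."""
    for _ in range(max_rounds):
        new = _decode_percent(_decode_hex_runs(text))
        if new == text:
            break
        text = new
    return text


def find_redirect_targets(page: str) -> list:
    """Return the sorted set of URLs visible after decoding all layers."""
    return sorted({m.group(0) for m in URL.finditer(decode_layers(page))})


# --- constructed samples (not the real pages from the capture) ---------------
# A hidden iframe pointing at the admedia gate, hex-encoded the way the
# injected string on the compromised homepage was.  The markup is assumed.
_HIDDEN_IFRAME = ('document.write(\'<iframe src="http://img.zolotcekatya.info/" '
                  'width="1" height="1"></iframe>\')')
SAMPLE_INDEX = ('<html><body><p>Spor Salonu</p>\n'
                '<script>var s="' + _HIDDEN_IFRAME.encode().hex() + '";'
                'eval(hex2str(s));</script></body></html>')

# The gate script, percent-encoded the way the admedia gate page was.
SAMPLE_GATE = ('<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F'
               'yap.jeffreymoorepiano.com%2F%22%3E%3C%2Fiframe%3E"));</script>')

if __name__ == '__main__':
    for name, page in (('index', SAMPLE_INDEX), ('gate', SAMPLE_GATE)):
        print(name, '->', find_redirect_targets(page))
```

Run it against a file saved from File => Export Objects => HTTP by passing the file contents to find_redirect_targets(). The printable-ASCII check is what stops the hex decoder from mangling legitimate hex such as file hashes; a real injected script may also use \xNN escapes or string.fromCharCode() arrays, which would need one more decoder in decode_layers().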

 

Shown above: Continuing to scroll down, I now examine yap.jeffreymoorepiano.com. Examining the Referer, I determined that the obfuscated JavaScript from img.zolotcekatya.info did cause the redirect.

Shown above: Using the export function I extracted the suspicious Flash file (“application/x-shockwave-flash”) and noted the payload it downloaded (“application/octet-stream”).

Shown above: After extracting the Flash file and saving it with the “.swf” extension, I examined its metadata using Flare (http://www.nowrap.de/flare.html).

Having previously examined numerous Flash metadata samples provided by Brad Duncan, I determined this file to be the Angler exploit kit (EK). You can see my previous analysis at http://www.malware-traffic-analysis.net/2016/02/02/index.html.

(NOTE: It now appears that Angler, when used in conjunction with admedia, uses 2.05×1.05 px.)

Shown above: TeslaCrypt post-infection communication with a C2. “bstr.php” is a known URI pattern for TeslaCrypt.
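The whole chain described in this write-up (compromised site, admedia gate, Angler landing page, Flash exploit, binary payload, POST to bstr.php) can be checked mechanically from a list of HTTP requests rather than by scrolling through the capture. The script below is an added example and not part of the original analysis: it follows Referer headers from the compromised site to rebuild the redirect chain, and flags two of the patterns noted above (an application/octet-stream download from the same host that just served an application/x-shockwave-flash object, and a POST to a bstr.php URI). The request list is a constructed sample using the hosts and server IPs from this analysis; the client IP, the IP for fatihsporsalon.com, the request order within the landing page and the /PLACEHOLDER paths are assumptions.

```python
from collections import namedtuple
from urllib.parse import urlparse

# One HTTP request, together with the Content-Type of the response it received.
Req = namedtuple('Req', 'src dst host method uri referer resp_ctype')

# Constructed sample in the order the write-up describes.  Hosts and the
# server IPs 178.62.92.47, 188.120.226.212 and 192.185.39.66 are from the
# capture; 10.0.0.5 (client), 203.0.113.10 and the /PLACEHOLDER paths are not.
SAMPLE = [
    Req('10.0.0.5', '203.0.113.10', 'fatihsporsalon.com', 'GET', '/', '', 'text/html'),
    Req('10.0.0.5', '178.62.92.47', 'img.zolotcekatya.info', 'GET', '/',
        'http://fatihsporsalon.com/', 'text/html'),
    Req('10.0.0.5', '188.120.226.212', 'yap.jeffreymoorepiano.com', 'GET', '/',
        'http://img.zolotcekatya.info/', 'text/html'),
    Req('10.0.0.5', '188.120.226.212', 'yap.jeffreymoorepiano.com', 'GET', '/PLACEHOLDER.swf',
        'http://yap.jeffreymoorepiano.com/', 'application/x-shockwave-flash'),
    Req('10.0.0.5', '188.120.226.212', 'yap.jeffreymoorepiano.com', 'GET', '/PLACEHOLDER',
        'http://yap.jeffreymoorepiano.com/', 'application/octet-stream'),
    Req('10.0.0.5', '192.185.39.66', 'biocarbon.com.ec', 'POST', '/wp-content/uploads/bstr.php',
        '', 'text/html'),
]


def referer_chain(requests, start_host):
    """Follow Referer headers outward from start_host and return the hosts
    reached, in the order they were first reached."""
    chain = [start_host]
    seen = {start_host}
    changed = True
    while changed:
        changed = False
        for r in requests:
            ref_host = urlparse(r.referer).hostname if r.referer else None
            if ref_host in seen and r.host not in seen:
                chain.append(r.host)
                seen.add(r.host)
                changed = True
    return chain


def flag_indicators(requests):
    """Return (rule, host, uri) tuples for the two patterns described above."""
    hits = []
    flash_hosts = set()          # hosts that have already served a Flash object
    for r in requests:
        if r.resp_ctype == 'application/x-shockwave-flash':
            flash_hosts.add(r.host)
        elif r.resp_ctype == 'application/octet-stream' and r.host in flash_hosts:
            # Binary payload fetched from the same host that served the SWF:
            # the exploit-kit landing page pattern seen for Angler here.
            hits.append(('flash-then-binary', r.host, r.uri))
        if r.method == 'POST' and r.uri.rsplit('/', 1)[-1] == 'bstr.php':
            # Known TeslaCrypt post-infection URI pattern.
            hits.append(('teslacrypt-c2-uri', r.host, r.uri))
    return hits


if __name__ == '__main__':
    print(' -> '.join(referer_chain(SAMPLE, 'fatihsporsalon.com')))
    for rule, host, uri in flag_indicators(SAMPLE):
        print(f'{rule:20s} {host} {uri}')
```

To run this on a real capture, build the Req list from tshark output (for example -T fields with ip.src, ip.dst, http.host, http.request.method, http.request.uri and http.referer on the requests, joined to the http.content_type of the matching responses). The Referer-following loop is deliberately order-independent, so it still rebuilds the chain when requests are interleaved with unrelated traffic.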

 

ADDITIONAL NOTE:

I was unable to extract the TeslaCrypt payload; however, it was discovered in the Documents folder on the infected computer. You can usually find the malicious .exe by running the Windows msconfig command and looking under Startup.

Shown above: VirusTotal results for Angler

Shown above: VirusTotal results for TeslaCrypt

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

HOW DID INFECTION OCCUR:

Shown above: Examining the fatihsporsalon.com index page with a text editor, you can see “wp-content”, which indicates this website was possibly running an outdated/unpatched version of WordPress that allowed a JavaScript injection. This was a drive-by infection of a computer using an outdated Flash plugin.