Angler EK from 89.108.83.14 sends TeslaCrypt – Admedia gate

ASSOCIATED DOMAINS:

  • startline-accounts.com – COMPROMISED WEB SITE
  • 93.171.217.56 – css.zolotcekristina.info /hellomylittlepiggy/ – Admedia gate
  • 89.108.83.14 – vert.bellybaby.co – ANGLER Exploit Kit
  • 62.210.141.228 – imagescroll.com POST /cgi-bin/Templates/bstr.php – Post infection traffic [TeslaCrypt]


DOMAIN HIJACKING: bellybaby.co

Shown above: bellybaby.co has a subdomain named “vert”. Ping of vert.bellybaby.co resolves to IP address 89.108.83.14. Ping of bellybaby.co resolves to IP address 50.63.202.38.


Shown above: IP address 89.108.83.14 in Russia


Shown above: IP address 50.63.202.38 in the US (GoDaddy)
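The mismatch noted above (the apex domain on a GoDaddy address, the "vert" subdomain on an unrelated Russian address) is the usual fingerprint of domain shadowing, where an attacker with stolen registrar credentials adds subdomains that point at their own infrastructure. The following script is an added example, not part of the original write-up: it compares where a subdomain resolves against where its apex domain resolves and flags the subdomain when the two share no /24. The DNS answers are constructed inline from the values in this post so the script runs offline; the `resolve` table and the naive apex extraction are assumptions to be swapped for a real resolver and the public suffix list in production use.

```python
"""
Added example: flag a subdomain whose A records live in a different /24
than the apex domain's A records (a domain-shadowing indicator).
The DNS data below is constructed from the values in the post.
"""
import ipaddress

# Constructed resolver results (apex vs. subdomain), taken from the post.
CONSTRUCTED_DNS = {
    "bellybaby.co": ["50.63.202.38"],        # apex, GoDaddy space
    "vert.bellybaby.co": ["89.108.83.14"],   # shadowed subdomain, Angler EK
    "www.bellybaby.co": ["50.63.202.38"],    # constructed benign subdomain
}


def apex_of(hostname):
    """Naive apex extraction: last two labels.

    Fine for .co/.com as in this post; a production tool would use the
    public suffix list to handle names like example.co.uk correctly.
    """
    labels = hostname.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def resolve(hostname, table=CONSTRUCTED_DNS):
    """Stand-in resolver returning ip_address objects from the constructed table."""
    return [ipaddress.ip_address(a) for a in table.get(hostname.lower(), [])]


def _slash24s(addresses):
    return {ipaddress.ip_network(f"{a}/24", strict=False) for a in addresses}


def shadowed(hostname, table=CONSTRUCTED_DNS):
    """Return True when hostname is a subdomain whose A records share no /24
    with the apex domain's A records. Apex names and unresolvable names
    return False (no evidence either way)."""
    apex = apex_of(hostname)
    if apex == hostname.lower():
        return False
    sub_nets = _slash24s(resolve(hostname, table))
    apex_nets = _slash24s(resolve(apex, table))
    if not sub_nets or not apex_nets:
        return False
    return sub_nets.isdisjoint(apex_nets)


def report(hostnames, table=CONSTRUCTED_DNS):
    """Return the subset of hostnames that look shadowed, for a triage list."""
    return [h for h in hostnames if shadowed(h, table)]


if __name__ == "__main__":
    for name in CONSTRUCTED_DNS:
        ips = ", ".join(str(a) for a in resolve(name))
        print(f"{name:22} -> {ips:16} shadowed={shadowed(name)}")
```

Running it lists vert.bellybaby.co as the only flagged name. Comparing /24s rather than exact addresses keeps a legitimately load-balanced subdomain from being flagged while still catching a subdomain parked on entirely foreign hosting; an analyst would pivot from any flagged name into the ASN and passive DNS history of the foreign address.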


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: