Angler EK sends Bedep – TeslaCrypt – No ransom HTML

NOTES:
In this infection chain TeslaCrypt did not install an .html ransom note. In past infections TeslaCrypt normally drops ransom notes in .html, .png and .txt form. It also appears this site was compromised via its control panel, due to the redirect coming from a sub-domain.


ASSOCIATED DOMAINS:

  • www.veriu.info – COMPROMISED SITE
  • 78.46.195.163 – ads.veriu.info – GET /veriuads/www/delivery/afr.php? – SUB-DOMAIN REDIRECT TO GATE
  • 85.93.0.34 – forum.kivu.co.uk – EITEST GATE TO ANGLER EK
  • 89.108.83.89 – sick.harrykainth.ca – GET /topic/ – ANGLER EK LANDING PAGE
  • 87.238.192.67 – videoaminproduktion.de – POST /plugins/binstr.php – POST INFECTION TRAFFIC [TeslaCrypt]
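To make the chain above usable for detection, here is an added example (not part of the original post) that stage-matches HTTP proxy log lines against the indicators listed: host, destination IP, method and URI path for each hop, then checks whether each hop's Referer names the previous hop's host, which distinguishes one redirect chain from unrelated visits. The indicator values are the ones on the page; the log format, the sample lines, the gate's URI path and the compromised site's IP (a TEST-NET placeholder) are constructed for illustration.

```python
"""Stage-match proxy log lines against the Angler EK / TeslaCrypt chain.

Added example, not code from the original post. Indicators (hosts, IPs,
paths, methods) come from the page's ASSOCIATED DOMAINS list; the log
format and sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# (stage label, host, dst IP or None, method or None, path prefix or None).
# The compromised site's IP and the EITest gate's path are not on the page,
# so those fields are left as None and not matched.
STAGES = [
    ("compromised_site", "www.veriu.info", None, None, None),
    ("subdomain_redirect", "ads.veriu.info", "78.46.195.163", "GET",
     "/veriuads/www/delivery/afr.php"),
    ("eitest_gate", "forum.kivu.co.uk", "85.93.0.34", None, None),
    ("angler_landing", "sick.harrykainth.ca", "89.108.83.89", "GET", "/topic/"),
    ("post_infection_teslacrypt", "videoaminproduktion.de", "87.238.192.67",
     "POST", "/plugins/binstr.php"),
]

# Constructed log format: "<ts> <src_ip> <dst_ip> <method> <host> <path> <referer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample traffic: one victim (10.0.0.5) walking the full chain,
# with one unrelated request (www.example.com) mixed in.
SAMPLE_LOG = """\
2016-02-01T10:00:01 10.0.0.5 203.0.113.10 GET www.veriu.info / -
2016-02-01T10:00:02 10.0.0.5 78.46.195.163 GET ads.veriu.info /veriuads/www/delivery/afr.php?zoneid=1 http://www.veriu.info/
2016-02-01T10:00:03 10.0.0.5 85.93.0.34 GET forum.kivu.co.uk /some/page.php http://ads.veriu.info/veriuads/www/delivery/afr.php
2016-02-01T10:00:04 10.0.0.5 89.108.83.89 GET sick.harrykainth.ca /topic/ http://forum.kivu.co.uk/
2016-02-01T10:00:05 10.0.0.5 198.51.100.7 GET www.example.com /index.html -
2016-02-01T10:00:20 10.0.0.5 87.238.192.67 POST videoaminproduktion.de /plugins/binstr.php -
"""


@dataclass
class Hit:
    ts: str
    stage: str
    host: str
    referer: str


def match_line(line: str) -> Optional[Hit]:
    """Return the chain stage a log line matches, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, _src, dst, method, host, path, referer = m.groups()
    path_only = path.split("?", 1)[0]          # ignore query string
    for label, ind_host, ind_ip, ind_method, ind_path in STAGES:
        if host.lower() != ind_host:
            continue
        if ind_ip and dst != ind_ip:
            continue
        if ind_method and method.upper() != ind_method:
            continue
        if ind_path and not path_only.startswith(ind_path):
            continue
        return Hit(ts, label, host, referer)
    return None


def reconstruct_chain(lines: Iterable[str]) -> dict:
    """Order the matched stages and count Referer-linked hops."""
    hits = [h for h in map(match_line, lines) if h is not None]
    stages = []
    for h in hits:
        if h.stage not in stages:
            stages.append(h.stage)
    # A hop whose Referer names the previous hop's host is evidence the two
    # requests belong to one redirect chain rather than separate browsing.
    linked = sum(
        1 for prev, cur in zip(hits, hits[1:])
        if prev.host.lower() in cur.referer.lower()
    )
    return {
        "stages": stages,
        "referer_linked_hops": linked,
        "reached_landing": "angler_landing" in stages,
        "post_infection_callback": "post_infection_teslacrypt" in stages,
    }


if __name__ == "__main__":
    for key, value in reconstruct_chain(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The POST to binstr.php is the hop a defender should weight most heavily: a landing-page hit alone only proves the victim was served the exploit kit, while the callback indicates the payload executed. That hop carries no Referer, which is why the script counts linked hops separately instead of requiring every stage to chain.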

IMAGES and DETAILS:

Shown above: Redirect from compromised site sub-domain to redirect gate


Shown above: Ransom note in form of .png and .txt


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: