Angler EK infection chain – with PCAP available for download

PCAP file of the infection traffic:
2016-03-25-porter-dursal-net.pcap

ASSOCIATED DOMAINS:

  • www.thestkittsnevisobserver.com – COMPROMISED SITE
  • 89.108.83.89 – porter.dursal.net – GET /topic/ – ANGLER EK LANDING PAGE
  • 104.73.195.113 – www.ecb.europa.eu – BEDEP INTERNET CHECK
  • 87.238.192.67 – videoaminproduktion.de – POST /plugins/binstr.php – POST INFECTION TRAFFIC [TeslaCrypt]


IMAGES and DETAILS:

Shown above: Compromised site index page using the Wireshark http.request filter


Shown above: Extraction of compromised site index page using Wireshark File => Export Objects => HTTP. Save as an .html file for analysis with a text editor.


Shown above: Analysis of compromised site index page in text editor shows iframe injection redirecting to Angler EK landing page


Shown above: Scanning for GET requests in the pcap file looking for the Angler EK “GET /topic/” signature or traffic pattern. Also shows the referer redirect from the compromised site to the Angler EK landing page, initiated by the injected iframe.
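An added example (not part of the original post) that automates the two checks shown above: spotting an off-site hidden iframe in the exported index page, and pairing each Angler-style "GET /topic/" request with the referer that led to it. The sample HTML and request list are constructed from the hosts and paths listed on this page; the function names and markup are assumptions.

```python
import re

# Constructed sample of an exported index page carrying a hidden off-site
# iframe; the destination host/path are the ones listed on this page.
SAMPLE_INDEX_HTML = """<html><body><h1>News</h1>
<p>Local news</p>
<iframe src="http://porter.dursal.net/topic/" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Constructed sample of HTTP requests as (host, method, uri, referer),
# mirroring the hosts and paths in the associated-domains list above.
SAMPLE_REQUESTS = [
    ("www.thestkittsnevisobserver.com", "GET", "/", None),
    ("porter.dursal.net", "GET", "/topic/", "http://www.thestkittsnevisobserver.com/"),
    ("www.ecb.europa.eu", "GET", "/", None),
    ("videoaminproduktion.de", "POST", "/plugins/binstr.php", None),
]

IFRAME_RE = re.compile(r'<iframe[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>', re.I)
HIDDEN_RE = re.compile(r'width=["\']?[01]\b|height=["\']?[01]\b|hidden|display:\s*none', re.I)


def host_of(url):
    """Strip the scheme and path from a URL, leaving the host (empty string if none)."""
    return re.sub(r"^https?://", "", url or "").split("/")[0]


def find_suspicious_iframes(html, site_host):
    """Return iframes whose src points off the site; tiny/hidden ones are the classic injection."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        tag, src = m.group(0), m.group(1)
        host = host_of(src)
        if host and host != site_host:
            hits.append({"src": src, "host": host, "hidden": bool(HIDDEN_RE.search(tag))})
    return hits


def find_landing_chain(requests, landing_path="/topic/"):
    """Flag GET requests matching the landing-page path and record the referring host."""
    chain = []
    for host, method, uri, referer in requests:
        if method == "GET" and uri.startswith(landing_path):
            chain.append({"landing_host": host, "uri": uri, "referer_host": host_of(referer) or None})
    return chain


if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_INDEX_HTML, "www.thestkittsnevisobserver.com"))
    print(find_landing_chain(SAMPLE_REQUESTS))
```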


Shown above: Extraction of flash exploit for examination


Shown above: TeslaCrypt ransom note without .html file


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: