Angler EK from 213.159.208.251 sends TeslaCrypt Ransomware

ASSOCIATED DOMAINS:

  • 213.159.208.251 – sister.elevapeelixirsandemporium.net – GET /topic/ – Angler landing page
  • 71.18.247.59 – pcgfund.com – POST /binfile.php – Post-infection traffic [TeslaCrypt]


IMAGES and DETAILS:

Shown above: Referer from compromised site to Angler landing page sister.elevapeelixirsandemporium.net


Shown above: Index page from compromised site shows iframe injection redirecting to Angler landing page


Shown above: Packet 4883 shows the Angler Flash exploit, and its payload delivery as application/octet-stream at packet 5962


Shown above: Highlighted area shows TeslaCrypt post-infection traffic to the C2 with the new URI structure /binfile.php


Shown above: TeslaCrypt ransom note


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 29d395e5c46611b03c1adaf6dd1dd232 – 2016-04-01-sister-elevapeelixirsandemporium-net-Angler-ek.swf (VirusTotal link)
  • 8e92b1e9d53112bebc4d760625a4514a – 2016-04-01-sister-elevapeelixirsandemporium-net-Bedep.dll (VirusTotal link)
  • 63fce83451fe7fc783c66290285aac74 – 2016-04-01-sister-elevapeelixirsandemporium-net-TeslaCrypt.exe (VirusTotal link)
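The following script is an added example, not part of the original write-up, showing how a defender might turn the indicators listed above (landing page host/IP, the C2 host/IP and its /binfile.php URI, and the three MD5 hashes) into a small triage tool: it parses proxy log lines, matches them against the indicators, and decides per client whether only the Angler landing page was reached or whether the TeslaCrypt C2 check-in was also seen. The log layout ("date time client dst_ip method host uri") and the sample log lines are constructed for the example; only the indicator values come from the page.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up (Angler EK -> TeslaCrypt, 2016-04-01).
INDICATORS = [
    # (stage, kind, value)
    ("angler-landing", "host", "sister.elevapeelixirsandemporium.net"),
    ("angler-landing", "ip", "213.159.208.251"),
    ("teslacrypt-c2", "host", "pcgfund.com"),
    ("teslacrypt-c2", "ip", "71.18.247.59"),
    ("teslacrypt-c2", "uri", "/binfile.php"),
]

# MD5 hashes of the exploit and payloads listed on the page.
PAYLOAD_MD5 = {
    "29d395e5c46611b03c1adaf6dd1dd232": "Angler EK exploit (.swf)",
    "8e92b1e9d53112bebc4d760625a4514a": "Bedep (.dll)",
    "63fce83451fe7fc783c66290285aac74": "TeslaCrypt (.exe)",
}

# Assumed proxy log layout: "date time client dst_ip method host uri".
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<client>\S+)\s+(?P<dst_ip>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<uri>\S+)"
)

# Constructed sample traffic; not from the original capture.
SAMPLE_LOG = """\
2016-04-01 10:15:02 10.0.0.5 198.51.100.20 GET compromised-site.example /index.html
2016-04-01 10:15:03 10.0.0.5 213.159.208.251 GET sister.elevapeelixirsandemporium.net /topic/
2016-04-01 10:15:09 10.0.0.5 71.18.247.59 POST pcgfund.com /binfile.php
2016-04-01 10:16:00 10.0.0.7 203.0.113.8 GET intranet.example /status
not a log line
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_indicators(rec):
    """Return the (stage, kind) pairs that one parsed record matches."""
    hits = []
    for stage, kind, value in INDICATORS:
        field = {"host": rec["host"], "ip": rec["dst_ip"], "uri": rec["uri"]}[kind]
        if kind == "uri":
            # Compare the path only, so a query string does not hide the match.
            matched = field.split("?", 1)[0] == value
        else:
            matched = field.lower() == value
        if matched:
            hits.append((stage, kind))
    return hits


def triage(log_text):
    """Collect matched stages per client and rate how far along the chain it got."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line, skip it
        for stage, _kind in match_indicators(rec):
            stages[rec["client"]].add(stage)
    report = {}
    for client, seen in stages.items():
        # A C2 check-in means the payload ran; a landing page alone means exposure only.
        verdict = "likely infected" if "teslacrypt-c2" in seen else "exposed to exploit kit"
        report[client] = {"stages": sorted(seen), "verdict": verdict}
    return report


def lookup_hash(md5_hex):
    """Map an MD5 (any case, surrounding whitespace allowed) to its payload label."""
    return PAYLOAD_MD5.get(md5_hex.strip().lower())


if __name__ == "__main__":
    for client, info in triage(SAMPLE_LOG).items():
        print(client, info["verdict"], info["stages"])
```

Only clients with at least one indicator hit appear in the report, so a clean host is simply absent; the hash lookup normalises case so values copied from a sandbox report or VirusTotal page match the list as written.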