Angler Exploit sends TeslaCrypt – Payload delivery application/zip

ASSOCIATED DOMAINS:

  • 185.46.11.14 – spell.elevapeelixirsandemporium.com – ANGLER LANDING PAGE
  • 23.63.179.235 – www.ecb.europa.eu – BEDEP INTERNET CONNECTION CHECK
  • 198.105.244.228 – BEDEP POST INFECTION TRAFFIC
  • 208.100.26.234 – BEDEP POST INFECTION TRAFFIC
  • 104.193.252.245 – BEDEP POST INFECTION TRAFFIC
  • 217.70.180.150 – hotcasinogames.org – POST /binfile.php – POST INFECTION TRAFFIC [TeslaCrypt]
IMAGES and DETAILS:

Shown above: Wireshark http.request filter shows compromised site Referer to Angler landing page
Shown above: Bedep post infection traffic to randomly generated domain names
Shown above: Packet 3627 Angler flash exploit. Packet 4866 shows payload delivery masked as zip file
Shown above: Angler flash exploit from packet 3627
Shown above: Packet 4866 showing the Content-Type masked as application/zip. If this were a true zip file, the first two characters of the body would be PK
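The magic-byte check the caption applies by hand to packet 4866 can be automated over extracted HTTP bodies. The following is an added example (not code from the original post); the signature table and the sample bodies are constructed for illustration, and a real deployment would read the bodies from a PCAP or proxy export.

```python
# Flag HTTP responses whose declared Content-Type does not agree with the
# leading bytes of the body (e.g. application/zip with no "PK" signature).

# Expected leading bytes per declared Content-Type (constructed, not exhaustive).
MAGIC = {
    "application/zip": [b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"],
    "application/x-shockwave-flash": [b"FWS", b"CWS", b"ZWS"],
    "application/pdf": [b"%PDF"],
}

# Executable formats a masked payload usually turns out to be.
EXECUTABLE_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}


def identify(body: bytes) -> str:
    """Coarse type label derived only from the first bytes of the body."""
    for sig, label in EXECUTABLE_MAGIC.items():
        if body.startswith(sig):
            return label
    for ctype, sigs in MAGIC.items():
        if any(body.startswith(s) for s in sigs):
            return ctype
    return "unknown"


def check_response(content_type: str, body: bytes) -> dict:
    """Compare the declared Content-Type with what the magic bytes say."""
    declared = content_type.split(";")[0].strip().lower()  # drop parameters
    actual = identify(body)
    expected = MAGIC.get(declared)
    if expected is None:
        verdict = "unchecked"  # no signature known for this declared type
    elif any(body.startswith(s) for s in expected):
        verdict = "match"
    else:
        verdict = "mismatch"  # declared type contradicted by the bytes
    return {"declared": declared, "actual": actual, "verdict": verdict}


# Constructed sample bodies: an empty but genuine zip archive (end-of-central-
# directory record) and a PE header served as application/zip, as in packet 4866.
REAL_ZIP = b"PK\x05\x06" + b"\x00" * 18
FAKE_ZIP = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for ct, body in [("application/zip", REAL_ZIP),
                     ("application/zip; charset=binary", FAKE_ZIP)]:
        print(check_response(ct, body))
```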
Shown above: TeslaCrypt post infection traffic to C2 using binfile.php URI
Shown above: TeslaCrypt ransom note
MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: