2016-06-03 Angler Exploit Kit sends Kronos


NOTES:


ASSOCIATED DOMAINS:

  • 85.93.0.72 – zdiore.tk – EITEST GATE
  • 93.115.38.104 – unt8p2.cemitanledhers.xyz – Angler EK LANDING PAGE
  • 46.30.45.9 – BUYCOOLMATTER.INFO – POST /X5YofLgo/connect.php – Kronos Check-In Command and Control (C2)


IMAGES and DETAILS:

Shown above: EITEST gate using the .tk top-level domain (TLD) and Angler exploit kit landing page using the .xyz TLD


Shown above: Script on EITEST gate redirecting to the Angler EK landing page


Shown above: Kronos post-infection check-in traffic to Command and Control using a known URI structure, connect.php
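As an added example (not part of the original post), the script below runs the indicators from the ASSOCIATED DOMAINS list and the connect.php check-in pattern over a few constructed proxy log lines. The log format ("timestamp client_ip server_ip METHOD url status"), the sample lines and the benign hosts are assumptions for the example; only the IPs, domains and the /X5YofLgo/connect.php URI come from the post.

```python
#!/usr/bin/env python3
"""Match proxy log lines against the indicators listed in this post (added example)."""
import re
from urllib.parse import urlsplit

# Indicators copied from the post's ASSOCIATED DOMAINS list, keyed by IP or hostname.
INDICATORS = {
    "85.93.0.72": "EITest gate",
    "zdiore.tk": "EITest gate",
    "93.115.38.104": "Angler EK landing page",
    "unt8p2.cemitanledhers.xyz": "Angler EK landing page",
    "46.30.45.9": "Kronos C2",
    "buycoolmatter.info": "Kronos C2",
}

# Kronos check-in traffic in the capture is a POST whose URI ends in connect.php; the
# leading directory (/X5YofLgo/ here) is treated as variable, so only the filename is matched.
KRONOS_CHECKIN_PATH = re.compile(r"/connect\.php$")

# Log format assumed for this example: "timestamp client_ip server_ip METHOD url status".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<server>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_line(line):
    """Return (client_ip, host, [labels]) for a parsable line, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    labels = []
    # Exact match on the destination hostname or server IP from the indicator list.
    for key in (host, m["server"]):
        if key in INDICATORS and INDICATORS[key] not in labels:
            labels.append(INDICATORS[key])
    # Behavioural match: POST to .../connect.php, the check-in shape seen in the capture.
    # On its own this is a weak signal and is labelled separately from the IOC hits.
    if m["method"] == "POST" and KRONOS_CHECKIN_PATH.search(parts.path):
        labels.append("connect.php POST (Kronos check-in pattern)")
    return m["client"], host, labels


def scan(lines):
    """Return only the lines that triggered at least one label, in log order."""
    hits = []
    for line in lines:
        result = classify_line(line)
        if result and result[2]:
            hits.append(result)
    return hits


# Constructed sample log for the example; not taken from the post's capture.
SAMPLE_LOG = """\
2016-06-03T10:00:01 10.0.0.5 203.0.113.10 GET http://www.example.com/index.html 200
2016-06-03T10:00:04 10.0.0.5 85.93.0.72 GET http://zdiore.tk/ 200
2016-06-03T10:00:05 10.0.0.5 93.115.38.104 GET http://unt8p2.cemitanledhers.xyz/ 200
2016-06-03T10:00:21 10.0.0.5 46.30.45.9 POST http://buycoolmatter.info/X5YofLgo/connect.php 200
2016-06-03T10:00:30 10.0.0.7 198.51.100.20 POST http://other.example.net/abc/connect.php 404
2016-06-03T10:00:31 10.0.0.7 198.51.100.20 GET http://other.example.net/connect.php 200
""".splitlines()

if __name__ == "__main__":
    for client, host, labels in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(labels)}")
```

The IOC matches name the stage of the chain (gate, landing page, C2) so a single client hitting all three in sequence stands out, while a connect.php POST to an unlisted host is reported with its own label rather than being silently treated as Kronos.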


Shown above: Windows Registry entry associated with Kronos infection


Shown above: Kronos executable file details


Shown above: Angler Exploit Kit metadata


MALICIOUS PAYLOAD FROM ANGLER EK: