Angler Exploit Kit sends Bedep, TeslaCrypt Ransomware and Andromeda
ASSOCIATED DOMAINS:
- 80.87.194.218 – behave.nualias.com – GET /ed/n/084/ – Angler EK LANDING PAGE
- 104.73.195.113 – www.ecb.europa.eu – Bedep CONNECTION CHECK
- 198.105.244.228 – iednxjurmcz2x.com – POST /forum.php – Bedep POST INFECTION TRAFFIC
- 195.22.28.199 – ebcqpcqdbli44.com – POST /include/database_error_page.html – Bedep POST INFECTION TRAFFIC
- 208.100.26.234 – jdgrbwdcfzpcllt0.com – POST /content.php – Bedep POST INFECTION TRAFFIC
- 82.141.230.141 – hmkkzfwjbpym.com – POST /include/class_dm_blog_rate.php – Bedep POST INFECTION TRAFFIC
- 104.193.252.245 – POST /showpost.php – Bedep POST INFECTION TRAFFIC
- 72.41.18.2 – helcel.com – POST /sys_init.php – TeslaCrypt POST INFECTION TRAFFIC
- 171.35.182.56 – dom.altincopps.com – POST /dom/tasks.php – Andromeda POST INFECTION TRAFFIC
- 103.234.36.148 – GET /domand789.exe – Andromeda POST INFECTION TRAFFIC
- 162.221.183.108 – GET /m/795473.zip – POST INFECTION TRAFFIC
- 162.221.183.108 – GET /m/1721863.zip – POST INFECTION TRAFFIC
- 162.221.183.108 – GET /m/257725.zip – POST INFECTION TRAFFIC
- 162.221.183.108 – GET /m/043828.zip – POST INFECTION TRAFFIC
- 162.221.183.108 – GET /m/143426.zip – POST INFECTION TRAFFIC
- 162.221.183.108 – POST /test.php – POST INFECTION TRAFFIC
- 107.155.99.135 – domand.altincopps.com – POST /domand/gate.php – Andromeda POST INFECTION TRAFFIC
- 217.23.15.136 – GET / – POST INFECTION TRAFFIC
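A defender's first use of a list like the one above is to sweep existing proxy logs for it. The following is an added example, not code from the original post: it parses a subset of the indicators listed above into structured records and matches them against a handful of constructed proxy log lines. The log format (timestamp, client, destination IP, method, URL, status) is an assumption, as are the client addresses. Note the handling of the www.ecb.europa.eu entry: Bedep uses a legitimate site as a connectivity check, so that host alone is a weak indicator and is only reported when the same client also hits a strong one.

```python
"""Sweep proxy logs for the Angler EK / Bedep / TeslaCrypt / Andromeda
indicators from the post.  Added example; log lines are constructed and the
Squid-like log layout is an assumption, not the original analyst's data."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Indicator lines copied from the post: ip – host – METHOD /path – label.
# Some entries have no host (direct-to-IP) or no request (host-only).
IOC_TEXT = """\
80.87.194.218 – behave.nualias.com – GET /ed/n/084/ – Angler EK landing page
104.73.195.113 – www.ecb.europa.eu – Bedep connection check
198.105.244.228 – iednxjurmcz2x.com – POST /forum.php – Bedep post-infection traffic
72.41.18.2 – helcel.com – POST /sys_init.php – TeslaCrypt post-infection traffic
171.35.182.56 – dom.altincopps.com – POST /dom/tasks.php – Andromeda post-infection traffic
103.234.36.148 – GET /domand789.exe – Andromeda post-infection traffic
162.221.183.108 – POST /test.php – post-infection traffic
"""


@dataclass(frozen=True)
class Indicator:
    ip: str
    host: Optional[str]    # None when the post lists only an IP
    method: Optional[str]  # None when the post lists only a host
    path: Optional[str]
    label: str

    @property
    def weak(self) -> bool:
        # A connectivity check against a legitimate site is not evidence by itself.
        return "connection check" in self.label.lower()


REQ_RE = re.compile(r"^(GET|POST)\s+(\S+)$")


def parse_iocs(text: str) -> list[Indicator]:
    """Turn the post's 'ip – host – METHOD /path – label' lines into records."""
    iocs: list[Indicator] = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("–")]  # en dash, as in the post
        if len(parts) < 2:
            continue
        ip, label = parts[0], parts[-1]
        host = method = path = None
        for field in parts[1:-1]:
            m = REQ_RE.match(field)
            if m:
                method, path = m.group(1), m.group(2)
            else:
                host = field
        iocs.append(Indicator(ip, host, method, path, label))
    return iocs


# Constructed proxy log layout (assumption): ts client dst METHOD url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>GET|POST) "
    r"http://(?P<host>[^/\s]+)(?P<path>/\S*) (?P<status>\d{3})$"
)


def match_line(line: str, iocs: list[Indicator]) -> list[tuple[str, Indicator]]:
    """Return (client, indicator) pairs for every indicator the line satisfies."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    for ioc in iocs:
        # Host-based indicators match on the Host; IP-only ones on the destination.
        dest_ok = (ioc.host == m["host"]) if ioc.host else (ioc.ip == m["dst"])
        # Request-based indicators also require the exact method and path.
        req_ok = ioc.path is None or (ioc.method == m["method"] and ioc.path == m["path"])
        if dest_ok and req_ok:
            hits.append((m["client"], ioc))
    return hits


def triage(log_lines: list[str], iocs: list[Indicator]) -> dict[str, list[str]]:
    """Alert per client, but only when at least one strong indicator fired."""
    per_client: dict[str, list[Indicator]] = {}
    for line in log_lines:
        for client, ioc in match_line(line, iocs):
            per_client.setdefault(client, []).append(ioc)
    alerts: dict[str, list[str]] = {}
    for client, hits in per_client.items():
        if any(not h.weak for h in hits):
            alerts[client] = sorted({h.label for h in hits})
    return alerts


# Constructed sample log: 10.0.0.7 shows the full chain, 10.0.0.9 only the
# connectivity check (which must not alert on its own).
SAMPLE_LOG = [
    "2016-04-15T10:01:02Z 10.0.0.7 80.87.194.218 GET http://behave.nualias.com/ed/n/084/ 200",
    "2016-04-15T10:01:20Z 10.0.0.7 104.73.195.113 GET http://www.ecb.europa.eu/ 200",
    "2016-04-15T10:01:25Z 10.0.0.7 198.105.244.228 POST http://iednxjurmcz2x.com/forum.php 200",
    "2016-04-15T10:02:00Z 10.0.0.7 103.234.36.148 GET http://103.234.36.148/domand789.exe 200",
    "2016-04-15T10:05:00Z 10.0.0.9 104.73.195.113 GET http://www.ecb.europa.eu/ 200",
    "2016-04-15T10:06:00Z 10.0.0.9 93.184.216.34 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for client, labels in triage(SAMPLE_LOG, parse_iocs(IOC_TEXT)).items():
        print(client, "->", ", ".join(labels))
```

Exact path matching is deliberate: the Bedep and Andromeda POST paths above are distinctive enough to stand on their own, while the www.ecb.europa.eu check is demoted to corroborating evidence so that ordinary browsing to the ECB does not page anyone.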
IMAGES and DETAILS:
(image) Injected iframe in compromised site index page redirecting to Angler exploit landing page
(image) Angler Exploit Kit landing page
(image) Packet 3860 shows Angler exploiting Flash and packet 4913 shows payload masked as a Shockwave Flash file
(image) Packet 4913 shows payload masked as a Shockwave Flash file
(image) Bedep post infection traffic
(image) Andromeda post infection traffic
(image) TeslaCrypt ransom note
EXPLOITS AND PAYLOAD FROM ANGLER EK:
- 2016-04-15-Angler-EK.swf – VirusTotal Link
- 2016-04-15-Bedep.dll – VirusTotal Link
- 2016-04-15-TeslaCrypt.exe – VirusTotal Link
- 2016-04-15-WMPRWISE.EXE – VirusTotal Link, Malwr Download
- 2016-04-15-yptimcs.exe – VirusTotal Link, Malwr Download
- 2016-04-15-write.exe – VirusTotal Link, Malwr Download
UPDATED POST INFECTION ARTIFACTS:
- se1923ar32.exe – Malwr Download
- se1935zz3332.exe – Malwr Download
- seiafs1z432.exe – Malwr Download
- seifsy2132s.exe – Malwr Download
- senewsys32.exe – Malwr Download
- senewzbys32.exe – Malwr Download
- seznick322.exe – Malwr Download
- sysae6w6azbys32.exe – Malwr Download