On Sunday 2016-02-28 at 22:43 UTC, a Windows host was infected with TeslaCrypt
ransomware delivered by the Angler exploit kit (EK) after the user viewed a
compromised website, www[.]mysecretdeals[.]nl, during casual web browsing. The
compromised website had injected script from the pseudo-Darkleech campaign [1]
that pointed to the Angler EK.
RECOMMENDED ACTIONS:
Wipe and re-image the Windows host, then have the user restore any documents or
personal items from a data backup.
HOST INFORMATION:
OTHER NOTES:
REFERENCES:
[1] http://researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/
[2] https://isc.sans.edu/forums/diary/Angler+exploit+kit+generated+by+admedia+gates/20741
IMAGES:
2016-02-28-traffic-analysis-exercise-answers-image-01.jpg
Finding the MAC address and host name for the IP address.
2016-02-28-traffic-analysis-exercise-answers-image-02.jpg
Alerts when running the pcap through Security Onion running the ET Pro ruleset.
This shows Angler EK and TeslaCrypt traffic.
2016-02-28-traffic-analysis-exercise-answers-image-03.jpg
Filter the pcap on the IP address from the Angler EK alerts.
2016-02-28-traffic-analysis-exercise-answers-image-04.jpg
And you can find the referer that led to the Angler EK traffic. This is the
compromised website.
2016-02-28-traffic-analysis-exercise-answers-image-05.jpg
If you export HTTP objects from the pcap...
2016-02-28-traffic-analysis-exercise-answers-image-06.jpg
And select the index page for the compromised website www[.]mysecretdeals[.]nl...
2016-02-28-traffic-analysis-exercise-answers-image-07.jpg
Scroll through the HTML file, and you'll find pseudo-Darkleech script injected just
after the </header> and <body> tags.
2016-02-28-traffic-analysis-exercise-answers-image-08.jpg
Checking on the TeslaCrypt callback traffic from the pcap in Wireshark using the IP
address from the Security Onion alerts.
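The pcap steps in the captions above (alert on an IP, filter the pcap on that IP, read the Referer header of the first hit to find the compromised site) can be scripted once the HTTP requests have been pulled out of the capture. The following is an added example, not code from the original exercise answers: it works over a small set of constructed HTTP request records instead of a real pcap, the EK hostname and the IP addresses (RFC 5737 documentation ranges) are placeholders, and only the compromised hostname comes from the write-up. It walks the referer chain backward from the first request to the alerted IP and also handles the case where the referring page itself is not in the capture.

```python
"""
Reconstruct the referer chain that led to exploit-kit traffic.

Added example for triage, not part of the original exercise answers.
The HttpRequest records below are constructed to mirror what you would
extract from a pcap (e.g. Wireshark's HTTP request list). IPs are from
the RFC 5737 documentation ranges and "ek.example" is a placeholder
for the exploit-kit domain; the compromised site is the one named in
the write-up.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class HttpRequest:
    ts: str                 # timestamp (UTC) of the request
    src: str                # client IP (the infected Windows host)
    dst: str                # server IP
    host: str               # Host header
    uri: str                # request URI
    referer: Optional[str]  # Referer header, None if absent


# Constructed sample in capture order. 192.0.2.50 stands in for the IP
# that the Security Onion alerts flagged as Angler EK.
REQUESTS: List[HttpRequest] = [
    HttpRequest("22:43:01", "10.0.0.5", "203.0.113.10", "www.mysecretdeals.nl", "/", None),
    HttpRequest("22:43:02", "10.0.0.5", "203.0.113.10", "www.mysecretdeals.nl", "/style.css",
                "http://www.mysecretdeals.nl/"),
    HttpRequest("22:43:03", "10.0.0.5", "192.0.2.50", "ek.example", "/landing",
                "http://www.mysecretdeals.nl/"),
    HttpRequest("22:43:05", "10.0.0.5", "192.0.2.50", "ek.example", "/payload",
                "http://ek.example/landing"),
]


def url_of(r: HttpRequest) -> str:
    """Full URL of a request, the form Referer headers use."""
    return f"http://{r.host}{r.uri}"


def requests_to(records: List[HttpRequest], dst_ip: str) -> List[HttpRequest]:
    """Equivalent of filtering the pcap on the alerted IP address."""
    return [r for r in records if r.dst == dst_ip]


def referer_chain(records: List[HttpRequest], start: HttpRequest) -> List[HttpRequest]:
    """Walk Referer headers backward from `start`, earliest page first.

    Each referer is resolved to the first captured request for that URL.
    A `seen` set guards against referer loops in malformed traffic.
    """
    by_url = {}
    for r in records:
        by_url.setdefault(url_of(r), r)
    chain = [start]
    seen = {url_of(start)}
    cur = start
    while cur.referer and cur.referer in by_url and cur.referer not in seen:
        cur = by_url[cur.referer]
        seen.add(url_of(cur))
        chain.append(cur)
    return list(reversed(chain))


def compromised_site(records: List[HttpRequest], alert_ip: str) -> Optional[str]:
    """Hostname of the page that referred the host to the alerted IP."""
    hits = requests_to(records, alert_ip)
    if not hits:
        return None
    root = referer_chain(records, hits[0])[0]
    if root is not hits[0]:
        return root.host
    # Referring page not captured (for example served over HTTPS):
    # fall back to the hostname inside the Referer header itself.
    return urlsplit(root.referer).hostname if root.referer else None


if __name__ == "__main__":
    print("compromised site:", compromised_site(REQUESTS, "192.0.2.50"))
    for r in referer_chain(REQUESTS, REQUESTS[-1]):
        print(r.ts, r.dst, url_of(r))
```

The chain printed for the last request runs from the compromised index page through the EK landing page to the payload request, which is the same path the captions trace by hand in Wireshark.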