2016 02 28 Traffic Analysis Exercise Answers

A Windows host was infected with TeslaCrypt ransomware after visiting a compromised website. The website contained a script that redirected the host to the Angler exploit kit, enabling the ransomware infection. It is recommended to wipe and reimage the infected host after restoring files from backup.

SUMMARY:

On Sunday 2016-02-28 at 22:43 UTC, a Windows host was infected with TeslaCrypt
ransomware delivered by Angler exploit kit (EK) after viewing a compromised
website, www[.]mysecretdeals[.]nl during casual web browsing. The compromised
website had injected script from the pseudo-Darkleech campaign [1] that pointed to
the Angler EK.

RECOMMENDED ACTIONS:

Wipe and re-image the Windows host, then have the user restore any documents or
personal items from a data backup.

HOST INFORMATION:

MAC address: 00:c0:4f:f6:3e:74 (Dell_f6:3e:74)
IP address: 172.16.181.176
Host name: WIN-DJ3W602WC9M

INDICATORS OF COMPROMISE (IOC):

188.121.54.128 - www[.]mysecretdeals[.]nl - Compromised website with pseudo-Darkleech script
85.143.222.170 - netmakevitelaoversttelsestidspunkt[.]timepassion[.]com - Angler EK
192.185.39.66 - biocarbon[.]com[.]ec - TeslaCrypt post-infection traffic

OTHER NOTES:

- Prior to viewing www[.]mysecretdeals[.]nl, the user viewed misspluss[.]hu. The
missplus[.]hu site was compromised and had injected script related to the admedia
campaign [2]. Traffic went as far as the gate at img[.]zolotcevasunya[.]info but
no EK traffic was noted.

REFERENCES:

[1] http://researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/
[2] https://isc.sans.edu/forums/diary/Angler+exploit+kit+generated+by+admedia+gates/20741

IMAGES:

2016-02-28-traffic-analysis-exercise-answers-image-01.jpg
Finding the MAC address and host name for the IP address.

2016-02-28-traffic-analysis-exercise-answers-image-02.jpg
Alerts when running the pcap through Security Onion running the ET Pro ruleset.
This shows Angler EK and TeslaCrypt traffic.

2016-02-28-traffic-analysis-exercise-answers-image-03.jpg
Filter the pcap on the IP address from the Angler EK alerts.

2016-02-28-traffic-analysis-exercise-answers-image-04.jpg
And you can find the referer that caused the Angler EK. This is the compromised
website.

2016-02-28-traffic-analysis-exercise-answers-image-05.jpg
If you export HTTP objects from the pcap...
2016-02-28-traffic-analysis-exercise-answers-image-06.jpg
And select the index page for the compromised website www[.]mysecretdeals[.]nl...

2016-02-28-traffic-analysis-exercise-answers-image-07.jpg
Scroll through the HTML file, and you'll find pseudo-Darkleech script injected just
after the </header> and <body> tags.

2016-02-28-traffic-analysis-exercise-answers-image-08.jpg
Checking on the TeslaCrypt callback traffic from the pcap in Wireshark using the IP
address from the Security Onion alerts.
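The following script is an added example, not part of the original exercise answers. It takes the three indicators from the INDICATORS OF COMPROMISE section, refangs them, scans a few constructed HTTP-log lines (a made-up space-separated format, not output from any real tool) for hits, and then walks the Referer headers backwards from the first request to the Angler EK address, which is the same reasoning the IMAGES section applies by hand in Wireshark (filter on the EK IP, then read the referer to find the compromised site). The log format, the hostnames in the non-IOC lines and the URI paths are all assumptions.

```python
"""IOC matcher and referer-chain reconstruction (added example, not the exercise's own code)."""
import re
from typing import NamedTuple
from urllib.parse import urlparse

# Indicators copied from the page's IOC list, kept in defanged form.
IOCS = {
    "188.121.54.128": ("www[.]mysecretdeals[.]nl", "compromised website, pseudo-Darkleech script"),
    "85.143.222.170": ("netmakevitelaoversttelsestidspunkt[.]timepassion[.]com", "Angler EK"),
    "192.185.39.66": ("biocarbon[.]com[.]ec", "TeslaCrypt post-infection traffic"),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'www[.]example[.]nl' back into a matchable hostname."""
    return indicator.replace("[.]", ".")


IP_TO_LABEL = {ip: label for ip, (_host, label) in IOCS.items()}
HOST_TO_LABEL = {refang(host): label for _ip, (host, label) in IOCS.items()}


class Entry(NamedTuple):
    ts: str
    src: str
    dst: str
    host: str
    uri: str
    referer: str  # "-" when the request carried no Referer header


# Constructed log format (assumption): timestamp src_ip dst_ip host uri referer
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample traffic for the exercise host; paths are placeholders, not real IoCs.
SAMPLE_LOG = """\
2016-02-28T22:41:10Z 172.16.181.176 93.184.216.34 example.com / -
2016-02-28T22:42:55Z 172.16.181.176 188.121.54.128 www.mysecretdeals.nl / -
2016-02-28T22:43:01Z 172.16.181.176 85.143.222.170 netmakevitelaoversttelsestidspunkt.timepassion.com /EK-LANDING-PATH https://www.mysecretdeals.nl/
2016-02-28T22:43:40Z 172.16.181.176 192.185.39.66 biocarbon.com.ec /CALLBACK-PATH -
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def find_hits(entries: list) -> list:
    """Return (timestamp, dst_ip, host, label) for every request matching an IOC by IP or hostname."""
    hits = []
    for e in entries:
        label = IP_TO_LABEL.get(e.dst) or HOST_TO_LABEL.get(e.host)
        if label:
            hits.append((e.ts, e.dst, e.host, label))
    return hits


def referer_chain(entries: list, ek_ip: str) -> list:
    """Start at the first request to ek_ip and follow Referer headers back to the origin.

    Returns hostnames in chronological order (origin first). Stops when a request has
    no referer, when the referer host never appears in the log, or on a loop.
    """
    by_host = {}
    for e in entries:
        by_host.setdefault(e.host, e)  # keep the first request seen for each host
    current = next((e for e in entries if e.dst == ek_ip), None)
    chain, seen = [], set()
    while current is not None and current.host not in seen:
        seen.add(current.host)
        chain.append(current.host)
        if current.referer == "-":
            break
        current = by_host.get(urlparse(current.referer).hostname)
    chain.reverse()
    return chain


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for hit in find_hits(log):
        print("IOC hit:", hit)
    print("Redirect chain to Angler EK:", " -> ".join(referer_chain(log, "85.143.222.170")))
```

The chain walk deliberately stops on the first request without a Referer, so the compromised site shows up as the origin even though the user reached it by normal browsing; on real proxy logs you would feed the same functions the host, destination and referer fields of your own format.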
