There’s an excellent write up by Brad Duncan in the Internet Storm Center’s Handler Diaries on analyzing a compromise that used the Angler Exploit Kit to deliver TeslaCrypt.
From the article:
On Wednesday 2016-02-17 at approximately 18:14 UTC, I got a full chain of events.
The chain started with a compromised website that generated an admedia gate.
The gate led to Angler EK.
Finally, Angler EK delivered TeslaCrypt, and we saw some callback traffic from the malware.
· 178.62.122.211 – img.belayamorda.info – admedia gate
· 185.46.11.113 – ssd.summerspellman.com – Angler EK
· 192.185.39.64 – clothdiapersexpert.com – TeslaCrypt callback traffic
Source: http://jeffsoh.blogspot.com