2016-04-18 - EITEST AND PSEUDO-DARKLEECH ANGLER EK

ASSOCIATED FILES:

  • 2016-04-18-EITest-Angler-EK-sends-Panda-banker.pcap   (1,034,895 bytes)
  • 2016-04-18-pseudo-Darkleech-Angler-EK-sends-Bedep-and-ransomware.pcap   (4,867,166 bytes)
  • 2016-04-18-injected-EITest-script-in-page-from-compromised-site.txt   (1,096 bytes)
  • 2016-04-18-EITest-flash-file-from-caddea.tk.swf   (15,528 bytes)
  • 2016-04-18-EITest-Angler-EK-landing-page.txt   (174,243 bytes)
  • 2016-04-18-EITest-Angler-EK-flash-exploit.swf   (31,688 bytes)
  • 2016-04-18-EITest-Angler-EK-silverlight-exploit.xap   (169,132 bytes)
  • 2016-04-18-EITest-Angler-EK-extracted-DLL-from-silverlight-exploit-GrmBL2Lnhwx.dll   (209,408 bytes)
  • 2016-04-18-EITest-Angler-EK-payload-Panda-banker.exe   (161,792 bytes)
  • 2016-04-18-page-with-injected-pseudo-Darkleech-script-from-altanticeyephysicians.com.txt   (40,138 bytes)
  • 2016-04-18-pseudo-Darkleech-Angler-EK-landing-page.txt   (174,289 bytes)
  • 2016-04-18-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (40,376 bytes)
  • 2016-04-18-C-Users-username-AppData-Local-Temp-15BA39EC-8171-4EBE-837B-3EDA6605A12-api-ms-win-system-rasadhlp-l1-1-0.dll   (299,008 bytes)
  • 2016-04-18-C-Users-username-AppData-Local-Temp-9D920166-42D4-4F1C-87BD-3353F7993691-api-ms-win-system-recovery-l1-1-0.dll   (299,008 bytes)
  • 2016-04-18-C-ProgramData-9A88E103-A20A-4EA5-8636-C73B709A5BF8-thawbrkr.dll   (358,536 bytes)
  • de_crypt_readme.bmp   (232,6734 bytes)
  • de_crypt_readme.html   (3,315 bytes)
  • de_crypt_readme.txt   (1,641 bytes)

NOTES:

TRAFFIC

Shown above:  Pcap of the EITest Angler EK infection traffic filtered in Wireshark.

Shown above:  Pcap of the pseudo-Darkleech Angler EK infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

IMAGES

Shown above:  Using the EmergingThreats ruleset, I saw alerts for Panda banker malware from the EITest Angler EK traffic.

Shown above:  Panda banker malware made persistent on the infected Windows host after the EITest Angler EK traffic.

Shown above:  Desktop of the infected Windows host with CryptXXX artifacts after pseudo-Darkleech Angler EK caused the Bedep infection.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, see the "about" page of this website, or email me and ask.
