2016-04-20 - PSEUDO-DARKLEECH ANGLER EK SENDS BEDEP AND CRYPTXXX

ASSOCIATED FILES:

  • 2016-04-19-psuedo-Darkleech-Angler-EK-traffic.pcap   (4,737,274 bytes)
  • 2016-04-20-pseudo-Darkleech-Angler-EK-traffic-first-run.pcap   (184,838 bytes)
  • 2016-04-20-pseudo-Darkleech-Angler-EK-traffic-second-run.pcap   (3,683,146 bytes)
  • 2016-04-19-page-from-amitandroy.com-with-injected-pseudo-Darkleech-script.txt   (95,258 bytes)
  • 2016-04-19-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (40,379 bytes)
  • 2016-04-19-pseudo-Darkleech-Angler-EK-landing-page.txt   (176,068 bytes)
  • 2016-04-20-page-from-amitandroy.com-with-injected-pseudo-Darkleech-script-first-run.txt   (95,092 bytes)
  • 2016-04-20-page-from-amitandroy.com-with-injected-pseudo-Darkleech-script-second-run.txt   (94,862 bytes)
  • 2016-04-20-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,569 bytes)
  • 2016-04-20-pseudo-Darkleech-Angler-EK-landing-page-first-run.txt   (73,356 bytes)
  • 2016-04-20-pseudo-Darkleech-Angler-EK-landing-page-second-run.txt   (73,376 bytes)
  • api-ms-win-system-localui-l1-1-0.dll   (270,336 bytes) - CryptXXX ransomware from 2016-04-20
  • api-ms-win-system-neth-l1-1-0.dll   (266,240 bytes) - CryptXXX ransomware from 2016-04-19
  • de_crypt_readme.bmp   (2,326,734 bytes) - CryptXXX decrypt instructions
  • de_crypt_readme.html   (3,315 bytes) - CryptXXX decrypt instructions
  • de_crypt_readme.txt   (1,638 bytes) - CryptXXX decrypt instructions
  • mpr.dll   (344,064 bytes) - Click-fraud malware from 2016-04-20
  • shsetup.dll   (343,040 bytes) - Click-fraud malware from 2016-04-19

    NOTES:

     

    TRAFFIC


    Shown above:  Pcap of the 2016-04-19 traffic filtered in Wireshark.

     


    Shown above:  Pcap of the 2016-04-20 traffic filtered in Wireshark -- First run.

     


    Shown above:  Pcap of the 2016-04-20 traffic filtered in Wireshark -- Second run.
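The screenshots above are the pcaps filtered on HTTP requests in Wireshark, which is the quickest way to see the chain from the compromised site to the Angler EK landing page, the Flash exploit and the post-infection traffic. The same view can be pulled out of a pcap programmatically. The script below is an added example for this page, not code from the original write-up: it parses a classic pcap with only the Python standard library and lists every TCP segment that begins an HTTP request, in capture order. The capture it reads is constructed inline for illustration; the hostnames, URIs and IP addresses in it are placeholders and are not taken from the 2016-04-19 or 2016-04-20 pcaps. To run it against the real captures, replace SAMPLE_PCAP with the bytes of one of the pcap files listed above.

```python
"""Pull the HTTP request chain (what the 'http.request' filter shows in Wireshark)
out of a classic pcap using only the Python standard library.

Added example for this page, not code from the original write-up.  The capture
below is constructed inline; its hostnames, URIs and addresses are placeholders.
"""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # little-endian classic pcap
PCAP_MAGIC_BE_AS_LE = 0xD4C3B2A1    # big-endian file seen through a "<" unpack
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame around payload (checksums left at zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames, base_ts=1461110400):
    """Wrap frames in a little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


def parse_http_request(frame):
    """Return (src_ip, host, request_line) if this frame starts an HTTP request, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    if frame[23] != IPPROTO_TCP:              # protocol field of the IPv4 header
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]   # skip TCP header + options
    if not payload.startswith(HTTP_METHODS):
        return None
    lines = payload.split(b"\r\n")
    host = dst                                # fall back to the server IP if no Host header
    for line in lines[1:]:
        if line.lower().startswith(b"host:"):
            host = line[5:].strip().decode("ascii", "replace")
            break
    return src, host, lines[0].decode("ascii", "replace")


def http_requests(pcap_bytes):
    """Walk every record in a classic pcap and collect the HTTP requests in capture order."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE_AS_LE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond variants not handled)")
    offset, found = 24, []
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        offset += 16
        req = parse_http_request(pcap_bytes[offset:offset + incl_len])
        offset += incl_len
        if req:
            found.append(req)
    return found


# Constructed sample capture shaped like a pseudo-Darkleech/Angler chain, with
# placeholder names.  The first frame is an empty ACK, which the filter drops.
VICTIM = "192.168.0.10"
SAMPLE_PCAP = build_pcap([
    build_frame(VICTIM, "203.0.113.5", 49201, 80, b""),
    build_frame(VICTIM, "203.0.113.5", 49201, 80,
                b"GET /index.html HTTP/1.1\r\nHost: compromised-site.example\r\n\r\n"),
    build_frame(VICTIM, "203.0.113.77", 49202, 80,
                b"GET /topic/landing-page-placeholder HTTP/1.1\r\nHost: ek-gate.example\r\n\r\n"),
    build_frame(VICTIM, "203.0.113.77", 49203, 80,
                b"GET /flash-exploit-placeholder HTTP/1.1\r\nHost: ek-gate.example\r\n\r\n"),
    build_frame(VICTIM, "203.0.113.200", 49204, 443,
                b"POST /checkin HTTP/1.1\r\nHost: 203.0.113.200\r\nContent-Length: 0\r\n\r\n"),
])

if __name__ == "__main__":
    for src, host, line in http_requests(SAMPLE_PCAP):
        print(f"{src:15} -> {host:30} {line}")
```

The parser keys only on the first bytes of the TCP payload, so it sees requests on any port (the CryptXXX post-infection traffic in these captures does not rely on port 80) but will miss a request whose first line was split across segments; for a full reassembly use Wireshark's Follow TCP Stream or a library such as dpkt or scapy.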

     

    ASSOCIATED DOMAINS:

     

    IMAGES


    Shown above:  An example of the CryptXXX post-infection traffic on 2016-04-20.

     


    Shown above:  Desktop of the infected host after the Angler EK/Bedep/CryptXXX infection on 2016-04-20.

     


    Shown above:  Although the CryptXXX ransomware deletes itself, the click-fraud malware stays resident on the system.
    This is the click-fraud malware from 2016-04-19 and some associated registry entries.

     

    FINAL NOTES

    Once again, here are the associated files:

    ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
