2016-04-22 - PSEUDO-DARKLEECH ANGLER EK FROM 192.169.189.151 SENDS BEDEP/CRYPTXXX

ASSOCIATED FILES:

  • 2016-04-22-CryptXXX-de_crypt_readme.bmp   (232,6734 bytes)
  • 2016-04-22-CryptXXX-de_crypt_readme.html   (3,315 bytes)
  • 2016-04-22-CryptXXX-de_crypt_readme.txt   (1,638 bytes)
  • 2016-04-22-CryptXXX-ransomware.dll   (356,352 bytes)
  • 2016-04-22-click-fraud-malware-retreived-by-Bedep.dll   (342,528 bytes)
  • 2016-04-22-file-in-same-directory-as-click-fraud-DLL-8afc49b02429a   (1,279,328 bytes)
  • 2016-04-22-page-from-whitenmysmilenow.com-with-injected-pseudo-Darkleech-script.txt   (171,507 bytes)
  • 2016-04-22-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (40,370 bytes)
  • 2016-04-22-pseudo-Darkleech-Angler-EK-landing-page.txt   (69,086 bytes)

NOTES:

Shown above:  @BeibesMalwareGuy earlier today, letting me know about some Angler EK he found.

TRAFFIC

Shown above:  Pcap of the traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

ARTIFACTS FROM THE INFECTED HOST

CRYPTXXX RANSOMWARE:

CLICK-FRAUD ARTIFACT AND MALWARE:

REGISTRY KEYS ASSOCIATED WITH THE CLICK-FRAUD MALWARE:

VALUES FOR THE ABOVE 3 REGISTRY KEYS (NAME, TYPE, DATA):

IMAGES

Shown above:  Start of injected pseudo-Darkleech script in page from the compromised website.

Shown above:  The infected desktop after being hit with Angler EK sending Bedep, then Bedep grabbing CryptXXX.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.