2016-04-23 - PCAP AND MALWARE FOR AN ISC DIARY I WROTE

ASSOCIATED FILES:

  • 3A1DC4C4719C.dat   (3 bytes)   C:\ProgramData\3A1DC4C4719C.dat   [something related to the click-fraud malware, I think]
  • 8afc49b02429a   (1,279,328 bytes)   C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a   [data downloaded by Bedep]
  • msvcp60.dll   (348,160 bytes)   C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\msvcp60.dll   [Click-fraud malware downloaded by Bedep]
  • de_crypt_readme.bmp   (2,326,734 bytes)   [decrypt instructions for the CryptXXX ransomware]
  • de_crypt_readme.html   (3,315 bytes)   [decrypt instructions for the CryptXXX ransomware]
  • de_crypt_readme.txt   (1,638 bytes)   [decrypt instructions for the CryptXXX ransomware]
  • api-ms-win-system-acproxy-l1-1-0.dll   (361,472 bytes)   C:\Users\[username]\AppData\Local\Temp\{F4DD9BAF-BD38-4055-90EE-07C071479B6A}\api-ms-win-system-acproxy-l1-1-0.dll   [CryptXXX ransomware]


NOTES:

  • This is Angler EK/Bedep/CryptXXX traffic I recorded on Saturday 2016-04-23 from approximately 02:28 UTC.
  • The associated ISC diary is here.


    ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.