2016-04-26 - PSEUDO-DARKLEECH ANGLER EK FROM 85.93.93.166 SENDS BEDEP AND CRYPTXXX

ASSOCIATED FILES:

  • 2016-04-26-Bedep-post-infection-8afc49b02429a   (1,279,392 bytes)
  • 2016-04-26-Bedep-post-infection-CryptXXX-ransomware.dll   (250,368 bytes)
  • 2016-04-26-Bedep-post-infection-click-fraud-malware.dll   (369,664 bytes)
  • 2016-04-26-CryptXXX-de_crypt_readme.bmp   (2,326,734 bytes)
  • 2016-04-26-CryptXXX-de_crypt_readme.html   (3,315 bytes)
  • 2016-04-26-CryptXXX-de_crypt_readme.txt   (1,641 bytes)
  • 2016-04-26-page-from-quilty.ca-with-injected-pseudo-Darkleech-script.txt   (35,859 bytes)
  • 2016-04-26-pseudo-Darkleech-Angler-EK-artifacts-from-infected-host.txt   (346 bytes)
  • 2016-04-26-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,900 bytes)
  • 2016-04-26-pseudo-Darkleech-Angler-EK-landing-page.txt   (95,716 bytes)

NOTES:

TRAFFIC

Shown above: Pcap of the traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

IMAGES

Shown above: Start of the injected pseudo-Darkleech script in a page from the compromised website.

Shown above: Desktop of the infected host after the Angler EK/Bedep/CryptXXX infection.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
