2016-04-28 - PSEUDO-DARKLEECH ANGLER EK FROM 92.222.67.38 SENDS BEDEP/CRYPTXXX

ASSOCIATED FILES:

  • 2016-04-28-pseudo-Darkleech-Angler-EK-sends-Bedep-CryptXXX.pcap   (2,040,185 bytes)
  • 2016-04-28-8afc49b02429a   (262,368 bytes)
  • 2016-04-28-CryptXXX-de_crypt_readme.bmp   (3,102,294 bytes)
  • 2016-04-28-CryptXXX-de_crypt_readme.html   (3,315 bytes)
  • 2016-04-28-CryptXXX-de_crypt_readme.txt   (1,638 bytes)
  • 2016-04-28-CryptXXX-ransomware.dll   (266,240 bytes)
  • 2016-04-28-artifacts.txt   (285 bytes)
  • 2016-04-28-click-fraud-malware.dll   (347,296 bytes)
  • 2016-04-28-page-from-promobag.pl-with-injected-pseudo-Darkleech-script.txt   (43,052 bytes)
  • 2016-04-28-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,918 bytes)
  • 2016-04-28-pseudo-Darkleech-Angler-EK-landing-page.txt   (69,729 bytes)


NOTES:


TRAFFIC


Shown above:  Pcap of traffic filtered in Wireshark.


ASSOCIATED DOMAINS:


IMAGES


Shown above:  Injected pseudo-Darkleech script in page from the compromised website.



Shown above:  Desktop of the first infected Windows host after Angler EK sent Bedep and CryptXXX.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
