2016-04-29 - ANGLER AND NEUTRINO EK DATA DUMP

ASSOCIATED FILES:

NOTES:

There's too much to write about in detail for each of the pcaps.  Today's post has four pcaps with EITest Angler EK (a different payload each time), two pcaps with pseudo-Darkleech Angler EK sending Bedep/CryptXXX, and two pcaps with Neutrino EK sending something else.   You'll have to review the pcaps for details.

Two other items...

ITEM 1:  The past day or two, I've seen a few examples of injected pseudo-Darkleech script point to .eu domains, but they don't go anywhere.  Why?  Because the domain is not resolved in DNS.  Here's an example:

Whenever I've seen pseudo-Darkleech script generate a URL with an .eu domain, it never works.  And the URLs using those .eu domains look a little like Neutrino EK.  I can't say if they actually are Neutrino EK, though.  I suppose I'll figure it out if those domains ever start resolving.
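To check the "doesn't go anywhere" observation above from a pcap rather than by eyeballing it, the question name and response code of each DNS reply is what matters. The following parser is an added example, not part of the original post or its pcaps: it decodes a raw DNS response (header, question, A answers, including compression pointers), and classifies each query as NXDOMAIN, resolved, or no data. The sample messages are constructed in-line with placeholder names, not taken from the captures.

```python
import struct

NXDOMAIN = 3  # DNS RCODE for "name does not exist"


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following 0xC0 compression pointers.
    Returns (name, offset_after_name_field)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                next_off = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (next_off if jumped else offset)


def build_response(qname, rcode, answer_ip=None):
    """Constructed DNS response used as sample input; not captured traffic."""
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the response code
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answer = b""
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        # 0xC00C = pointer back to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_response(msg):
    """Extract query name, RCODE and any A-record answers from a DNS response."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"qname": qname, "rcode": rcode, "answers": answers}


def classify(msg):
    """Return (qname, status) so a batch of replies can be triaged at a glance."""
    r = parse_response(msg)
    if r["rcode"] == NXDOMAIN:
        status = "nxdomain"
    elif r["rcode"] != 0:
        status = "error-rcode-%d" % r["rcode"]
    elif r["answers"]:
        status = "resolved"
    else:
        status = "noerror-no-data"
    return r["qname"], status


# Constructed samples with placeholder names (not the domains from the pcaps).
SAMPLES = [
    build_response("example-placeholder.eu", NXDOMAIN),
    build_response("example-placeholder.com", 0, answer_ip="192.0.2.10"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(classify(m))
```

Feed it the UDP payloads of the DNS replies extracted from a pcap; an exploit-kit domain whose every reply classifies as nxdomain explains why the injected script never produced a follow-up connection.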

 

ITEM 2:  In today's two Angler EK/Bedep/CryptXXX infections, svchost.exe was dropped in the same folder with the CryptXXX .dll.  For example:

That svchost.exe is actually rundll32.exe.  It's a legitimate Windows file (VirusTotal link).  But in this case, it's being used to load the CryptXXX .dll file.  I got an error during today's first CryptXXX infection on a 64-bit Windows host.  I didn't see an error during the second infection on a 32-bit host.

In both cases, the CryptXXX .dll file wasn't deleted like it normally is.  Except for TCP port 443 callback traffic associated with CryptXXX, I didn't find any other signs of CryptXXX on the two infected hosts.  The click-fraud traffic normally seen after Bedep still seemed normal, though.
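The svchost.exe-that-is-really-rundll32.exe trick is easy to spot on a host once you look for it: a Windows system binary name sitting outside System32/SysWOW64, whose hash matches a different legitimate binary, with a DLL dropped next to it. The script below is an added example, not from the original post: it reviews a file inventory of (path, sha256) pairs against a baseline of known-good hashes. The baseline hashes and the drop folder are placeholders (the post does not give them); on a real host, fill the baseline from the System32 copies using sha256_file().

```python
import hashlib
from pathlib import PureWindowsPath

# Placeholder baseline: NOT real hashes. Populate with sha256_file() on a clean host,
# e.g. sha256_file(r"C:\Windows\System32\rundll32.exe").
KNOWN_GOOD_SHA256 = {
    "placeholder_sha256_rundll32": "rundll32.exe",
    "placeholder_sha256_svchost": "svchost.exe",
}
SYSTEM_NAMES = set(KNOWN_GOOD_SHA256.values())
SYSTEM_DIRS = [PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64")]


def sha256_file(path):
    """SHA-256 of a file on disk, read in chunks (used to build the baseline)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _same_dir(a, b):
    # Windows paths are case-insensitive
    return str(a).lower() == str(b).lower()


def review_inventory(inventory):
    """inventory: list of {"path": str, "sha256": str}. Returns (path, finding) tuples."""
    findings = []
    # Index files by folder so we can list DLLs dropped beside a suspicious binary.
    by_dir = {}
    for entry in inventory:
        p = PureWindowsPath(entry["path"])
        by_dir.setdefault(str(p.parent).lower(), []).append(p)

    for entry in inventory:
        p = PureWindowsPath(entry["path"])
        name = p.name.lower()
        if name not in SYSTEM_NAMES:
            continue  # only system binary names are of interest here
        in_system_dir = any(_same_dir(p.parent, d) for d in SYSTEM_DIRS)
        real_name = KNOWN_GOOD_SHA256.get(entry["sha256"].lower())
        if real_name and real_name != name:
            # Hash says this is a different legitimate binary under a borrowed name.
            findings.append((str(p), "renamed copy of %s" % real_name))
        elif not in_system_dir:
            findings.append((str(p), "system binary name outside system directory"))
        if not in_system_dir:
            dlls = [s.name for s in by_dir[str(p.parent).lower()]
                    if s.suffix.lower() == ".dll"]
            if dlls:
                findings.append((str(p), "DLLs in same folder: " + ", ".join(dlls)))
    return findings


# Constructed inventory; the AppData folder and payload name are placeholders.
SAMPLE_INVENTORY = [
    {"path": r"C:\Windows\System32\rundll32.exe", "sha256": "placeholder_sha256_rundll32"},
    {"path": r"C:\Windows\System32\svchost.exe", "sha256": "placeholder_sha256_svchost"},
    {"path": r"C:\Users\user\AppData\Roaming\Example\svchost.exe",
     "sha256": "placeholder_sha256_rundll32"},
    {"path": r"C:\Users\user\AppData\Roaming\Example\payload.dll",
     "sha256": "placeholder_sha256_unknown_dll"},
]

if __name__ == "__main__":
    for path, finding in review_inventory(SAMPLE_INVENTORY):
        print(path, "->", finding)
```

The hash comparison is what makes this more than a path check: a genuine copy of svchost.exe in the wrong folder and a renamed rundll32.exe look identical by name, but only the latter matches the rundll32.exe baseline entry.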

 

CONTENTS OF TODAY'S ZIP ARCHIVES

EIGHT PCAPS IN THE PCAP ARCHIVE:

ITEMS IN THE MALWARE AND ARTIFACTS ZIP ARCHIVE:

 

TRAFFIC

ASSOCIATED DOMAINS:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
