2016-05-02 - PSEUDO-DARKLEECH ANGLER EK FROM 185.73.221.95 SENDS BEDEP/CRYPTXXX

ASSOCIATED FILES:

  • 2016-05-02-pseudo-Darkleech-Angler-EK-sends-Bedep-CryptXXX.pcap   (3,540,047 bytes)
  • 2016-05-02-CryptXXX-de_crypt_readme.bmp   (2,326,734 bytes)
  • 2016-05-02-CryptXXX-de_crypt_readme.html   (3,315 bytes)
  • 2016-05-02-CryptXXX-de_crypt_readme.txt   (1,638 bytes)
  • 2016-05-02-CryptXXX-ransomware.dll   (223,232 bytes)
  • 2016-05-02-click-fraud-malware.dll   (773,280 bytes)
  • 2016-05-02-page-from-blushdentalstudio.com-with-injected-pseudo-Darkleech-script.txt   (13,095 bytes)
  • 2016-05-02-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,922 bytes)
  • 2016-05-02-pseudo-Darkleech-Angler-EK-landing-page.txt   (91,294 bytes)

NOTES:

Shown above:  Chain of events for today's infection.

TRAFFIC

Shown above:  Pcap of the traffic filtered in Wireshark, using the display filter below (HTTP requests, plus the TCP SYN packet of every connection to port 443, so that HTTPS sessions still appear once each):

    http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)

ASSOCIATED DOMAINS:

TRAFFIC CAUSED BY BEDEP:

TRAFFIC CAUSED BY CLICK-FRAUD MALWARE:

IMAGES

Shown above:  Start of pseudo-Darkleech script returned from compromised website.

Shown above:  Desktop of the Windows host after the Angler EK/Bedep/CryptXXX infection.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.