2016-05-05 - NEUTRINO EK/CERBER AND ANGLER EK/BEDEP/CRYPTXXX

ASSOCIATED FILES:

  • 2016-05-05-EITest-Neutrino-EK-sends-Cerber.pcap   (602,657 bytes)
  • 2016-05-05-pseudo-Darkleech-Angler-EK-sends-Bedep-CryptXXX.pcap   (2,896,363 bytes)
  • 2016-05-05-Cerber-DECRYPT_MY_FILES.html   (12,579 bytes)
  • 2016-05-05-Cerber-DECRYPT_MY_FILES.txt   (11,247 bytes)
  • 2016-05-05-Cerber-DECRYPT_MY_FILES.vbs   (204 bytes)
  • 2016-05-05-CryptXXX-de_crypt_readme.bmp   (2,326,734 bytes)
  • 2016-05-05-CryptXXX-de_crypt_readme.html   (3,315 bytes)
  • 2016-05-05-CryptXXX-de_crypt_readme.txt   (1,638 bytes)
  • 2016-05-05-CryptXXX-ransomware.dll   (488,448 bytes)
  • 2016-05-05-EITest-Neutrino-EK-flash-exploit.swf   (71,047 bytes)
  • 2016-05-05-EITest-Neutrino-EK-landing-page.txt   (897 bytes)
  • 2016-05-05-EITest-Neutrino-EK-payload-Cerber.exe   (464,896 bytes)
  • 2016-05-05-EITest-flash-file-from-newswii.tk.swf   (15,596 bytes)
  • 2016-05-05-click-fraud-malware.dll   (319,648 bytes)
  • 2016-05-05-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,818 bytes)
  • 2016-05-05-pseudo-Darkleech-Angler-EK-landing-page.txt   (66,350 bytes)
  • 2016-05-05-pseudo-Darkllech-script-in-page-from-photobookcanada.com.txt   (163,187 bytes)


NOTES:



Shown above:  Chain of events for today's infections.


TRAFFIC


Shown above:  Pcap of the pseudo-Darkleech example filtered in Wireshark with the display filter:  http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)
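The display filter from the caption above, re-implemented over raw Ethernet/IPv4/TCP frames as an added example (not part of the original post, and not how Wireshark itself evaluates the filter): it approximates http.request by looking for an HTTP request line, and the sample frames are constructed here rather than taken from the page's pcaps.

```python
import struct
# Constructed sample frames for this example (not taken from the page's pcaps).
def build_frame(sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    return eth + ip + tcp + payload

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")   # request-line prefixes stand in for http.request
SYN_ONLY = 0x002                               # tcp.flags eq 0x0002: SYN set and nothing else

def parse_tcp(frame):
    """Return (sport, dport, flags, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    flags = ((tcp[12] & 0x01) << 8) | tcp[13]  # NS bit plus CWR..FIN, like Wireshark's tcp.flags
    return sport, dport, flags, tcp[doff:]

def matches_filter(frame):
    """http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)"""
    parsed = parse_tcp(frame)
    if parsed is None:
        return False
    sport, dport, flags, payload = parsed
    is_http_request = payload.startswith(HTTP_METHODS)
    is_tls_syn = 443 in (sport, dport) and flags == SYN_ONLY
    return is_http_request or is_tls_syn

SAMPLE_FRAMES = {
    "http_get":   build_frame(49152, 80, 0x018, b"GET /landing HTTP/1.1\r\nHost: example\r\n\r\n"),
    "tls_syn":    build_frame(49153, 443, 0x002),
    "tls_synack": build_frame(443, 49153, 0x012),                  # SYN/ACK reply: flags != 0x0002
    "tls_data":   build_frame(49153, 443, 0x018, b"\x16\x03\x01"),  # Client Hello: not a SYN
    "http_syn":   build_frame(49154, 80, 0x002),                   # SYN to port 80: neither clause
}

def triage(frames):
    """Return the names of the frames that survive the filter, in insertion order."""
    return [name for name, frame in frames.items() if matches_filter(frame)]

if __name__ == "__main__":
    print(triage(SAMPLE_FRAMES))   # ['http_get', 'tls_syn']
```

The surviving frames are the HTTP requests plus one SYN per HTTPS connection, which is why the filter gives a compact view of the redirect chain without the encrypted payload traffic.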



Shown above:  Pcap of the EITest example filtered in Wireshark.


ASSOCIATED DOMAINS

FIRST INFECTION - PSEUDO-DARKLEECH ANGLER EK SENDS BEDEP/CRYPTXXX:


SECOND INFECTION - EITEST NEUTRINO EK SENDS CERBER:


IMAGES


Shown above:  Windows desktop after pseudo-Darkleech Angler EK sent Bedep/CryptXXX.



Shown above:  Windows desktop after infecting it with Cerber sent by today's EITest Neutrino EK.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
