2016-05-09 - PSEUDO-DARKLEECH ANGLER EK FROM 185.118.66.154 SENDS BEDEP/CRYPTXXX

ASSOCIATED FILES:

  • 2016-05-09-pseudo-Darkleech-Angler-EK-on-a-VM.pcap   (780,111 bytes)
  • 2016-05-09-pseudo-Darkleech-Angler-EK-on-a-normal-host-sends-Bedep-CryptXXX.pcap   (4,114,289 bytes)
  • 2016-05-09-CryptXXX-decrypt-instructions.bmp   (2,023,254 bytes)
  • 2016-05-09-CryptXXX-decrypt-instructions.html   (14,193 bytes)
  • 2016-05-09-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
  • 2016-05-09-CryptXXX-ransomware.dll   (266,240 bytes)
  • 2016-05-09-click-fraud-malware.dll   (910,496 bytes)
  • 2016-05-09-page-from-justmyvegas.com-with-pseudo-Darkleech-script.txt   (16,848 bytes)
  • 2016-05-09-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,870 bytes)
  • 2016-05-09-pseudo-Darkleech-Angler-EK-landing-page.txt   (169,412 bytes)
NOTES:
Shown above:  Chain of events for today's infection.
TRAFFIC


Shown above:  Pcap of the traffic on a normal host, filtered in Wireshark with the display filter:  http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)
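The display filter in that caption, reimplemented in Python as an added example (not code from the original post): it walks a classic libpcap file with only the standard library and keeps HTTP requests plus SYN-only segments to or from port 443, which is how the filter isolates the EK landing page, Flash exploit, payload download and the start of each TLS session in one view. It assumes Ethernet link type and IPv4 (not pcapng); the three-packet capture is constructed inline, not taken from the pcaps above.

```python
import struct

def _tcp_fields(frame):
    """Decode Ethernet/IPv4/TCP; return (sport, dport, flags, payload) or None if not TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4 over Ethernet, or IP protocol is not 6 (TCP)
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet header and IP header (IHL)
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return sport, dport, off_flags & 0x1FF, tcp[(off_flags >> 12) * 4:]

def matches_filter(frame):
    """Python equivalent of: http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)."""
    fields = _tcp_fields(frame)
    if fields is None:
        return False
    sport, dport, flags, payload = fields
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")) and b" HTTP/1." in payload[:200]:
        return True  # http.request (request line heuristic, any port)
    return 443 in (sport, dport) and flags == 0x002  # tcp.port eq 443 and SYN only

def iter_pcap_frames(data):
    """Yield raw frames from libpcap-format bytes (assumes Ethernet link type, not pcapng)."""
    endian = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len

def build_frame(sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for testing only (no checksums, made-up hosts)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: an HTTP GET, a TLS client SYN, and a SYN/ACK that must not match."""
    frames = [build_frame(49152, 80, 0x018, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
              build_frame(49153, 443, 0x002), build_frame(443, 49153, 0x012)]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, snaplen, Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def filter_pcap(data):
    """Return the 0-based indices of frames the display filter would keep."""
    return [i for i, f in enumerate(iter_pcap_frames(data)) if matches_filter(f)]
```

To run it over one of the captures listed above, pass `open(path, "rb").read()` to `filter_pcap`.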
Shown above:  Pcap of the traffic on a VM filtered in Wireshark.   The VM traffic is representative up through the first Bedep post-infection traffic to 82.141.230.141.
After that, Bedep acts differently.  Once Bedep detects it is running on a VM, you'll see it contact 95.211.205.228 and download different malware.
As usual, there is no CryptXXX when the Angler EK/Bedep infection is done on a VM, and any click-fraud traffic is a ruse.
@Kafeine discusses this recent change in Bedep behavior here.
ASSOCIATED DOMAINS:

TRAFFIC CAUSED BY BEDEP:

TRAFFIC CAUSED BY CRYPTXXX:

TRAFFIC CAUSED BY CLICK-FRAUD MALWARE:
IMAGES


Shown above:  Start of pseudo-Darkleech script returned from compromised website.
Shown above:  Desktop of the Windows host after today's Angler EK/Bedep/CryptXXX infection.
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.