2016-05-11 - ANGLER EK: TWO CAMPAIGNS, FOUR PCAPS

ASSOCIATED FILES:

  • 2016-05-10-EITest-Angler-EK-sends-Panda-banker.pcap   (1,577,060 bytes)
  • 2016-05-10-pseudo-Darkleech-Angler-EK-sends-Bedep-CryptXXX.pcap   (3,935,424 bytes)
  • 2016-05-11-EITest-Angler-EK-sends-Panda-banker.pcap   (1,330,338 bytes)
  • 2016-05-11-pseudo-Darkleech-Angler-EK-sends-CryptXXX.pcap   (1,218,541 bytes)
  • 2016-05-10-CryptXXX-decrypt-instructions.bmp   (2,023,254 bytes)
  • 2016-05-10-CryptXXX-decrypt-instructions.html   (14,190 bytes)
  • 2016-05-10-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
  • 2016-05-10-CryptXXX-ransomware.dll   (303,104 bytes)
  • 2016-05-10-EITest-Angler-EK-flash-exploit.swf   (54,442 bytes)
  • 2016-05-10-EITest-Angler-EK-landing-page.txt   (67,896 bytes)
  • 2016-05-10-EITest-Angler-EK-payload-panda-banker.exe   (527,872 bytes)
  • 2016-05-10-EITest-Angler-EK-silverlight-exploit.zip   (169,132 bytes)
  • 2016-05-10-EITest-flash-redirector-from-nzersef.tk.swf   (15,495 bytes)
  • 2016-05-10-click-fraud-malware.dll   (908,448 bytes)
  • 2016-05-10-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,910 bytes)
  • 2016-05-10-pseudo-Darkleech-Angler-EK-landing-page.txt   (67,918 bytes)
  • 2016-05-11-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
  • 2016-05-11-CryptXXX-decrypt-instructions.html   (14,190 bytes)
  • 2016-05-11-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
  • 2016-05-11-CryptXXX-ransomware.dll   (243,200 bytes)
  • 2016-05-11-EITest-Angler-EK-flash-exploit.swf   (54,448 bytes)
  • 2016-05-11-EITest-Angler-EK-landing-page.txt   (67,852 bytes)
  • 2016-05-11-EITest-Angler-EK-payload-panda-banker.exe   (451,072 bytes)
  • 2016-05-11-EITest-Angler-EK-silverlight-exploit.zip   (169,132 bytes)
  • 2016-05-11-EITest-flash-redirector-from-kogojo.tk.swf   (15,495 bytes)
  • 2016-05-11-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,914 bytes)
  • 2016-05-11-pseudo-Darkleech-Angler-EK-landing-page.txt   (67,934 bytes)
BACKGROUND:
CRYPTXXX NOTES:

2016-05-10 (YESTERDAY) ANGLER EK --> BEDEP --> CRYPTXXX:

  • C:\Users\[username]\AppData\Local\Temp\{602851EB-C432-4D0E-96F9-61DC616687E8}\api-ms-win-system-shsetup-l1-1-0.dll   [CryptXXX]
  • C:\Users\[username]\AppData\Local\Temp\{602851EB-C432-4D0E-96F9-61DC616687E8}\svchost.exe   [runDLL32.exe]
  • C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\vfnws.dll   [click-fraud malware]

2016-05-11 (TODAY) ANGLER EK --> CRYPTXXX (NO BEDEP):

  • C:\Users\[username]\AppData\Local\Temp\2CE.tmp.dll   [CryptXXX]
  • C:\Users\[username]\AppData\Local\Temp\svchost.exe   [runDLL32.exe]
Shown above:  There was a lock screen preventing me from accessing the desktop on the infected Windows host.
Shown above:  Animated gif showing the last line cycling through different colors.
Shown above:  The infected Windows host after I rebooted it.
PSEUDO-DARKLEECH TRAFFIC


Shown above:  Pcap of the traffic from Tuesday 2016-05-10, filtered in Wireshark with the display filter:  http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)
Shown above:  Pcap of the traffic from Wednesday 2016-05-11, filtered in Wireshark with the same display filter:  http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)
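That display filter keeps every HTTP request plus only the first packet (SYN, no other flags) of each TCP connection involving port 443, which is what lets the redirect chain stand out without the encrypted traffic in the way. The script below is an added example, not part of this post, that applies the same filter to a pcap with nothing but the Python standard library; the pcap and its four frames are constructed inline and the function names are my own.

```python
import socket
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")  # request lines that http.request matches in practice

def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero, which parsing ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xA1B2C3D4, linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

def match(frame):
    """Apply the display filter to one frame: 'http.request', 'tls-syn', or None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:      # IPv4 over Ethernet carrying TCP only
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    syn_only = tcp[13] == 0x02 and (tcp[12] & 0x01) == 0   # tcp.flags eq 0x0002: SYN set, nothing else (NS clear)
    payload = tcp[(tcp[12] >> 4) * 4:]
    if payload.startswith(HTTP_METHODS):
        return "http.request"
    return "tls-syn" if 443 in (sport, dport) and syn_only else None

def filter_pcap(data):
    """Walk the pcap records; return (frame index, reason) for every frame that passes the filter."""
    hits, off, idx = [], 24, 0
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        r = match(data[off + 16:off + 16 + incl])
        if r:
            hits.append((idx, r))
        off, idx = off + 16 + incl, idx + 1
    return hits

# Constructed sample: a plain HTTP GET (kept), a client SYN to 443 (kept), the server's SYN/ACK
# and a TLS ClientHello on the same connection (both dropped, as they would be in Wireshark).
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "198.51.100.10", 49152, 80, 0x18,
                b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    build_frame("10.0.0.5", "198.51.100.20", 49153, 443, 0x02),
    build_frame("198.51.100.20", "10.0.0.5", 443, 49153, 0x12),
    build_frame("10.0.0.5", "198.51.100.20", 49153, 443, 0x18, b"\x16\x03\x01\x00\x05hello"),
])
```

Pointing filter_pcap() at the bytes of a real capture (for example one of the pcaps listed above) gives the same frame set the Wireshark screenshot shows, minus packet details.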
SOME OF THE ASSOCIATED DOMAINS:
NOTES FOR THE EITEST ANGLER EK

The EITest Angler EK traffic sent Panda Banker malware.  Characteristics of the malware from both days are similar, and I saw EmergingThreats events for Panda Banker caused by this malware.
Shown above:  Malware from the Tuesday 2016-05-10 EITest Angler EK infection.
Shown above:  Some post-infection alerts after the 2016-05-10 EITest Angler EK.
Shown above:  Malware from the Wednesday 2016-05-11 EITest Angler EK infection.
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.