2016-05-12 - PSEUDO-DARKLEECH ANGLER EK FROM 69.162.126.171 SENDS CRYPTXXX

ASSOCIATED FILES:

  • 2016-05-12-pseudo-Darkleech-Angler-EK-sends-CryptXXX.pcap   (1,080,228 bytes)
  • 2016-05-12-CryptXXX-decrypt-instructions.bmp   (368,6454 bytes)
  • 2016-05-12-CryptXXX-decrypt-instructions.html   (14,190 bytes)
  • 2016-05-12-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
  • 2016-05-12-page-from-itsocialtech.com-with-injected-pseudo-Darkleech-script.txt   (92,707 bytes)
  • 2016-05-12-pseudo-Darkleech-Angler-EK-CryptXXX-ransomware.dll   (247,296 bytes)
  • 2016-05-12-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,811 bytes)
  • 2016-05-12-pseudo-Darkleech-Angler-EK-landing-page.txt   (95,516 bytes)

 

NOTES:

 


Shown aboe:  Chain of eents for today's infection.

 

TRAFFIC


Shown aboe:  Pcap of the traffic on a normal host filtered in Wireshark.   http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)

 

ASSOCIATED DOMAINS:

 

IMAGES


Shown aboe:  Start of injected pseudo-Darkleech script from the compromised website.

 


Shown aboe:  Somewhere in the middle of injected pseudo-Darkleech script from the compromised website.

 


Shown aboe:  End of injected pseudo-Darkleech script from the compromised website.

 


Shown aboe:  Lock screen from the Windows host after today's Angler EK/CryptXXX infection.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.


Copyright © 2016 | Malware-Traffic-Analysis.net