2016-05-23 - PSEUDO-DARKLEECH ANGLER EK FROM 91.134.206.131 SENDS CRYPTXXX

ASSOCIATED FILES:

  • 2016-05-23-pseudo-Darkleech-Angler-EK-sends-CryptXXX-first-run.pcap   (1,279,554 bytes)
  • 2016-05-23-pseudo-Darkleech-Angler-EK-sends-CryptXXX-second-run.pcap   (1,247,480 bytes)
  • 2016-05-23-CryptXXX_decrypt-instructions.bmp   (3,686,454 bytes)
  • 2016-05-23-CryptXXX_decrypt-instructions.html   (14,190 bytes)
  • 2016-05-23-CryptXXX_decrypt-instructions.txt   (1,755 bytes)
  • 2016-05-23-page-from-oakfarmsdairy.com-with-injected-pseudoDarkleech-script-first-run.txt   (16,096 bytes)
  • 2016-05-23-page-from-oakfarmsdairy.com-with-injected-pseudoDarkleech-script-second-run.txt   (17,105 bytes)
  • 2016-05-23-pseudo-Darkleech-Angler-EK-flash-exploit-vs-flash-20.0.0.306.swf   (66,735 bytes)
  • 2016-05-23-pseudo-Darkleech-Angler-EK-flash-exploit-vs-flash-21.0.0.213.swf   (67,574 bytes)
  • 2016-05-23-pseudo-Darkleech-Angler-EK-landing-page-first-run.txt   (104,443 bytes)
  • 2016-05-23-pseudo-Darkleech-Angler-EK-landing-page-second-run.txt   (104,475 bytes)
  • 2016-05-23-pseudo-Darkleech-Angler-EK-payload-CryptXXX.dll   (311,296 bytes)

NOTES:

Shown above:  Tweet from last week about today's compromised website.

Shown above:  Chain of events for today's infection.

TRAFFIC

Shown above:  Pcap of the traffic filtered in Wireshark, first run, using the display filter:   http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)

Shown above:  Pcap of the traffic filtered in Wireshark, second run, using the same display filter:   http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)

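The Wireshark display filter used in both captions above keeps HTTP requests plus the first SYN of each TLS connection, which is what makes the infection chain readable in one list. As an added example, not code from the original post, the following standard-library Python script reproduces that filter over a pcap. The frames it parses are constructed in the script with RFC 5737 addresses and are not taken from the page's captures. Two assumptions are made explicit in the code: "http.request" is approximated by checking for an HTTP method at the start of the TCP payload (Wireshark's dissector is port- and heuristic-based), and "tcp.flags eq 0x0002" is taken literally, so SYN/ACK replies and bare ACKs on port 443 are excluded.

```python
import struct

# Added example: reproduce the Wireshark display filter from the page,
#   http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)
# over a pcap using only the standard library. All sample frames below are
# constructed (RFC 5737 addresses) and are not from the page's pcaps.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
TCP_SYN = 0x02  # exactly SYN; SYN/ACK (0x12) does not satisfy "tcp.flags eq 0x0002"


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for offline parsing)."""
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Little-endian libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1463990400 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    """Yield raw frames from pcap bytes, honouring the byte order given by the magic."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return the fields the filter needs, or None for non-IPv4/TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    ip_total = struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl                          # start of the TCP header
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4   # TCP header length in bytes
    return {
        "src": ".".join(map(str, frame[26:30])),
        "dst": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport,
        "flags": frame[t + 13],
        "payload": frame[t + data_off:14 + ip_total],
    }


def match_reason(pkt):
    """Mirror the display filter; 'http.request' is approximated by a request-line prefix."""
    if pkt["payload"].startswith(HTTP_METHODS):
        return "http.request"
    if 443 in (pkt["sport"], pkt["dport"]) and pkt["flags"] == TCP_SYN:
        return "tls-syn"
    return None


def filter_pcap(data):
    """Return (src, sport, dst, dport, reason) for every frame the filter keeps."""
    hits = []
    for frame in iter_pcap_frames(data):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue
        reason = match_reason(pkt)
        if reason:
            hits.append((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], reason))
    return hits


# Constructed sample capture: one HTTP session, one TLS handshake start, one more HTTP request.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.0.2.10", "198.51.100.7", 49200, 80, 0x02),    # SYN to :80 -> dropped
    build_tcp_frame("192.0.2.10", "198.51.100.7", 49200, 80, 0x18,
                    b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),            # HTTP request -> kept
    build_tcp_frame("192.0.2.10", "203.0.113.5", 49201, 443, 0x02),    # SYN to :443 -> kept
    build_tcp_frame("203.0.113.5", "192.0.2.10", 443, 49201, 0x12),    # SYN/ACK -> dropped
    build_tcp_frame("192.0.2.10", "203.0.113.5", 49201, 443, 0x10),    # bare ACK -> dropped
    build_tcp_frame("192.0.2.10", "198.51.100.9", 49202, 8080, 0x18,
                    b"POST /gate HTTP/1.1\r\n\r\n"),                  # HTTP request -> kept
])

if __name__ == "__main__":
    for src, sport, dst, dport, why in filter_pcap(SAMPLE_PCAP):
        print(f"{src}:{sport} -> {dst}:{dport}  [{why}]")
```

To run it against one of the captures listed on this page, read the file's bytes and pass them to filter_pcap in place of SAMPLE_PCAP; the parser assumes Ethernet link-layer frames, as in the page's pcaps, and does not handle IPv6 or VLAN tags.
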
ASSOCIATED DOMAINS:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.