2016-05-31 - PSEUDO-DARKLEECH ANGLER EK FROM 93.170.76.189 SENDS BEDEP/CRYPTXXX

ASSOCIATED FILES:

  • 2016-05-31-pseudoDarkleech-Angler-EK-first-run-on-a-VM.pcap   (6,362,131 bytes)
  • 2016-05-31-pseudoDarkleech-Angler-EK-second-run-on-a-normal-host.pcap   (3,452,711 bytes)
  • 2016-05-31-CryptXXX-decrypt-instructions.bmp   (6,220,854 bytes)
  • 2016-05-31-CryptXXX-decrypt-instructions.html   (5,716 bytes)
  • 2016-05-31-CryptXXX-decrypt-instructions.txt   (989 bytes)
  • 2016-05-31-CryptXXX.dll   (204,800 bytes)
  • 2016-05-31-click-fraud-malware.dll   (405,312 bytes)
  • 2016-05-31-page-from-ampmworld-wide.com-with-injected-pseudoDarkleech-script-first-run.txt   (35,347 bytes)
  • 2016-05-31-page-from-ampmworld-wide.com-with-injected-pseudoDarkleech-script-second-run.txt   (41,570 bytes)
  • 2016-05-31-pseudoDarkleech-Angler-EK-flash-exploit-both-runs.swf   (40,817 bytes)
  • 2016-05-31-pseudoDarkleech-Angler-EK-landing-page-first-run.txt   (101,511 bytes)
  • 2016-05-31-pseudoDarkleech-Angler-EK-landing-page-second-run.txt   (101,491 bytes)

NOTES:

Shown above: Flow chart for today's infection.

TRAFFIC


Shown above: Pcap of the traffic on a normal host, filtered in Wireshark with the display filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

Shown above: Pcap of the traffic on a VM, filtered in Wireshark with the same display filter.

NOTE: Bedep is very VM-aware, and it won't work properly on a VM unless you've managed to adequately disguise it.  Otherwise, a Bedep-infected VM will endlessly cycle through HTTP POST requests to different DGA domains with different URL patterns: no CryptXXX, no click-fraud malware, nothing else.  @Kafeine reported recent changes in Bedep behavior back in April 2016 showing how much more VM-aware it has become (link).
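The Bedep-on-a-VM symptom described in the note (an endless stream of HTTP POSTs to ever-changing DGA domains) can be turned into a simple detection heuristic over HTTP logs. The following is an added Python example, not code from this site; the log layout, the sample lines and the thresholds are constructed assumptions:

```python
"""Heuristic for the Bedep-on-a-VM symptom described above: one host cycling
through HTTP POSTs to many distinct DGA domains that never repeat.
Added example; the log layout, sample lines and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample lines in an assumed "ts src method host uri" layout.
SAMPLE_LOG = """\
1464700000 192.168.1.52 POST qzvxkljwrt.com /n3/A1bC
1464700002 192.168.1.52 POST plmhgtrcsa.net /x9/Zz0q
1464700004 192.168.1.52 POST wkrtnbvxcz.com /n3/Q2eR
1464700006 192.168.1.52 POST bnmrtyhjkl.org /a7/Lp9m
1464700008 192.168.1.52 POST asdfgzxcvq.com /x9/Hh3k
1464700010 192.168.1.52 POST ujmikolpzx.net /n3/Tt5v
1464700012 192.168.1.52 POST edcrfvtgby.com /a7/Ww8c
1464700014 192.168.1.52 POST zxcvbnmasd.org /x9/Ee1n
1464700016 192.168.1.52 POST qwertyuiop.com /n3/Rr4j
1464700018 192.168.1.52 POST lkjhgfdsaq.net /a7/Yy6b
1464700001 192.168.1.20 GET www.example.com /index.html
1464700005 192.168.1.20 POST www.example.com /login
1464700009 192.168.1.20 POST www.example.com /api/update
1464700013 192.168.1.20 POST mail.example.com /send
"""

def parse_posts(log_text):
    """Return {src: [host, ...]} for HTTP POST lines only."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        _ts, src, method, host, _uri = fields
        if method == "POST":
            posts[src].append(host.lower())
    return posts

def flag_post_cycling(log_text, min_posts=8, min_unique_ratio=0.8):
    """Flag sources whose POST destinations almost never repeat.
    Returns {src: (post_count, unique_hosts)} for flagged sources."""
    flagged = {}
    for src, hosts in parse_posts(log_text).items():
        unique = len(set(hosts))
        if len(hosts) >= min_posts and unique / len(hosts) >= min_unique_ratio:
            flagged[src] = (len(hosts), unique)
    return flagged

if __name__ == "__main__":
    for src, (n, u) in flag_post_cycling(SAMPLE_LOG).items():
        print(f"{src}: {n} POSTs to {u} distinct hosts, possible DGA cycling")
```

The thresholds are deliberately loose; a real deployment would tune them per environment and combine the signal with the DGA domain and URL patterns captured in the pcaps above.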

ANGLER EK:

BEDEP POST-INFECTION TRAFFIC ON A NORMAL HOST:

BEDEP POST-INFECTION TRAFFIC ON A VM:

CRYPTXXX POST-INFECTION TRAFFIC:

CLICK-FRAUD TRAFFIC BEGINS:

IMAGES


Shown above: Start of the pseudo-Darkleech script injected into the compromised website.

Shown above: Desktop of the Windows host after today's Angler EK/Bedep/CryptXXX infection.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.