2016-04-13 - PSEUDO-DARKLEECH ANGLER EK SENDS TESLACRYPT

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-04-13-pseudo-Darkleech-Angler-EK-pcaps.zip   851 kB (851,184 bytes)

• 2016-04-13-malwr.com-analysis-of-TeslaCrypt-sample.pcap   (13,739 bytes)
• 2016-04-13-pseudo-Darkleech-Angler-EK-after-medical-library.net-first-run.pcap   (565,073 bytes)
• 2016-04-13-pseudo-Darkleech-Angler-EK-after-medical-library.net-second-run.pcap   (521,905 bytes)

• ZIP archive of the malware and artifacts:  2016-04-13-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip   575 kB (575,016 bytes)

• 2016-04-13-page-from-medical-library.net-with-injected-script-first-run.txt   (103,261 bytes)
• 2016-04-13-page-from-medical-library.net-with-injected-script-second-run.txt   (49,371 bytes)
• 2016-04-13-pseudo-Darkleech-Angler-EK-flash-exploit-after-medical-library.net-first-run.swf   (66,575 bytes)
• 2016-04-13-pseudo-Darkleech-Angler-EK-flash-exploit-after-medical-library.net-second-run.swf   (103,261 bytes)
• 2016-04-13-pseudo-Darkleech-Angler-EK-landing-page-after-medical-library.net-first-run.txt   (149,515 bytes)
• 2016-04-13-pseudo-Darkleech-Angler-EK-landing-page-after-medical-library.net-second-run.txt   (149,463 bytes)
• 2016-04-13-pseudo-Darkleech-Angler-EK-payload-TeslaCrypt-after-medical-library.net.exe   (229,376 bytes)
• 2016-04-13-pseudo-Darkleech-script-returned-from-dpvuppocw.hopto.org.txt   (7,261 bytes)
• 2016-04-13-pseudo-Darkleech-script-returned-from-rbedfqo.hopto.org.txt   (7,531 bytes)

NOTES:

• Background on the pseudo-Darkleech campaign can be found here.

• The TeslaCrypt payload didn't appear to execute properly in my lab.  I ran it in a couple of public sandboxes for more information.

• https://malwr.com/analysis/NTBjMTFlNTBiMTU2NDg1NGJjZDkwZjIwYmYxOTVhOWM/.
• https://www.hybrid-analysis.com/sample/9757d0220183b20bc322df98fa1502f191b37934a1a4461be5fd94c96defd817?environmentId=4

 

Shown above:  Pcap of the infection traffic filtered in Wireshark - first run.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark - second run.

 

Shown above:  Pcap from malwr.com's analysis of the payload, showing TeslaCrypt post-infection traffic.

 

ASSOCIATED DOMAINS:

• 83.217.27.178 port 80 - dpvuppocw.hopto.org and rbedfqo.hopto.org - GET /wordpress/?bf7N&utm_source=le   --   gate/redirect to Angler EK
• 212.22.85.152 port 80 - pahlevi.30awineclub.com   --   Angler EK (first run)
• 5.39.32.182 port 80 - mesopotamienbryology.buyclubcar.com   --   Angler EK (second run)
• 74.220.207.112 port 80 - loseweightwithmysite.com - POST /sys_info.php   --   TeslaCrypt callback from malwr.com analysis (site suspended)
• 72.41.18.2 port 80 - helcel.com - POST /sys_init.php   --   TeslaCrypt callback from malwr.com analysis

 

IMAGES

Shown above:  Injected script in page from the compromised website (second run).

 

Shown above:  Start of injected pseudo-Darkleech script returned from the hopto.org gate (second run).

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-04-13-pseudo-Darkleech-Angler-EK-pcaps.zip   851 kB (851,184 bytes)
• ZIP archive of the malware and artifacts:  2016-04-13-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip   575 kB (575,016 bytes)

The ZIP files are password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.