2016-04-22 - PSEUDO-DARKLEECH ANGLER EK FROM 192.169.189.151 SENDS BEDEP/CRYPTXXX
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-04-22-pseudo-Darkleech-Angler-EK-traffic.pcap.zip 5.5 MB (5,483,927 bytes)
- ZIP archive of the malware and artifacts: 2016-04-22-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip 1.9 MB (1,940,011 bytes)
- 2016-04-22-CryptXXX-de_crypt_readme.bmp (232,6734 bytes)
- 2016-04-22-CryptXXX-de_crypt_readme.html (3,315 bytes)
- 2016-04-22-CryptXXX-de_crypt_readme.txt (1,638 bytes)
- 2016-04-22-CryptXXX-ransomware.dll (356,352 bytes)
- 2016-04-22-click-fraud-malware-retreived-by-Bedep.dll (342,528 bytes)
- 2016-04-22-file-in-same-directory-as-click-fraud-DLL-8afc49b02429a (1,279,328 bytes)
- 2016-04-22-page-from-whitenmysmilenow.com-with-injected-pseudo-Darkleech-script.txt (171,507 bytes)
- 2016-04-22-pseudo-Darkleech-Angler-EK-flash-exploit.swf (40,370 bytes)
- 2016-04-22-pseudo-Darkleech-Angler-EK-landing-page.txt (69,086 bytes)
NOTES:
- Proofpoint's blog pose about CryptXXX ransomware and how Angler EK and Bedep are being used to spread it can be found here.
- Background on the pseudo-Darkleech campaign can be found here.
- To clarify, Angler EK sends Bedep. Bedep then grabs CryptXXX and click-fraud malware (and anything else Bedep does).
Shown above: @BeibesMalwareGuy earlier today, letting me know about some Angler EK he found.
TRAFFIC
Shown above: Pcap of the traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- 192.169.189.151 port 80 - lastblankuttaenot.realityshowforyou.com - Angler EK
- 104.193.252.241 port 80 - qrwzoxcjatynejejsz.com - Bedep post-infection activity, to include downloading CryptXXX ransomware and click-fraud malware
- 217.23.6.40 port 443 - CryptXXX ransomware callback traffic
- 95.211.205.218 port 80 - tedgeroatref.com - GET /ads.php?sid=1957 [traffic from the click-fraud malware]
- 93.190.141.27 port 80 - cetinhechinhis.com - GET /adsc.php?sid=1957 [traffic from the click-fraud malware]
- 207.182.148.92 port 80 - allofuslikesforums.com - GET /ads.php?sid=1957 [traffic from the click-fraud malware]
- 162.244.34.11 port 80 - tonthishessici.com - GET /ads.php?sid=1957 [traffic from the click-fraud malware]
- 104.193.252.236 port 80 - rerobloketbo.com - GET /ads.php?sid=1957 [traffic from the click-fraud malware]
ARTIFACTS FROM THE INFECTED HOST
CRYPTXXX RANSOMWARE:
- C:\Users\[username]\AppData\Local\Temp\{A18A2245-4284-46C4-BCD0-5F3F83934EC6}\appmgr60.dll
- C:\Users\[username]\AppData\Local\Temp\{A21138D4-B418-4825-B9A9-97DEF76AAEF3}\api-ms-win-system-scksp-l1-1-0.dll
- C:\Users\[username]\AppData\Local\Temp\{BF095D8C-615E-44F3-84D3-BE145BD5F625}\api-ms-win-system-FntCache-l1-1-0.dll
CLICK-FRAUD ARTIFACT AND MALWARE:
- C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a [artifact]
- C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\shsetup.dll [malware]
REGISTRY KEYS ASSOCIATED WITH THE CLICK-FRAUD MALWARE:
- HKEY_CLASSES_ROOT\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
- HKEY_CURRENT_USER\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
VALUES FOR THE ABOVE 3 REGISTRY KEYS (NAME TYPE DATA):
- (Default) REG_SZ C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\shsetup.dll
- ThreadingModel REG_SZ Apartment
IMAGES
Shown above: Start of injected pseudo-Darkleech script in page from the compromised website.
Shown above: The infected desktop after being hit with Angler EK sending Bedep, then Bedep grabbing CryptXXX.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-04-22-pseudo-Darkleech-Angler-EK-traffic.pcap.zip 5.5 MB (5,483,927 bytes)
- ZIP archive of the malware and artifacts: 2016-04-22-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip 1.9 MB (1,940,011 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.