2016-04-23 - PCAP AND MALWARE FOR AN ISC DIARY I WROTE

ASSOCIATED FILES:

• ZIP archive of the traffc:  2016-04-23-pcap-for-ISC-diary.pcap.zip  3.9 MB (3,853,560 bytes)
• ZIP archive of the malware and artifacts:  2016-04-23-malware-and-artifacts-for-ISC-diary.zip  1.8 MB (1,825,202 bytes)

• 3A1DC4C4719C.dat   (3 bytes)   C:\ProgramData\3A1DC4C4719C.dat   [something related to the click-fraud malware, I think]
• 8afc49b02429a   (1,279,328 bytes)   C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a   [data downloaded by Bedep]
• msvcp60.dll   (348,160 bytes)   C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\msvcp60.dll   [Click-fraud malware downloaded by Bedep]

• de_crypt_readme.bmp   (232,6734 bytes)   [decrypt instructions for the CryptXXX ransomware]
• de_crypt_readme.html   (3,315 bytes)   [decrypt instructions for the CryptXXX ransomware]
• de_crypt_readme.txt   (1,638 bytes)   [decrypt instructions for the CryptXXX ransomware]
• api-ms-win-system-acproxy-l1-1-0.dll   (361,472 bytes)   C:\Users\[username]\AppData\Local\Temp\{F4DD9BAF-BD38-4055-90EE-07C071479B6A}\api-ms-win-system-acproxy-l1-1-0.dll   [CryptXXX ransomware]

 

NOTES:

This is Angler EK/Bedep/CryptXXX traffic I recorded on Saturday 2016-04-23 from approximately 02:28 UTC.

The associated ISC diary is here.

 

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.