2016-04-26 - PSEUDO-DARKLEECH ANGLER EK FROM 85.93.93.166 SENDS BEDEP AND CRYPTXXX
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-04-26-pseudo-Darkleech-Angler-EK-sends-Bedep-and-CryptXXX.pcap.zip 3.0 MB (3,049,169 bytes)
- ZIP archive of the malware and artifacts: 2016-04-26-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip 684.3 kB (684,256 bytes)
- 2016-04-26-Bedep-post-infection-8afc49b02429a (1,279,392 bytes)
- 2016-04-26-Bedep-post-infection-CryptXXX-ransomware.dll (250,368 bytes)
- 2016-04-26-Bedep-post-infection-click-fraud-malware.dll (369,664 bytes)
- 2016-04-26-CryptXXX-de_crypt_readme.bmp (2,326,734 bytes)
- 2016-04-26-CryptXXX-de_crypt_readme.html (3,315 bytes)
- 2016-04-26-CryptXXX-de_crypt_readme.txt (1,641 bytes)
- 2016-04-26-page-from-quilty.ca-with-injected-pseudo-Darkleech-script.txt (35,859 bytes)
- 2016-04-26-pseudo-Darkleech-Angler-EK-artifacts-from-infected-host.txt (346 bytes)
- 2016-04-26-pseudo-Darkleech-Angler-EK-flash-exploit.swf (66,900 bytes)
- 2016-04-26-pseudo-Darkleech-Angler-EK-landing-page.txt (95,716 bytes)
NOTES:
- Proofpoint's blog about CryptXXX and how Angler EK and Bedep are being used to spread it is available here.
- More information on the pseudo-Darkleech campaign sending this Angler EK/Bedep/CryptXXX combo is available here.
- Background on the pseudo-Darkleech campaign can be found here.
TRAFFIC
Shown above: Pcap of the traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- 85.93.93.166 port 80 - oralement.ansonslaw.com - Angler EK
- 104.193.252.241 port 80 - qrwzoxcjatynejejsz.com - Bedep post-infection traffic
- 217.23.6.40 port 443 - CryptXXX post-infection traffic
- 5.199.141.203 port 80 - ranetardinghap.com - Click-fraud traffic starts
- 93.190.141.27 port 80 - cetinhechinhis.com - Click-fraud traffic starts
- 95.211.205.218 port 80 - tedgeroatref.com - Click-fraud traffic starts
- 104.193.252.236 port 80 - rerobloketbo.com - Click-fraud traffic starts
- 162.244.34.11 port 80 - tonthishessici.com - Click-fraud traffic starts
- 207.182.148.92 port 80 - allofuslikesforums.com - Click-fraud traffic starts
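The indicator list above is the practical takeaway of this post: one Angler EK landing on 85.93.93.166, Bedep callback on 104.193.252.241, CryptXXX traffic to 217.23.6.40 over 443, then a burst of click-fraud domains. As an added example (not part of the original post or its pcap), the script below loads those indicators, runs them over a few constructed Zeek-style HTTP/flow log lines, reconstructs the order in which the stages first appear for the infected host, and emits the Wireshark display filter that isolates the same traffic. The SAMPLE_LOG lines, the internal host 192.168.122.54 and the IP 203.0.113.9 are assumptions made up for the example; the indicator table is copied from this page.

```python
"""Added example: match log lines against this page's Angler EK / Bedep / CryptXXX indicators.

The INDICATORS table is copied from the page's "Associated domains" list.
SAMPLE_LOG is constructed for this example in a Zeek-like tab-separated
layout (ts, id.orig_h, id.resp_h, id.resp_p, host); it is NOT from the pcap.
"""
from collections import OrderedDict

# (dest IP, dest port) -> (domain or None for TLS, role in the chain), from the page
INDICATORS = {
    ("85.93.93.166", 80): ("oralement.ansonslaw.com", "Angler EK"),
    ("104.193.252.241", 80): ("qrwzoxcjatynejejsz.com", "Bedep post-infection"),
    ("217.23.6.40", 443): (None, "CryptXXX post-infection"),
    ("5.199.141.203", 80): ("ranetardinghap.com", "Click-fraud"),
    ("93.190.141.27", 80): ("cetinhechinhis.com", "Click-fraud"),
    ("95.211.205.218", 80): ("tedgeroatref.com", "Click-fraud"),
    ("104.193.252.236", 80): ("rerobloketbo.com", "Click-fraud"),
    ("162.244.34.11", 80): ("tonthishessici.com", "Click-fraud"),
    ("207.182.148.92", 80): ("allofuslikesforums.com", "Click-fraud"),
}
# Domain-only view, used as a fallback when a host resolves somewhere else.
DOMAINS = {dom: role for (_ip, _port), (dom, role) in INDICATORS.items() if dom}

# Constructed sample log (assumed values, not from the page's pcap).
# Columns: ts  id.orig_h  id.resp_h  id.resp_p  host ("-" when there is no HTTP Host)
SAMPLE_LOG = """\
1461686400.10\t192.168.122.54\t172.217.3.110\t80\twww.google.com
1461686412.30\t192.168.122.54\t85.93.93.166\t80\toralement.ansonslaw.com
1461686420.55\t192.168.122.54\t104.193.252.241\t80\tqrwzoxcjatynejejsz.com
1461686451.02\t192.168.122.54\t217.23.6.40\t443\t-
1461686470.00\t192.168.122.54\t203.0.113.9\t80\tranetardinghap.com
1461686475.00\t192.168.122.54\t95.211.205.218\t80\ttedgeroatref.com
"""


def parse_line(line):
    """Parse one tab-separated log line into a dict; '-' host becomes None."""
    ts, orig, resp, port, host = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "orig_h": orig, "resp_h": resp,
            "resp_p": int(port), "host": None if host == "-" else host.lower()}


def classify(rec):
    """Return the role label for a record, or None if it matches no indicator."""
    hit = INDICATORS.get((rec["resp_h"], rec["resp_p"]))
    if hit:
        return hit[1]
    # Fall back to the Host header: EK gates and C2 domains move between IPs,
    # so an IP-only match would miss the 203.0.113.9 line in the sample log.
    return DOMAINS.get(rec["host"]) if rec["host"] else None


def infection_chain(log_text):
    """First-seen timestamp per stage, in order of appearance in the log."""
    stages = OrderedDict()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        role = classify(rec)
        if role and role not in stages:
            stages[role] = rec["ts"]
    return list(stages.items())


def wireshark_filter():
    """Display filter that isolates traffic to the page's indicator IPs."""
    ips = sorted({ip for ip, _ in INDICATORS},
                 key=lambda s: tuple(int(o) for o in s.split(".")))
    return " || ".join(f"ip.addr == {ip}" for ip in ips)


if __name__ == "__main__":
    for role, ts in infection_chain(SAMPLE_LOG):
        print(f"{ts:.2f}  {role}")
    print(wireshark_filter())
```

The order that infection_chain() returns is the thing to check against the page: Angler EK first, Bedep next, CryptXXX on 443 after that, and click-fraud traffic only once Bedep is running. If the stages appear in a different order on a real host, the indicator table is probably matching a different campaign or a later revisit, not this chain. The Host-header fallback matters because the click-fraud domains rotate IPs far faster than the blog post can be updated.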
IMAGES
Shown above: Start of injected pseudo-Darkleech script in page from the compromised website.
Shown above: Desktop of the infected host after the Angler EK/Bedep/CryptXXX infection.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-04-26-pseudo-Darkleech-Angler-EK-sends-Bedep-and-CryptXXX.pcap.zip 3.0 MB (3,049,169 bytes)
- ZIP archive of the malware and artifacts: 2016-04-26-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip 684.3 kB (684,256 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.