2016-04-28 - PSEUDO-DARKLEECH ANGLER EK FROM 92.222.67.38 SENDS BEDEP/CRYPTXXX

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-04-28-pseudo-Darkleech-Angler-EK-sends-Bedep-CryptXXX.pcap.zip   1.9 MB (1,860,560 bytes)

• 2016-04-28-pseudo-Darkleech-Angler-EK-sends-Bedep-CryptXXX.pcap   (2,040,185 bytes)

• ZIP archive of the malware and artifacts:  2016-04-28-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip   644.6 kB (644,631 bytes)

• 2016-04-28-8afc49b02429a   (262,368 bytes)
• 2016-04-28-CryptXXX-de_crypt_readme.bmp   (3,102,294 bytes)
• 2016-04-28-CryptXXX-de_crypt_readme.html   (3,315 bytes)
• 2016-04-28-CryptXXX-de_crypt_readme.txt   (1,638 bytes)
• 2016-04-28-CryptXXX-ransomware.dll   (266,240 bytes)
• 2016-04-28-artifacts.txt   (285 bytes)
• 2016-04-28-click-fraud-malware.dll   (347,296 bytes)
• 2016-04-28-page-from-promobag.pl-with-injected-pseudo-Darkleech-script.txt   (43,052 bytes)
• 2016-04-28-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,918 bytes)
• 2016-04-28-pseudo-Darkleech-Angler-EK-landing-page.txt   (69,729 bytes)

 

NOTES:

• Details on CryptXXX are available here.
• Background on the pseudo-Darkleech campaign can be found here.

 

TRAFFIC

Shown above:  Pcap of traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 92.222.67.38 port 80 - sosteran.colliercountycommission.com - Angler EK
• 82.141.230.141 port 80 - irahapafutsjibo.com - Bedep post-infection traffic
• 104.193.252.241 port 80 - psnehgrgrwpgxmtc.com - Bedep post-infection traffic
• 217.23.6.40 port 443 - CryptXXX post-infection traffic
• 5.199.141.203 port 80 - ranetardinghap.com - post-infection click-fraud domain
• 62.75.207.26 port 80 - kimpelasomasot.com - post-infection click-fraud domain
• 93.190.141.27 port 80 - cetinhechinhis.com - post-infection click-fraud domain
• 95.211.205.218 port 80 - tedgeroatref.com - post-infection click-fraud domain
• 104.193.252.236 port 80 - rerobloketbo.com - post-infection click-fraud domain
• 162.244.34.11 port 80 - tonthishessici.com - post-infection click-fraud domain

 

IMAGES

Shown above:  Injected pseudo-Darkleech script in page from the compromised website.

 

Shown above:  Desktop of the first infected Windows host after Angler EK sent Bedep and CryptXXX.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-04-28-pseudo-Darkleech-Angler-EK-sends-Bedep-CryptXXX.pcap.zip   1.9 MB (1,860,560 bytes)
• ZIP archive of the malware and artifacts:  2016-04-28-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip   644.6 kB (644,631 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.