Malware-Traffic-Analysis.net - 2016-05-12 - pseudo-Darkleech Angler EK from 69.162.126.171 sends CryptXXX

2016-05-12 - PSEUDO-DARKLEECH ANGLER EK FROM 69.162.126.171 SENDS CRYPTXXX

ASSOCIATED FILES:

ZIP archive of the pcap: 2016-05-12-pseudo-Darkleech-Angler-EK-sends-CryptXXX.pcap.zip 993.1 kB (993,127 bytes)

2016-05-12-pseudo-Darkleech-Angler-EK-sends-CryptXXX.pcap (1,080,228 bytes)

ZIP archie of the malware and artifacts: 2016-05-12-pseudo-Darkleech-Angler-EK-sends-CryptXXX-malware-and-artifacts.zip 332.7 kB (332,655 bytes)

2016-05-12-CryptXXX-decrypt-instructions.bmp (368,6454 bytes)

2016-05-12-CryptXXX-decrypt-instructions.html (14,190 bytes)

2016-05-12-CryptXXX-decrypt-instructions.txt (1,755 bytes)

2016-05-12-page-from-itsocialtech.com-with-injected-pseudo-Darkleech-script.txt (92,707 bytes)

2016-05-12-pseudo-Darkleech-Angler-EK-CryptXXX-ransomware.dll (247,296 bytes)

2016-05-12-pseudo-Darkleech-Angler-EK-flash-exploit.swf (66,811 bytes)

2016-05-12-pseudo-Darkleech-Angler-EK-landing-page.txt (95,516 bytes)

NOTES:

Today's CryptXXX ransomware DLL: C:\Users\[username]\AppData\Local\Temp\D2B9.tmp.dll [VT link]
Today's rundll32.exe used to run the CryptXXX DLL: C:\Users\[username]\AppData\Local\Temp\schost.exe [VT link]

Background on the pseudo-Darkleech campaign is aailable here.
Proofpoint's blog on Angler EK spreading CryptXXX can be found here.
An ISC diary I wrote about pseudo-Darkleech causing Angler EK/Bedep/CryptXXX infections is located here.

Shown aboe: Chain of eents for today's infection.

TRAFFIC

Shown aboe: Pcap of the traffic on a normal host filtered in Wireshark. http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)

ASSOCIATED DOMAINS:

69.162.126.171 port 80 - prookasieskansanlaulun.jamesaweddingphotography.co.uk - Angler EK
144.76.82.19 port 443 - CryptXXX post-infection traffic (custom encoded)

IMAGES

Shown aboe: Start of injected pseudo-Darkleech script from the compromised website.

Shown aboe: Somewhere in the middle of injected pseudo-Darkleech script from the compromised website.

Shown aboe: End of injected pseudo-Darkleech script from the compromised website.

Shown aboe: Lock screen from the Windows host after today's Angler EK/CryptXXX infection.

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcap: 2016-05-12-pseudo-Darkleech-Angler-EK-sends-CryptXXX.pcap.zip 993.1 kB (993,127 bytes)
ZIP archie of the malware and artifacts: 2016-05-12-pseudo-Darkleech-Angler-EK-sends-CryptXXX-malware-and-artifacts.zip 332.7 kB (332,655 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.