Malware-Traffic-Analysis.net - 2016-04-28 - pseudo-Darkleech Angler EK from 92.222.67[.]38 sends Bedep and CryptXXX ransomware

2016-04-28 - PSEUDO-DARKLEECH ANGLER EK FROM 92.222.67[.]38 SENDS BEDEP AND CRYPTXXX RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-04-28-pseudo-Darkleech-Angler-EK-sends-Bedep-and-CryptXXX-ransomware.pcap.zip 1.9 MB (1,860,590 bytes)

2016-04-28-pseudo-Darkleech-Angler-EK-sends-Bedep-and-CryptXXX-ransomware.pcap (2,040,185 bytes)

2016-04-28-pseudo-Darkleech-Angler-EK-and-Bedep-and-CryptXXX-ransomware-files.zip 646.4 kB (646,409 bytes)

2016-04-28-CryptXXX-ransomware-de_crypt_readme.bmp (3,102,294 bytes)

2016-04-28-CryptXXX-ransomware-de_crypt_readme.html (3,315 bytes)

2016-04-28-CryptXXX-ransomware-de_crypt_readme.txt (1,638 bytes)

2016-04-28-CryptXXX-ransomware.dll (266,240 bytes)

2016-04-28-list-of-artifacts.txt (296 bytes)

2016-04-28-click-fraud-malware.dll (347,296 bytes)

2016-04-28-page-from-promobag_pl-with-injected-pseudo-Darkleech-script.txt (43,052 bytes)

2016-04-28-pseudo-Darkleech-Angler-EK-flash-exploit.swf (66,918 bytes)

2016-04-28-pseudo-Darkleech-Angler-EK-landing-page.txt (69,729 bytes)

NOTES:

Details on CryptXXX ransomware are available here.
Background on the pseudo-Darkleech campaign can be found here.

TRAFFIC

Shown above: Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS:

92.222.67[.]38 port 80 - sosteran.colliercountycommission[.]com - Angler EK
82.141.230[.]141 port 80 - irahapafutsjibo[.]com - Bedep post-infection traffic
104.193.252[.]241 port 80 - psnehgrgrwpgxmtc[.]com - Bedep post-infection traffic
217.23.6[.]40 port 443 - CryptXXX ransomware post-infection traffic
5.199.141[.]203 port 80 - ranetardinghap[.]com - post-infection click-fraud domain
62.75.207[.]26 port 80 - kimpelasomasot[.]com - post-infection click-fraud domain
93.190.141[.]27 port 80 - cetinhechinhis[.]com - post-infection click-fraud domain
95.211.205[.]218 port 80 - tedgeroatref[.]com - post-infection click-fraud domain
104.193.252[.]236 port 80 - rerobloketbo[.]com - post-infection click-fraud domain
162.244.34[.]11 port 80 - tonthishessici[.]com - post-infection click-fraud domain

IMAGES

Shown above: Injected pseudo-Darkleech script in page from the compromised website.

Shown above: Desktop of the first infected Windows host after Angler EK sent Bedep and CryptXXX ransomware.

Click here to return to the main page.