# 2016-05-09 - PSEUDO-DARKLEECH ANGLER EK FROM 185.118.66.154 SENDS BEDEP/CRYPTXXX **malware-traffic-analysis.net/2016/05/09/index.html** ASSOCIATED FILES: ZIP archive of the pcaps: [2016-05-09-pseudo-Darkleech-Angler-EK-pcaps.zip 4.4 MB](http://malware-traffic-analysis.net/2016/05/09/2016-05-09-pseudo-Darkleech-Angler-EK-pcaps.zip) (4,390,349 bytes) 2016-05-09-pseudo-Darkleech-Angler-EK-on-a-VM.pcap (780,111 bytes) 2016-05-09-pseudo-Darkleech-Angler-EK-on-a-normal-host-sends-BedepCryptXXX.pcap (4,114,289 bytes) ZIP archive of the malware and artifacts: 2016-05-09-pseudo-Darkleech-Angler-EKmalware-and-artifacts.zip 660.8 kB (660,816 bytes) 2016-05-09-CryptXXX-decrypt-instructions.bmp (2,023,254 bytes) 2016-05-09-CryptXXX-decrypt-instructions.html (14,193 bytes) 2016-05-09-CryptXXX-decrypt-instructions.txt (1,755 bytes) 2016-05-09-CryptXXX-ransomware.dll (266,240 bytes) 2016-05-09-click-fraud-malware.dll (910,496 bytes) 2016-05-09-page-from-justmyvegas.com-with-pseudo-Darkleech-script.txt (16,848 bytes) 2016-05-09-pseudo-Darkleech-Angler-EK-flash-exploit.swf (66,870 bytes) 2016-05-09-pseudo-Darkleech-Angler-EK-landing-page.txt (169,412 bytes) NOTES: On Friday 2016-04-29, I saw svchost.exe (actually: rundll32.exe) in the same folder as the CryptXXX ransomware. It was used to run the CryptXXX .dll file. By Monday 2016-05-02, things were back to normal, with just the CryptXXX .dll file by itself in the folder. A week later (Monday 2016-05-09), I see svchost.exe again, dropped in the same folder as the CryptXXX .dll file. Today's CryptXXX behavior is slightly different than before, and the decryption instructions are formatted a little differently. Today's Click-fraud malware: C:\ProgramData\{9A88E103-A20A-4EA5-8636C73B709A5BF8}\d3d10.dll Today's CryptXXX ransomware: C:\Users\[username]\AppData\Local\Temp\ {98D13E48-E0E4-429B-9E7B-633FD7689461}\api-ms-win-system-framebuf-l1-1-0.dll ----- [Background on the pseudo-Darkleech campaign is available here.](http://researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/) [Proofpoint's blog on Angler EK spreading CryptXXX can be found here.](https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler) An ISC diary I wrote about pseudo-Darkleech causing Angler EK/Bedep/CryptXXX [infections is located here.](https://isc.sans.edu/forums/diary/Angler+Exploit+Kit+Bedep+and+CryptXXX/20981/) _Shown above: Chain of events for today's infection._ ## TRAFFIC ----- _Shown above: Pcap of the traffic on a normal host filtered in Wireshark. http.request or_ **_(tcp.port eq 443 and tcp.flags eq 0x0002)_** _Shown above: Pcap of the traffic on a VM filtered in Wireshark. It's good up through the_ _first Bedep post-infection traffic on 82.141.230.141._ _After that, Bedep acts differently. You'll see Bedep contacting 95.211.205.228 after Bedep_ _detects it's running on a VM, and it will download different malware._ _As usual, no CryptXXX when doing the Angler EK/Bedep infection with a VM, and any click-_ _fraud traffic is a ruse._ _[@Kafeine discusses this recent change in Bedep behavior here.](https://twitter.com/kafeine)_ ASSOCIATED DOMAINS: 185.118.66.154 port 80 - tilewrigbaieru.gt-racer.co.uk - Angler EK TRAFFIC CAUSED BY BEDEP: 82.141.230.141 port 80 - qfsfajslsdexerid.com - POST /blog.php 104.193.252.241 port 80 - xqvyvibixozap.com - POST /blog_ajax.php ----- 104.193.252.241 port 80 - xqvyvibixozap.com - POST /include/class_bbcode_blog.php 104.193.252.241 port 80 - xqvyvibixozap.com - POST /album.php 104.193.252.241 port 80 - xqvyvibixozap.com - POST /forumdisplay.php 104.193.252.241 port 80 - xqvyvibixozap.com - POST /forumdisplay.php TRAFFIC CAUSED BY CRYPTXXX: 217.23.13.153 port 443 - TCP traffic, custom encoding 69.64.33.48 port 443 - TCP traffic, custom encoding TRAFFIC CAUSED BY CLICK-FRAUD MALWARE: 5.199.141.203 port 80 - ranetardinghap.com - GET /adsc.php?sid=1957 93.190.141.27 port 80 - cetinhechinhis.com - GET /adsc.php?sid=1957 95.211.205.218 port 80 - tedgeroatref.com - GET /adsc.php?sid=1957 104.193.252.236 port 80 - rerobloketbo.com - GET /adsc.php?sid=1957 162.244.34.11 port 80 - tonthishessici.com - GET /adsc.php?sid=1957 188.138.105.185 port 80 - kimpelasomasot.com - GET /adsc.php?sid=1957 ## IMAGES ----- _Shown above: Start of pseudo-Darkleech script returned from compromised website._ _Shown above: Desktop of the Windows host after today's Angler EK/Bedep/CryptXXX_ _infection._ ----- ## FINAL NOTES Once again, here are the associated files: ZIP archive of the pcaps: [2016-05-09-pseudo-Darkleech-Angler-EK-pcaps.zip 4.4 MB](http://malware-traffic-analysis.net/2016/05/09/2016-05-09-pseudo-Darkleech-Angler-EK-pcaps.zip) (4,390,349 bytes) ZIP archive of the malware and artifacts: 2016-05-09-pseudo-Darkleech-Angler-EKmalware-and-artifacts.zip 660.8 kB (660,816 bytes) ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website. [Click here to return to the main page.](http://malware-traffic-analysis.net/index.html) -----