Angler Exploit Kit from 185.117.73.171 sends Bedep

NOTES:
The norm for Angler Exploit Kit from the "pseudo-Darkleech" campaign is to send Bedep and CryptXXX. In a recent post, Malware-Traffic-Analysis describes how Bedep behaves differently when it detects that it is running inside a VM (virtual machine). I do not know whether that was the case for this infection, but I feel it should be noted.

ASSOCIATED DOMAINS:

  • 85.93.0.68 – nzersef.tk – EITest GATE
  • 185.117.73.171 – stnd0z.nqj7hnp.top – Angler LANDING PAGE
  • 198.105.254.228 – mbkdkxmbkjabafqvut.com – POST /index.php – Bedep POST INFECTION TRAFFIC
  • 217.172.190.170 – POST /calendar.php – Bedep POST INFECTION TRAFFIC


IMAGES and DETAILS:

Shown above: EITest gate and Angler Exploit Kit landing page


Shown above: Bedep post-infection traffic


Shown above: Packet 1992 shows the Angler Flash exploit; packet 3176 shows the payload delivered with an "application/x-shockwave-flash" content type, even though it is not a Flash file
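As an added example (not code from the original post), the script below triages a set of constructed HTTP records against the indicators in the ASSOCIATED DOMAINS list above and, for the payload shown in packet 3176, checks whether a response declared as "application/x-shockwave-flash" actually carries a SWF signature (FWS, CWS or ZWS) or instead starts with the "MZ" header of a Windows executable. The records, their IDs, the hypothetical hostname used for 217.172.190.170 and the field names are all assumptions made for illustration; only the hosts, IPs and POST paths come from the post.

```python
# Added example: triage constructed HTTP records against the indicators
# listed in this post. Not code from the original post; the records below
# are constructed for illustration, not captured traffic.

# Indicators taken from the post's ASSOCIATED DOMAINS list.
EITEST_GATE_HOST = "nzersef.tk"
ANGLER_LANDING_HOST = "stnd0z.nqj7hnp.top"
BEDEP_C2 = {
    ("198.105.254.228", "/index.php"),
    ("217.172.190.170", "/calendar.php"),
}

# Genuine SWF files begin with one of these signatures
# (uncompressed, zlib-compressed, LZMA-compressed).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
PE_MAGIC = b"MZ"  # DOS/PE executable header


def classify(record):
    """Return the list of tags explaining why a record looks suspicious."""
    tags = []
    host = record.get("host", "")
    dst = record.get("dst_ip", "")
    path = record.get("path", "")
    method = record.get("method", "GET")
    ctype = record.get("resp_content_type", "")
    body = record.get("resp_body", b"")

    if host == EITEST_GATE_HOST:
        tags.append("eitest-gate")
    if host == ANGLER_LANDING_HOST:
        tags.append("angler-landing")
    if method == "POST" and (dst, path) in BEDEP_C2:
        tags.append("bedep-post-infection")
    # A response declared as Flash whose bytes carry no SWF signature is
    # worth a look; one that starts with "MZ" is a PE file wearing a
    # Flash content type, as in packet 3176.
    if ctype.startswith("application/x-shockwave-flash") and body:
        if not body.startswith(SWF_MAGIC):
            tags.append("swf-content-type-mismatch")
            if body.startswith(PE_MAGIC):
                tags.append("pe-masquerading-as-swf")
    return tags


def triage(records):
    """Map each record ID to its tags; an empty list means nothing matched."""
    return {r["id"]: classify(r) for r in records}


# Constructed sample records (hypothetical), modelled on the post's indicators.
SAMPLE_RECORDS = [
    {"id": 1, "host": "nzersef.tk", "dst_ip": "85.93.0.68", "method": "GET",
     "path": "/", "resp_content_type": "text/html", "resp_body": b"<html>"},
    {"id": 2, "host": "stnd0z.nqj7hnp.top", "dst_ip": "185.117.73.171",
     "method": "GET", "path": "/", "resp_content_type": "text/html",
     "resp_body": b"<html>"},
    # A real (zlib-compressed) SWF served from the landing page.
    {"id": 3, "host": "stnd0z.nqj7hnp.top", "dst_ip": "185.117.73.171",
     "method": "GET", "path": "/x",
     "resp_content_type": "application/x-shockwave-flash",
     "resp_body": b"CWS\x0a..."},
    # A PE payload served with a Flash content type.
    {"id": 4, "host": "stnd0z.nqj7hnp.top", "dst_ip": "185.117.73.171",
     "method": "GET", "path": "/y",
     "resp_content_type": "application/x-shockwave-flash",
     "resp_body": b"MZ\x90\x00..."},
    {"id": 5, "host": "mbkdkxmbkjabafqvut.com", "dst_ip": "198.105.254.228",
     "method": "POST", "path": "/index.php", "resp_content_type": "",
     "resp_body": b""},
    # The post lists no domain for this IP, so the IP is used as the host.
    {"id": 6, "host": "217.172.190.170", "dst_ip": "217.172.190.170",
     "method": "POST", "path": "/calendar.php", "resp_content_type": "",
     "resp_body": b""},
    # Benign control record (documentation address space).
    {"id": 7, "host": "example.org", "dst_ip": "192.0.2.1", "method": "GET",
     "path": "/", "resp_content_type": "text/html", "resp_body": b"<html>"},
]

if __name__ == "__main__":
    for rid, tags in triage(SAMPLE_RECORDS).items():
        print(rid, tags or ["clean"])
```

Matching on host plus destination IP and path, rather than IP alone, keeps the Bedep rule from firing on unrelated traffic to the same address; the content-type check is the one that survives when the domains and IPs rotate.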


Shown above: MSConfig shows the post-infection payload "system.pif" and its start-up directory


MALICIOUS PAYLOAD SENT BY ANGLER:

2016-05-10-Angler.swf – VirusTotal link
2016-05-10-system.pif – VirusTotal link