2014-05-01 - ANGLER EK FROM 64.120.207[.]245 - JDG.GOGEXYCOHUNSDS[.]NET

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-05-02-Angler-EK-traffic.pcap.zip

NOTE: This one's a relatively quick post for situational awareness.  I didn't extract or deobfuscate any of the malware from the pcap.

PREVIOUS ANGLER EK:

• 2014-02-26 - Angler EK from 23.239.12[.]68 - northerningredients[.]com
• 2014-02-27 - Angler EK from 31.222.178[.]84 - phisoomythyxiboow[.]ru:8080
• 2014-03-23 - Angler EK from 78.63.247[.]153 - e1xguj.makeuhndall[.]info
• 2014-04-22 - Angler EK from 69.39.239[.]233 - p1315noprat-wezenlijk.tri-citydrywall[.]com
• 2014-04-22 - Angler EK from 23.110.194[.]99 - lampadaryoptimistiselta.particlehero[.]com
• 2014-04-28 - Angler EK from 85.10.220[.]153 - xenexo9fj6.fuminexyveqccs[.]com
• 2014-04-28 - Angler EK from 85.10.220[.]153 - k615o5ij7f.skwosh[.]eu
• 2014-04-29 - Angler EK from 66.96.246[.]151 - ugwpc.bimowamokykpps[.]net
• 2014-05-01 - Angler EK from 184.82.69[.]94 - 51m9o.licitajyjanyswed[.]info
• 2014-05-02 - Angler EK from 64.120.207[.]245 - jdg.gogexycohunsds[.]net

 

CHAIN OF EVENTS

• 05:22:33 UTC - 64.120.207[.]245 - jdg.gogexycohunsds[.]net - GET /7knsf4i9e6
• 05:22:34 UTC - 64.120.207[.]245 - jdg.gogexycohunsds[.]net - GET /Zja80mx6PKdeU6YEYiFeIKY0_C6F5P56Anjm3AvYl9ssa1qL3V7Y4MtjtrSSkq96S5-p0W2OrAE=
• 05:22:34 UTC - 64.120.207[.]245 - jdg.gogexycohunsds[.]net - GET /HdNwNHddNhXqPDVa_CIwAikMerIv1F6nK3Z7JQSIpkMNWcFEvynXrSFG1cBMt9pAgk1nxVX7loQ=
• 05:22:37 UTC - 64.120.207[.]245 - jdg.gogexycohunsds[.]net - GET /NaYUCP6bPt0N71JkysS0NkphV8-ILuKyZkjHskoIyRGKY0i7Dc-hTenqFN63rDkqg-8cLfZYgvU=

 

ALERTS

ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-05-02 05:22:34 UTC - 64.120.207[.]245:80 - ET CURRENT_EVENTS Angler EK Landing Apr 14 2014
• 2014-05-02 05:22:34 UTC - 64.120.207[.]245:80 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 1
• 2014-05-02 05:22:34 UTC - 64.120.207[.]245:80 - ET POLICY Outdated Windows Flash Version IE
• 2014-05-02 05:22:38 UTC - 64.120.207[.]245:80 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013

 

FINAL NOTES

Click here to return to the main page.