2015-04-01 - ANGLER EK FROM 209.126.113[.]76

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-04-01-Angler-EK-traffic.pcap.zip
• 2015-04-01-Angler-EK-malware.zip

 

NOTES

SOME OF THE DIRECTORIES AND FILES CREATED FROM THE INFECTION:

• C:\ProgramData\Windows Genuine Advantage\{F300DD14-DC01-4656-8515-B5C2952A621E}
• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\d3d10core.dll
• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a
• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\qmuqquma.tmp (0 bytes)

 

SPOME OF THE REGISTRY KEYS CREATED OR UPDATED:

• HKEY_USERS\S-1-5-21-970660591-2671040492-1938035795-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
• HKEY_CLASSES_ROOT\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

 

ASSOCIATED DOMAINS:

• 209.126.113[.]76 port 80 - inspirablebacktenter.modernlifestyle[.]com - Angler EK

 

ANGLER EK:

• 2015-04-01 11:51:28 UTC - inspirablebacktenter.modernlifestyle[.]com - GET /pions_fingertips_rebuff/8057907058341
• 2015-04-01 11:51:30 UTC - inspirablebacktenter.modernlifestyle[.]com - GET /3R6sqI6COwSVqj-FeU2X7WK5qWYlpQskmTr-ivR7ZSZuIbap
• 2015-04-01 11:51:38 UTC - inspirablebacktenter.modernlifestyle[.]com - HEAD /9Oj96BjEJ7Rpe-CuvXMl_DVaDQFeQV53vYrJekoio1vi9dIc
• 2015-04-01 11:51:39 UTC - inspirablebacktenter.modernlifestyle[.]com - GET /9Oj96BjEJ7Rpe-CuvXMl_DVaDQFeQV53vYrJekoio1vi9dIc

 

POST-INFECTION TRAFFIC:

• 2015-04-01 11:51:34 UTC - port 80 - www.earthtools[.]org - POST /timezone/0/0
• 2015-04-01 11:51:35 UTC - port 80 - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2015-04-01 11:51:37 UTC - 85.25.104[.]159 port 80 - gnghofvqgfescuijcv[.]com - POST /   [repeats]
• 2015-04-01 11:51:48 UTC - 188.138.25[.]40 port 80 - grow.woodzydesign[.]co[.]uk - POST /news.php
• 2015-04-01 11:51:59 UTC - 85.25.104[.]159 port 80 - gnghofvqgfescuijcv[.]com - POST /

 

CLICK-FRAUD (FAKE SEARCH) TRAFFIC BEGINS:

• 2015-04-01 11:54:41 UTC - 46.105.248[.]104 port 80 - protectobnoxiousefficacious[.]com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 162.244.34[.]133 port 80 - delbopoera[.]com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 85.25.107[.]67 port 80 - warheroescraft[.]com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 78.46.107[.]218 port 80 - jeloyramkis[.]com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 162.244.34[.]133 port 80 - delbopoera[.]com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 78.46.107[.]218 port 80 - jeloyramkis[.]com - GET /ads.php?sid=1923

 

Click here to return to the main page.