2015-04-25 - ANGLER EK FOLLOWED BY MAGNITUDE EK DURING POST-INFECTION TRAFFIC

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-04-25-Angler-and-Magnitude-EK-traffic.pcap.zip
• 2015-04-25-Angler-and-Magnitude-EK-malware.zip

 

NOTES:

• In this example, Angler EK delivers a payload, and the post-infection click-fraud traffic triggers Magnitude EK.
• The Magnitude EK sent a Flash exploit and a browser exploit, but it didn't send any malware payload.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 69.162.78[.]252 port 80 - sbuccianlaajentamista.brendagalilee[.]com - Angler EK
• 89.163.229[.]85 port 80 - freeplay4game[.]biz - compromised site that led to Magnitude EK
• 31.3.242[.]104 port 80 - [various prefixes].drovemeetings[.]in - Magnitude EK
• various IP addresses - various domain names - Post-infection traffic (see below)

 

ANGLER EK:

• 14:22:11 UTC - sbuccianlaajentamista.brendagalilee[.]com - GET /perchance_ophthalmics_smoky_viewpoint/252128575650311607
• 14:22:15 UTC - sbuccianlaajentamista.brendagalilee[.]com - GET /7db5I3Qf1Q4lHGaKUlbAK8DfM--gBTKQG_fzukADLCALsH-5
• 14:22:15 UTC - sbuccianlaajentamista.brendagalilee[.]com - GET /FtdYbQZH6eO94WWlHQapG2pwWtkpuG0zWH3rPe2mR3RzkMiE

 

POST-INFECTION TRAFFIC FROM ANGLER EK MALWARE PAYLOAD:

• 14:22:25 UTC - www.earthtools[.]org - POST /timezone/0/0
• 14:22:26 UTC - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 14:22:27 UTC - 148.251.161[.]137 port 80 - hzetleajsvhnh37[.]com - POST /blog.php
• 14:22:30 UTC - 148.251.161[.]137 port 80 - hzetleajsvhnh37[.]com - POST /include/class_bitfield_builder.php
• 14:22:53 UTC - 148.251.161[.]137 port 80 - hzetleajsvhnh37[.]com - POST /sendmessage.php
• 14:24:18 UTC - 148.251.161[.]137 port 80 - hzetleajsvhnh37[.]com - POST /blog.php
• 14:24:20 UTC - 148.251.161[.]137 port 80 - hzetleajsvhnh37[.]com - POST /blog_post.php

 

CLICK-FRAUD TRAFFIC STARTS:

• 14:25:12 UTC - 95.211.202[.]33 port 80 - hershipoladous[.]com - GET /ads.php?sid=1923
• 14:25:12 UTC - 88.198.218[.]89 port 80 - kooperinitialsdor[.]com - GET /ads.php?sid=1923
• 14:25:13 UTC - 78.46.107[.]218 port 80 - nailsartsdesfuture[.]com - GET /ads.php?sid=1923
• 14:25:28 UTC - 88.198.218[.]89 port 80 - kooperinitialsdor[.]com - GET /r.php?key=6739449f77268fceac75ca93f635528f
• 14:25:29 UTC - 184.164.143[.]90 port 80 - 184.164.143[.]90 - GET /click.php?c=96306716[long string of characters]
• 14:25:29 UTC - 95.211.202[.]33 port 80 - hershipoladous[.]com - GET /r.php?key=32b97e24ce190d51082153f2edfcf430
• 14:25:30 UTC - 199.189.84[.]174 port 80 - superior-movies[.]com - GET /fracking.html?aid=70412&subid=1923

 

COMPROMISED URL THAT LED TO MAGNITUDE EK:

• 14:25:34 UTC - 89.163.229[.]85 port 80 - freeplay4game[.]biz - GET /   [Repeated several times]

 

MAGNITUDE EK:

• 14:25:35 UTC - n3e.4f5a4w.e89c376.f5c.19cd1y.nbc.7c2b5.7ed.v2da8e4kt.drovemeetings[.]in - GET /?3c4e595a4a5553505d485d52485d4855125f5351
• 14:25:35 UTC - 81u.221257.552x.d4.yd9o.u55bdf09.43h.f297ab8.8.v2da8e4kt.drovemeetings[.]in - GET /
• 14:25:35 UTC - bfb3c.21a8b.j4fbs.k876c575n.v48796e.f5.nbdc.y7.v2da8e4kt.drovemeetings[.]in - GET /
• 14:25:37 UTC - g7c.99f10m.abf4a1.4cd4150q.b25f6.maa8c5n.6c.v2da8e4kt.drovemeetings[.]in - GET /?23514645554a4c4f4257424d5742574a0d404c4e
• 14:25:38 UTC - 81.2212.57552dn.4d95n.l5bl.wdf0943.f297ab8.8l.v2da8e4kt.drovemeetings[.]in - GET /
• 14:25:38 UTC - mbfb.x3c21.a8b4f.sb876co.n5754879.6ef5g.bdc7.v2da8e4kt.drovemeetings[.]in - GET /
• 14:25:48 UTC - k3ek.z4f5a4e8w.y9c376fk.5c19cd.1bc7c2k.gb57ed.v2da8e4kt.drovemeetings[.]in - GET /?15677073637c7a797461747b6174617c3b767a78
• 14:25:49 UTC - 81p.k22125p.755l.2d4d955.ybdf09m.43f297am.pb8y.8.v2da8e4kt.drovemeetings[.]in - GET /
• 14:25:49 UTC - bfb3u.gc21.ra8b4.rfb876cg.y5754.h8796.ef5bdc7.v2da8e4kt.drovemeetings[.]in - GET /
• 14:25:54 UTC - 3e4f5i.a4e89c3.76f5ch.p19cd1bs.c7c.w2b5.7ed.v2da8e4kt.drovemeetings[.]in - GET /?2c5e494a5a4543404d584d42584d5845024f4341
• 14:25:54 UTC - 7c99f1k.0abf4u.pa14cd4.150b25v.kf6p.aa8c5k.6cr.v2da8e4kt.drovemeetings[.]in - GET /?3a485f5c4c5355565b4e5b544e5b4e5314595557
• 14:25:55 UTC - h812.s21257.552.d4d955b.pdf094k.i3f297aj.zb88.v2da8e4kt.drovemeetings[.]in - GET /
• 14:25:55 UTC - s812212s.575x.z52d4d95.y5b.df.0943.f2u.y97ab88m.v2da8e4kt.drovemeetings[.]in - GET /
• 14:25:55 UTC - sbfb3c.y21w.za8b4fb8v.76c5.7548l.m79.l6ex.sf5bv.dc7m.v2da8e4kt.drovemeetings[.]in - GET /
• 14:25:56 UTC - gbfb3c2.1a8t.b4fb876.c575487n.p96ef5bq.dc7.v2da8e4kt.drovemeetings[.]in - GET /

 

REGISTRY CHANGES NOTED ON THE INFECTED HOST

 

Click here to return to the main page.