2015-05-14 - ANGLER EK FROM 178.63.174[.]153 - SENDS BEDEP & NECURS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-05-15-Angler-EK-traffic.pcap.zip

 

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 185.14.30[.]218 port 80 - web.speeding-tricks[.]com - Redirect/gate
• 178.63.174[.]153 port 80 - erroroutvoorschrijven.belmontflooringanddesigncenter[.]com - Angler EK
• 208.113.226[.]171 port 80 - www.earthtools[.]org - post-infection check by the malware   [not inherently malicious]
• 104.72.249[.]234 port 80 - www.ecb.europa[.]eu - post-infection check by the malware   [not inherently malicious]
• 95.211.230[.]75 port 80 - ljuaitsubak9[.]com - post-infection traffic
• 148.251.161[.]139 port 80 - ourritjuuayylc[.]com - post-infection traffic
• 77.123.137[.]221 port 80 - 77.123.137[.]221 - post-infection traffic
• various domains and IP addresses - other post-infection UDP traffic and DNS queries

 

REDIRECT/GATE:

• 2015-05-15 13:23:39 UTC - 185.14.30[.]218 port 80 - web.speeding-tricks[.]com - GET /js/script.js

 

ANGLER EK:

• 2015-05-15 13:23:39 UTC - 178.63.174[.]153 port 80 - erroroutvoorschrijven.belmontflooringanddesigncenter[.]com -
  GET /bobcat-retainers-twanging-robot/552569844392477911

• 2015-05-15 13:23:41 UTC - 178.63.174[.]153 port 80 - erroroutvoorschrijven.belmontflooringanddesigncenter[.]com -
  GET /SUyGed2Q74uIS1WWeQ1MIuhSR10JD72ZAbJWl7d5h2_gV1xH

• 2015-05-15 13:23:43 UTC - 178.63.174[.]153 port 80 - erroroutvoorschrijven.belmontflooringanddesigncenter[.]com -
  GET /TPTxsGUpzR2DZFuACCWQ9UwYVL54-9G5M3nfBJm5QhDykkpK

 

POST-INFECTION HTTP TRAFFIC:

• 2015-05-15 13:23:48 UTC - port 80 - www.earthtools[.]org - POST /timezone/0/0
• 2015-05-15 13:23:48 UTC - port 80 - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml

• 2015-05-15 13:23:49 UTC - DNS query for: kvgtnxrnrzuynm0d[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: wqudmudgtdmhoxo[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: gvdrblxqayqas[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: butwmiaphhfj70[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: gkhllkaxdzdi9i[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: qnguehfwbsgy[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: hmvqrosylwkmfibj[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: slyonxonqvhr8l[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: utapairnxofvro20[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: ksirtlnhlcmpsefqn[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: bvxhlumcdmzr2i[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: ixxqbtonmbi6u[.]com   [server reply: No such name]
• 2015-05-15 13:23:50 UTC - DNS query for: pzmavjxomlsplypiq7[.]com   [server reply: No such name]

• 2015-05-15 13:23:50 UTC - 95.211.230[.]75 port 80 - ljuaitsubak9[.]com - POST /album.php
• 2015-05-15 13:23:56 UTC - 95.211.230[.]75 port 80 - ljuaitsubak9[.]com - POST /attachment.php
• 2015-05-15 13:24:02 UTC - 95.211.230[.]75 port 80 - ljuaitsubak9[.]com - POST /calendar.php

• 2015-05-15 13:24:02 UTC - DNS query for: brfhpqjwrxwlu2[.]com   [server reply: No such name]
• 2015-05-15 13:24:02 UTC - DNS query for: drmozrqfads4i[.]com   [server reply: No such name]
• 2015-05-15 13:24:02 UTC - DNS query for: fvfecxmewilwxvp3[.]com   [server reply: No such name]
• 2015-05-15 13:24:02 UTC - DNS query for: igzutnruxtnf[.]com   [server reply: No such name]
• 2015-05-15 13:24:02 UTC - DNS query for: pougitxdnkpqitd6q[.]com   [server reply: No such name]
• 2015-05-15 13:24:02 UTC - DNS query for: virkazwenainsocj[.]com   [server reply: No such name]
• 2015-05-15 13:24:02 UTC - DNS query for: jdwakqatysqk6[.]com   [server reply: No such name]
• 2015-05-15 13:24:02 UTC - DNS query for: cwtzqtgzeuvcfkpodr[.]com   [server reply: No such name]
• 2015-05-15 13:24:02 UTC - DNS query for: cifmwpkutbenrngf[.]com   [server reply: No such name]
• 2015-05-15 13:24:02 UTC - DNS query for: nldgwauowbxbi1t[.]com   [server reply: No such name]

• 2015-05-15 13:24:03 UTC - 148.251.161[.]139 port 80 - ourritjuuayylc[.]com - POST /newthread.php
• 2015-05-15 13:24:17 UTC - 148.251.161[.]139 port 80 - ourritjuuayylc[.]com - POST /include/class_ajax_output.php

• 2015-05-15 13:24:19 UTC - DNS query for: aydpyqwapbf[.]com   [server reply: No such name]
• 2015-05-15 13:24:19 UTC - DNS query for: lluynjlttkn[.]com   [server reply: No such name]
• 2015-05-15 13:24:19 UTC - DNS query for: ygohrvahvz[.]com   [server reply: No such name]
• 2015-05-15 13:24:19 UTC - DNS query for: juykjtapjiqv[.]com   [server reply: No such name]
• 2015-05-15 13:24:22 UTC - DNS query for: npkxghmoru[.]biz   [server reply: No such name]

• 2015-05-15 13:24:28 UTC - 148.251.161.139 port 80 - ourritjuuayylc[.]com - POST /include/functions_banning.php

• 2015-05-15 13:24:29 UTC - 194.33.104[.]30 port 10088 - UDP traffic
• 2015-05-15 13:24:34 UTC - 94.78.188[.]232 port 6191 - UDP traffic
• 2015-05-15 13:24:34 UTC - 94.78.188[.]232 port 6191 - UDP traffic
• 2015-05-15 13:24:39 UTC - 190.53.239[.]144 port 12903 - UDP traffic
• 2015-05-15 13:24:54 UTC - 200.86.100[.]44 port 27121 - UDP traffic
• 2015-05-15 13:24:59 UTC - 109.105.8[.]176 port 4524 - UDP traffic

• 2015-05-15 13:25:06 UTC - 77.123.137[.]221 port 80 - 77.123.137[.]221 - POST /forum/db.php
• 2015-05-15 13:25:07 UTC - 77.123.137[.]221 port 80 - 77.123.137[.]221 - POST /forum/db.php

• 2015-05-15 13:25:38 UTC - 201.248.116[.]29 port 12479 - UDP traffic
• 2015-05-15 13:25:43 UTC - 190.200.224[.]88 port 21829 - UDP traffic

• 2015-05-15 13:25:47 UTC - DNS query for: jectfjpcluott[.]com   [server reply: No such name]
• 2015-05-15 13:25:47 UTC - DNS query for: etsopayakyzptdu[.]com   [server reply: No such name]
• 2015-05-15 13:25:47 UTC - DNS query for: hkaugimskbyn[.]com   [server reply: No such name]
• 2015-05-15 13:25:47 UTC - DNS query for: qysmtmsumgyrec[.]com   [server reply: No such name]

• 2015-05-15 13:25:53 UTC - 190.188.58[.]82 port 4290 - UDP traffic
• 2015-05-15 13:25:58 UTC - 190.17.205[.]123 port 13495 - UDP traffic
• 2015-05-15 13:26:08 UTC - 89.215.49[.]91 port 4678 - UDP traffic
• 2015-05-15 13:26:13 UTC - 176.100.211[.]173 port 13065 - UDP traffic

• 2015-05-15 13:26:18 UTC - 77.123.137[.]221 port 80 - 77.123.137[.]221 - POST /forum/db.php

• 2015-05-15 13:27:23 UTC - 37.156.119[.]198 port 23129 - UDP traffic
• 2015-05-15 13:28:23 UTC - 24.138.249[.]99 port 15909 - UDP traffic
• 2015-05-15 13:31:23 UTC - 148.226.51[.]196 port 19911 - UDP traffic
• 2015-05-15 13:32:23 UTC - 98.30.20[.]55 port 12983 - UDP traffic
• 2015-05-15 13:35:23 UTC - 165.132.86[.]40 port 9937 - UDP traffic
• 2015-05-15 13:36:23 UTC - 212.5.34[.]216 port 11725 - UDP traffic
• 2015-05-15 13:38:23 UTC - 78.128.48[.]253 port 21242 - UDP traffic
• 2015-05-15 13:42:23 UTC - 132.147.19[.]87 port 4834 - UDP traffic
• 2015-05-15 13:43:23 UTC - 190.201.29[.]114 port 8166 - UDP traffic

• More UDP traffic & more 77.123.137[.]221 - POST /forum/db.php ...

 

Click here to return to the main page.