2015-05-18 - ANGLER EK SENDS BEDEP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-05-18-Angler-EK-traffic-2-pcaps.zip
• 2015-05-18-Angler-EK-malware.zip

 

NOTES:

• Wasn't able to decrypt the malware payload... The zip file only contains the landing pages and Flash exploits extracted from the pcap files.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 178.63.174.158 port 80 - damniam-metempir.rahmatcosmetics[.]com - Angler EK (first example)
• 178.63.174.157 port 80 - abrufauftrage.whitetigercommunications[.]com - Angler EK (second example)
• 95.211.230.75 port 80 - ljuaitsubak9[.]com - post-infection traffic
• 50.63.202.37 port 80 - pzmavjxomlsplypiq7[.]com - post-infection traffic
• 148.251.161.139 port 80 - ourritjuuayylc[.]com - post-infection traffic
• 178.63.195.249 port 80 - jeep.cheapest-clothes[.]co[.]uk - post-infection traffic (first example)
• 178.63.195.250 port 80 - join.cheapestclothes[.]co[.]uk - post-infection traffic (second example)
• 128.199.96.35 port 80 - cwtzqtgzeuvcfkpodr[.]com - post-infection traffic
• 128.199.96.35 port 80 - pzmavjxomlsplypiq7[.]com - post-infection traffic
• 166.78.144.80 port 80 - pougitxdnkpqitd6q[.]com - post-infection traffic
• 95.211.202.33 port 80 - hershipoladous[.]com - click-fraud traffic begins (first example)
• 88.198.218.89 port 80 - kooperinitialsdor[.]com - click-fraud traffic begins (first example)
• 162.244.34.140 port 80 - nailsartsdesfuture[.]com - click-fraud traffic begins (first example)
• 162.244.34.39 port 80 - koregahot[.]com - click-fraud traffic begins (first example)

 

FIRST EXAMPLE:

• 2015-05-18 00:48:24 UTC - damniam-metempir.rahmatcosmetics[.]com - GET /delineates-disconsolate-humps-mathematically/222547646503185970
• 2015-05-18 00:48:26 UTC - damniam-metempir.rahmatcosmetics[.]com - GET /OA1pECqPrRVqZF1Na5k0b3hDBVUk1GedCQTCXx8Z4j11iEDl
• 2015-05-18 00:48:31 UTC - damniam-metempir.rahmatcosmetics[.]com - GET /zqsajUTtWoRzW7QeAzyQc97x-sBPuLISgFKN2nP9iuZnLpKA
• 2015-05-18 00:48:32 UTC - www.earthtools[.]org - POST /timezone/0/0
• 2015-05-18 00:48:33 UTC - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2015-05-18 00:48:34 UTC - ljuaitsubak9[.]com - POST /forum.php
• 2015-05-18 00:48:41 UTC - ljuaitsubak9[.]com - POST /include/class_dm_forum.php
• 2015-05-18 00:48:47 UTC - ljuaitsubak9[.]com - POST /include/class_dm_blog.php
• 2015-05-18 00:48:47 UTC - DNS query for: pougitxdnkpqitd6q[.]com   [Server response: No such name]
• 2015-05-18 00:48:47 UTC - DNS query for: nldgwauowbxbi1t[.]com   [Server response: No such name]
• 2015-05-18 00:48:47 UTC - DNS query for: kvgtnxrnrzuynm0d[.]com   [Server response: No such name]
• 2015-05-18 00:48:47 UTC - DNS query for: qnguehfwbsgy[.]com   [Server response: No such name]
• 2015-05-18 00:48:47 UTC - DNS query for: bvxhlumcdmzr2i[.]com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: drmozrqfads4i[.]com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: jdwakqatysqk6[.]com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: dkhfidzqyvrgsoo1[.]com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: gvdrblxqayqas[.]com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: slyonxonqvhr8l[.]com   [Server response: No such name]
• 2015-05-18 00:48:49 UTC - pzmavjxomlsplypiq7[.]com - POST /widget.php
• 2015-05-18 00:49:00 UTC - pzmavjxomlsplypiq7[.]com - POST /postings.php
• 2015-05-18 00:49:00 UTC - pzmavjxomlsplypiq7[.]com - GET /site.aspx?aspxerrorpath=/default.aspx
• 2015-05-18 00:49:09 UTC - pzmavjxomlsplypiq7[.]com - POST /showthread.php
• 2015-05-18 00:49:10 UTC - pzmavjxomlsplypiq7[.]com - GET /site.aspx?aspxerrorpath=/default.aspx
• 2015-05-18 00:49:10 UTC - DNS query for: igzutnruxtnf[.]com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: cifmwpkutbenrngf[.]com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: weflinefodxfple[.]com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: gkhllkaxdzdi9i[.]com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: ksirtlnhlcmpsefqn[.]com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: brfhpqjwrxwlu2[.]com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: virkazwenainsocj[.]com   [Server response: No such name]
• 2015-05-18 00:49:12 UTC - ourritjuuayylc[.]com - POST /profile.php
• 2015-05-18 00:49:21 UTC - ourritjuuayylc[.]com - POST /asset.php
• 2015-05-18 00:49:26 UTC - jeep.cheapest-clothes[.]co[.]uk - POST /news.php HTTP/1.0
• 2015-05-18 00:49:37 UTC - ourritjuuayylc[.]com - POST /include/class_dm_blog_category.php
• 2015-05-18 00:50:21 UTC - ourritjuuayylc[.]com - POST /blog.php
• 2015-05-18 00:50:48 UTC - ourritjuuayylc[.]com - POST /include/database_error_page.html
• 2015-05-18 00:51:05 UTC - ourritjuuayylc[.]com - POST /include/class_dm_event.php
• 2015-05-18 00:51:26 UTC - hershipoladous[.]com - GET /ads.php?sid=1923
• 2015-05-18 00:51:26 UTC - kooperinitialsdor[.]com - GET /ads.php?sid=1923
• 2015-05-18 00:51:26 UTC - nailsartsdesfuture[.]com - GET /ads.php?sid=1923
• 2015-05-18 00:51:26 UTC - koregahot[.]com - GET /ads.php?sid=1923

 

SECOND EXAMPLE:

• 2015-05-18 17:37:09 UTC - abrufauftrage.whitetigercommunications[.]com - GET /personification_rubberstamped_narrations_totalitarian/239529191537335005
• 2015-05-18 17:37:11 UTC - abrufauftrage.whitetigercommunications[.]com - GET /IcluLIR_WERIkHajs3BZN0cjpFxZ1IUxL7RNTMezCeWgsn1T
• 2015-05-18 17:37:12 UTC - abrufauftrage.whitetigercommunications[.]com - GET /7wN3QtlhwuulgR6owMC76W3XUNK7pzI7nNnKtDEA2janK8aC
• 2015-05-18 17:37:24 UTC - www.earthtools[.]org - POST /timezone/0/0
• 2015-05-18 17:37:24 UTC - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2015-05-18 17:37:26 UTC - DNS query for: gvdrblxqayqas[.]com   [Server response: No such name]
• 2015-05-18 17:37:26 UTC - DNS query for: igzutnruxtnf[.]com   [Server response: No such name]
• 2015-05-18 17:37:26 UTC - DNS query for: gkhllkaxdzdi9i[.]com   [Server response: No such name]
• 2015-05-18 17:37:26 UTC - DNS query for: virkazwenainsocj[.]com   [Server response: No such name]
• 2015-05-18 17:37:26 UTC - DNS query for: hmvqrosylwkmfibj[.]com   [Server response: No such name]
• 2015-05-18 17:37:27 UTC - cwtzqtgzeuvcfkpodr[.]com - POST /forum.php
• 2015-05-18 17:37:34 UTC - cwtzqtgzeuvcfkpodr[.]com - POST /xmlsitemap.php
• 2015-05-18 17:37:44 UTC - cwtzqtgzeuvcfkpodr[.]com - POST /include/functions_databuild.php
• 2015-05-18 17:37:44 UTC - DNS query for: utapairnxofvro20[.]com   [Server response: No such name]
• 2015-05-18 17:37:44 UTC - DNS query for: nldgwauowbxbi1t[.]com   [Server response: No such name]
• 2015-05-18 17:37:44 UTC - DNS query for: bvxhlumcdmzr2i[.]com   [Server response: No such name]
• 2015-05-18 17:37:45 UTC - DNS query for: dkhfidzqyvrgsoo1[.]com   [Server response: No such name]
• 2015-05-18 17:37:45 UTC - pzmavjxomlsplypiq7[.]com - POST /include/functions_legacy.php
• 2015-05-18 17:37:54 UTC - pzmavjxomlsplypiq7[.]com - POST /register.php
• 2015-05-18 17:38:02 UTC - pzmavjxomlsplypiq7[.]com - POST /showpost.php
• 2015-05-18 17:38:03 UTC - DNS query for: weflinefodxfple[.]com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - DNS query for: brfhpqjwrxwlu2[.]com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - DNS query for: wqudmudgtdmhoxo[.]com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - DNS query for: fvfecxmewilwxvp3[.]com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - DNS query for: butwmiaphhfj70[.]com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - pougitxdnkpqitd6q[.]com - POST /showpost.php
• 2015-05-18 17:38:13 UTC - pougitxdnkpqitd6q[.]com - POST /include/blog_functions.php
• 2015-05-18 17:38:42 UTC - pougitxdnkpqitd6q[.]com - POST /include/functions_facebook.php
• 2015-05-18 17:39:09 UTC - pougitxdnkpqitd6q[.]com - POST /groupsubscription.php
• 2015-05-18 17:39:19 UTC - pougitxdnkpqitd6q[.]com - POST /widget.php
• 2015-05-18 17:39:19 UTC - DNS query for: qnguehfwbsgy[.]com   [Server response: No such name]
• 2015-05-18 17:39:19 UTC - DNS query for: jdwakqatysqk6[.]com   [Server response: No such name]
• 2015-05-18 17:39:20 UTC - DNS query for: slyonxonqvhr8l[.]com   [Server response: No such name]
• 2015-05-18 17:39:20 UTC - DNS query for: cifmwpkutbenrngf[.]com   [Server response: No such name]
• 2015-05-18 17:39:20 UTC - DNS query for: ksirtlnhlcmpsefqn[.]com   [Server response: No such name]
• 2015-05-18 17:39:20 UTC - ourritjuuayylc[.]com - POST /include/class_database_slave.php
• 2015-05-18 17:39:27 UTC - ourritjuuayylc[.]com - POST /profile.php
• 2015-05-18 17:39:41 UTC - join.cheapestclothes[.]co[.]uk - POST /news.php
• 2015-05-18 17:39:46 UTC - ourritjuuayylc[.]com - POST /content.php

 

Click here to return to the main page.