2015-05-26 - ANGLER EK SENDS BEDEP, HOST INFECTED WITH CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-05-26-Angler-EK-traffic.pcap.zip
• 2015-05-26-Angler-EK-malware.zip

 

NOTES:

• Couldn't get a copy of CryptoWall 3.0 ransomware that I saw from the traffic after Bedep, but the bitcoin address for ransom payment was: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB

 

CHAIN OF EVENTS

ANGLER EK:

• 2015-05-26 15:17:16 UTC - 216.245.213[.]6 port 80 - ruimde.edibleair[.]com - GET /intensity-breton-liminal-nominally/232472044780593132
• 2015-05-26 15:17:19 UTC - 216.245.213[.]6 port 80 - ruimde.edibleair[.]com - GET /es8DbYZqDlhZCA-UvJVYyBc0ih3vmvyejfLOTfEznJ1bCa7I
• 2015-05-26 15:17:56 UTC - 216.245.213[.]6 port 80 - ruimde.edibleair[.]com - GET /WFzomlIySxhj6z039wS_bcxVN89t_ryYajlzzawCmnO22hE7

 

POST-INFECTION TRAFFIC RELATED TO BEDEP:

• 2015-05-26 15:17:56 UTC - port 80 - www.earthtools[.]org - POST /timezone/0/0
• 2015-05-26 15:17:57 UTC - port 80 - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2015-05-26 15:17:58 UTC - 195.22.26[.]254 port 80 - ubtwfamlqxkx2k[.]com - POST /index.php
• 2015-05-26 15:17:59 UTC - 195.22.26[.]248 port 80 - sso.anbtr[.]com - GET /domain/ubtwfamlqxkx2k[.]com
• 2015-05-26 15:18:00 UTC - 195.22.26[.]253 port 80 - xsso.ubtwfamlqxkx2k[.]com - GET /a40fad694189bdb31d8ea1b0bb495a3f
• 2015-05-26 15:18:05 UTC - 195.22.26[.]254 port 80 - ubtwfamlqxkx2k[.]com - POST /register.php
• 2015-05-26 15:18:12 UTC - 195.22.26[.]254 port 80 - ubtwfamlqxkx2k[.]com - POST /include/class_core.php
• 2015-05-26 15:18:13 UTC - 195.22.26[.]231 port 80 - cdizzmvsvdyok9[.]com - POST /include/blog_functions_main.php
• 2015-05-26 15:18:13 UTC - 195.22.26[.]248 port 80 - sso.anbtr[.]com - GET /domain/cdizzmvsvdyok9[.]com
• 2015-05-26 15:18:14 UTC - 195.22.26[.]231 port 80 - xsso.cdizzmvsvdyok9[.]com - GET /75b7438e59f0884285a9ecade2ed736d
• 2015-05-26 15:18:22 UTC - 195.22.26[.]231 port 80 - cdizzmvsvdyok9[.]com - POST /announcement.php
• 2015-05-26 15:18:31 UTC - 195.22.26[.]231 port 80 - cdizzmvsvdyok9[.]com - POST /album.php
• 2015-05-26 15:18:32 UTC - 195.22.26[.]231 port 80 - lvyzfhuejpufnwz5t[.]com - POST /include/functions_forumdisplay.php
• 2015-05-26 15:18:32 UTC - 195.22.26[.]248 port 80 - sso.anbtr[.]com - GET /domain/lvyzfhuejpufnwz5t[.]com
• 2015-05-26 15:18:33 UTC - 195.22.26[.]231 port 80 - xsso.lvyzfhuejpufnwz5t[.]com - GET /e3984fafdc813d99fa7fd2012a150cfd
• 2015-05-26 15:18:40 UTC - 195.22.26[.]231 port 80 - lvyzfhuejpufnwz5t[.]com - POST /postings.php
• 2015-05-26 15:18:50 UTC - 195.22.26[.]231 port 80 - lvyzfhuejpufnwz5t[.]com - POST /include/class_core.php
• 2015-05-26 15:18:51 UTC - 148.251.161[.]140 port 80 - jaadtmtkbojqcbakx[.]com - POST /include/functions_editor.php
• 2015-05-26 15:18:53 UTC - 148.251.161[.]140 port 80 - jaadtmtkbojqcbakx[.]com - POST /sendmessage.php
• 2015-05-26 15:19:16 UTC - 148.251.161[.]140 port 80 - jaadtmtkbojqcbakx[.]com - POST /showpost.php
• 2015-05-26 15:19:28 UTC - 148.251.161[.]140 port 80 - jaadtmtkbojqcbakx[.]com - POST /album.php
• 2015-05-26 15:19:29 UTC - 148.251.161[.]140 port 80 - jaadtmtkbojqcbakx[.]com - POST /include/class_dm_blog_rate.php

 

POST-INFECTION TRAFFIC RELATED TO CRYPTOWALL 3.0 RANSOMWARE:

• 2015-05-26 15:18:56 UTC - port 80 - ip-addr[.]es - GET /
• 2015-05-26 15:18:57 UTC - 81.88.48[.]113 port 80 - alebehr[.]com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?w=gilufxt2m2p
• 2015-05-26 15:18:57 UTC - 146.255.46[.]1 port 80 - bebeamor[.]co[.]uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?z=gilufxt2m2p
• 2015-05-26 15:19:01 UTC - 213.175.200[.]1 port 80 - awynnejoinery[.]co[.]uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?d=gilufxt2m2p
• 2015-05-26 15:19:06 UTC - 184.168.47[.]225 port 80 - ammorgan[.]net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?r=gilufxt2m2p
• 2015-05-26 15:19:06 UTC - 213.186.33[.]50 port 80 - jeanrey[.]fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41
  /img3.php?n=gilufxt2m2p
• 2015-05-26 15:19:14 UTC - 81.88.48[.]113 port 80 - alebehr[.]com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?k=mrce2lhhtd
• 2015-05-26 15:19:14 UTC - 146.255.46[.]1 port 80 - bebeamor[.]co[.]uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?z=mrce2lhhtd
• 2015-05-26 15:19:19 UTC - 213.175.200[.]1 port 80 - awynnejoinery[.]co[.]uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?x=mrce2lhhtd
• 2015-05-26 15:19:24 UTC - 184.168.47[.]225 port 80 - ammorgan[.]net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?a=mrce2lhhtd
• 2015-05-26 15:19:25 UTC - 213.186.33[.]50 port 80 - jeanrey[.]fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41
  /img3.php?y=mrce2lhhtd
• 2015-05-26 15:19:30 UTC - 81.88.48[.]113 port 80 - alebehr[.]com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?m=c4k42pax9y88
• 2015-05-26 15:19:30 UTC - 146.255.46[.]1 port 80 - bebeamor[.]co[.]uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?h=c4k42pax9y88
• 2015-05-26 15:19:32 UTC - 213.175.200[.]1 port 80 - awynnejoinery[.]co[.]uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?m=c4k42pax9y88
• 2015-05-26 15:19:37 UTC - 184.168.47[.]225 port 80 - ammorgan[.]net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?v=c4k42pax9y88
• 2015-05-26 15:19:39 UTC - 213.186.33[.]50 port 80 - jeanrey[.]fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41
  /img3.php?p=c4k42pax9y88
• 2015-05-26 15:20:07 UTC - 81.88.48[.]113 port 80 - alebehr[.]com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?n=h9u63z9yg7yl
• 2015-05-26 15:20:07 UTC - 146.255.46[.]1 port 80 - bebeamor[.]co[.]uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?r=h9u63z9yg7yl
• 2015-05-26 15:20:09 UTC - 213.175.200[.]1 port 80 - awynnejoinery[.]co[.]uk - POST /wp-content/plugins/revslider/temp/update_extract/revsliderz/img3.php?i=h9u63z9yg7yl
• 2015-05-26 15:20:15 UTC - 184.168.47[.]225 port 80 - ammorgan[.]net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?m=h9u63z9yg7yl
• 2015-05-26 15:20:16 UTC - 213.186.33[.]50 port 80 - jeanrey[.]fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41
  /img3.php?g=h9u63z9yg7yl
• 2015-05-26 15:20:22 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /1kwN8ko
• 2015-05-26 15:20:26 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/style.css
• 2015-05-26 15:20:29 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/flags/us.png
• 2015-05-26 15:20:29 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/flags/fr.png
• 2015-05-26 15:20:30 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/rb.png
• 2015-05-26 15:20:30 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/flags/es.png
• 2015-05-26 15:20:30 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /picture.php?k=1kwn8ko&171b11da066a408f7526ec7cf078d42c
• 2015-05-26 15:20:30 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/rt.png
• 2015-05-26 15:20:33 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/flags/it.png
• 2015-05-26 15:20:33 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/flags/de.png
• 2015-05-26 15:20:33 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/lt.png
• 2015-05-26 15:20:33 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/lb.png
• 2015-05-26 15:20:36 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /favicon.ico
• 2015-05-26 15:20:39 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - POST /1kwN8ko
• 2015-05-26 15:20:43 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/style.css
• 2015-05-26 15:20:47 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/bitcoin.png
• 2015-05-26 15:20:47 UTC - 95.163.121[.]105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros[.]com - GET /img/button_pay.png

 

CLICK FRAUD TRAFFIC BEGINS:

• 2015-05-26 15:20:55 UTC - 162.244.34[.]140 port 80 - jiujitsukarate[.]com - GET /ads.php?sid=1911
• 2015-05-26 15:20:55 UTC - 95.211.202[.]33 port 80 - jerorefest[.]com - GET /ads.php?sid=1911
• 2015-05-26 15:20:55 UTC - 151.80.254[.]180 port 80 - operlmospo4yt[.]com - GET /ads.php?sid=1911
• 2015-05-26 15:20:55 UTC - 162.244.34[.]39 port 80 - jertadopoeremo[.]com - GET /ads.php?sid=1911
• 2015-05-26 15:20:55 UTC - 88.198.218[.]89 port 80 - kooperinitialsdor[.]com - GET /ads.php?sid=1911

 

MALWARE

MALWARE FOUND ON THE INFECTED HOST:

• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a (encrypted or otherwise obfuscated)
• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\twain_32.dll (Bedep)

 

Click here to return to the main page.