2015-06-01 - ANGLER EK FROM 94.242.198[.]222 SENDS BEDEP AND NECURS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-06-01-Angler-EK-traffic.pcap.zip
• 2015-06-01-Angler-EK-malware-and-artifacts.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 89.39.144[.]155 port 80 - id.geloukodj[.]com[.]br - Redirect to Angler EK
• 94.242.198[.]222 port 80 - adiotoiminnandacqmine.visionsource-parklandeye[.]com - Angler EK
• 195.22.26[.]252 port 80 - pyprhimzkonw4[.]com - Post-infection traffic
• 195.22.26[.]248 port 80 - sso.anbtr[.]com - Post-infection traffic
• 195.22.26[.]231 port 80 - xsso.pyprhimzkonw4[.]com - Post-infection traffic
• 209.133.201[.]35 port 80 - cdxnzcdxzcjgmeoef1[.]com - Post-infection traffic
• 212.47.214[.]114 port 80 - 212.47.214[.]114 - Post-infection traffic
• 91.200.14[.]56 port 80 - 91.200.14[.]56 - Post-infection traffic

 

REDIRECT:

• 2015-06-01 15:15:28 UTC - id.geloukodj[.]com[.]br - GET /js/view.js

 

ANGLER EK:

• 2015-06-01 15:15:30 UTC - adiotoiminnandacqmine.visionsource-parklandeye[.]com - GET /forger-fatuous-roguish-guideline/659172933259539858
• 2015-06-01 15:15:33 UTC - adiotoiminnandacqmine.visionsource-parklandeye[.]com - GET /gwiFLyVtcw6ZYF4x4KigUs1TDcedTHxYlIWUPXnEMLlRsSe7.cpp
• 2015-06-01 15:15:36 UTC - adiotoiminnandacqmine.visionsource-parklandeye[.]com - GET /bRh_U6LsInmcwWljobpH117iR0iyihSfT-vzOhHIkMaFM1ro.py

 

POST-INFECTION TRAFFIC:

• 2015-06-01 15:15:39 UTC - www.earthtools.org - GET /timezone-1.1/-58.44478/-41.3294
• 2015-06-01 15:15:40 UTC - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?0051d1ec6ed6f339cf3eec7e677c95f3
• 2015-06-01 15:15:41 UTC - DNS query for: vavdaouetagxdvxu5l[.]com (response: No such name)
• 2015-06-01 15:15:41 UTC - DNS query for: ucnoqdmssax1[.]com (no content in the response)
• 2015-06-01 15:15:42 UTC - pyprhimzkonw4[.]com - POST /calendar.php
• 2015-06-01 15:15:43 UTC - sso.anbtr[.]com - GET /domain/pyprhimzkonw4[.]com
• 2015-06-01 15:15:45 UTC - xsso.pyprhimzkonw4[.]com - GET /5f1a39f4435c6b11a454881da415821a
• 2015-06-01 15:15:45 UTC - DNS query for: oglntfpvurtpmpaa8a[.]com (response: No such name)
• 2015-06-01 15:15:46 UTC - cdxnzcdxzcjgmeoef1[.]com - POST /include/functions_misc.php
• 2015-06-01 15:15:48 UTC - cdxnzcdxzcjgmeoef1[.]com - POST /css.php
• 2015-06-01 15:15:54 UTC - DNS query for: aiaegkalecu[.]com (response: No such name)
• 2015-06-01 15:15:54 UTC - DNS query for: ifkbmlatjdyl[.]com (response: No such name)
• 2015-06-01 15:15:54 UTC - DNS query for: beuadpchlg[.]com (response: No such name)
• 2015-06-01 15:15:54 UTC - DNS query for: ajzwrnjljj[.]com (response: No such name)
• 2015-06-01 15:15:55 UTC - DNS query for: npkxghmoru.biz (response: No such name)
• 2015-06-01 15:15:57 UTC - local_host port 15511 - 186.22.9[.]31 port 18323 - UDP traffic (no return traffic)
• 2015-06-01 15:16:02 UTC - local_host port 15511 - 188.254.241[.]115 port 20164 - UDP traffic (return traffic noted)
• 2015-06-01 15:16:08 UTC - 190.195.47.32 port 18206 - Attempted TCP connection (no response from server)
• 2015-06-01 15:16:12 UTC - POST /include/blog_functions_category.php
• 2015-06-01 15:16:13 UTC - local_host port 15511 - 24.227.28.51 port 24853 - UDP traffic (no return traffic)
• 2015-06-01 15:16:18 UTC - 190.18.87.208 port 20828 - TCP connection (full connection with some data sent)
• 2015-06-01 15:16:19 UTC - 212.47.214[.]114 - POST /forum/db.php
• 2015-06-01 15:16:21 UTC - 212.47.214[.]114 - POST /forum/db.php
• 2015-06-01 15:16:22 UTC - 212.47.214[.]114 - POST /forum/db.php
• 2015-06-01 15:16:55 UTC - local_host port 15511 - 93.103.215[.]198 port 15695 - UDP traffic (no return traffic)
• 2015-06-01 15:17:00 UTC - local_host port 15511 - 31.211.143[.]114 port 10160 - UDP traffic (no return traffic)
• 2015-06-01 15:17:05 UTC - local_host port 15511 - 79.121.98[.]40 port 6111 - UDP traffic (no return traffic)
• 2015-06-01 15:17:08 UTC - DNS query for: uqqknpieev[.]com (response: No such name)
• 2015-06-01 15:17:08 UTC - DNS query for: ugnsbjeintulo[.]com (response: No such name)
• 2015-06-01 15:17:08 UTC - DNS query for: ifqabglescmgkt[.]com (response: No such name)
• 2015-06-01 15:17:08 UTC - DNS query for: oijnbeaufrfp[.]com (response: No such name)
• 2015-06-01 15:17:10 UTC - local_host port 15511 - 186.126.177[.]150 port 21238 - Attempted TCP connection (no response from server)
• 2015-06-01 15:17:15 UTC - local_host port 15511 - 1190.207.130[.]229 port 25720- Attempted TCP connection (no response from server)
• 2015-06-01 15:17:20 UTC - local_host port 15511 - 178.84.253[.]121 port 10926 - UDP traffic (no return traffic)
• 2015-06-01 15:17:25 UTC - local_host port 15511 - 1194.63.137[.]41 port 28448 - UDP traffic (no return traffic)
• 2015-06-01 15:17:30 UTC - local_host port 15511 - 146.186.89[.]63 port 8304 - UDP traffic (no return traffic)
• 2015-06-01 15:17:35 UTC - local_host port 15511 - 195.34.249[.]92 port 23728 - UDP traffic (no return traffic)
• 2015-06-01 15:17:40 UTC - local_host port 15511 - 1177.143.83[.]122 port 32417 - UDP traffic (no return traffic)
• 2015-06-01 15:17:45 UTC - 190.201.58[.]232 port 13972 - Attempted TCP connection (no response from server)
• 2015-06-01 15:17:50 UTC - 132.248.123[.]242 port 21300 - TCP connection (full connection with some data sent)
• 2015-06-01 15:17:55 UTC - local_host port 15511 - 1201.213.18.53 port 8978 - UDP traffic (no return traffic)
• 2015-06-01 15:17:59 UTC - 91.200.14[.]56 - POST /forum/db.php
• 2015-06-01 15:19:00 UTC - local_host port 15511 - 1200.111.157[.]37 port 25695 - UDP traffic (no return traffic)
• 2015-06-01 15:20:00 UTC - local_host port 15511 - 1161.200.48[.]58 port 28639 - UDP traffic (no return traffic)
• 2015-06-01 15:21:00 UTC - local_host port 15511 - 1190.73.136[.]237 port 14012 - UDP traffic (no return traffic)
• 2015-06-01 15:23:00 UTC - local_host port 15511 - 124.232.56[.]88 port 16934 - UDP traffic (no return traffic)
• 2015-06-01 15:24:00 UTC - local_host port 15511 - 1181.44.144[.]33 port 14637 - UDP traffic (no return traffic)
• 2015-06-01 15:25:00 UTC - local_host port 15511 - 188.151.149[.]156 port 31848 - UDP traffic (no return traffic)
• 2015-06-01 15:26:00 UTC - local_host port 15511 - 1188.173.243[.]171 port 20398 - UDP traffic (no return traffic)
• 2015-06-01 15:27:00 UTC - local_host port 15511 - 1190.198.35[.]33 port 12395 - UDP traffic (no return traffic)

 

MALWARE

MALWARE FOUND ON THE INFECTED HOST:

• C:\Windows\Installer\{210B6B18-0073-9AD2-DD27-B088BCE89303}\syshost.exe
• C:\Windows\System32\Drivers\fd68341857c90b6b.sys

 

REGISTRY KEYS RELATED TO MALWARE ON THE INFECTED HOST:

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FD68341857C90B6B\0000 - Service - REG_SZ - fd68341857c90b6b
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FD68341857C90B6B\0000\Control - ActiveService - REG_SZ - fd68341857c90b6b
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FD68341857C90B6B\0000 - Service - REG_SZ - fd68341857c90b6b
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FD68341857C90B6B\0000\Control - ActiveService - REG_SZ - fd68341857c90b6b
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fd68341857c90b6b

 

Click here to return to the main page.