2015-08-10 - ANGLER EK FROM 144.76.161[.]249 SENDS BEDEP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-08-10-Angler-EK-traffic.pcap.zip
• 2015-08-10-Angler-EK-malware-and-artifacts.zip

 

Shown above: malware left behind on the infected host.

 

TRAFFIC

ASSOCIATED DOMAINS:

• 178.33.200[.]140 port 80 - go.gosouth[.]com[.]ar - Redirect/gate pointing to Angler EK
• 144.76.161[.]249 port 80 - 4beesontithecollecting.lynelafontaine[.]com - Angler EK
• 83.149.127[.]8 port 80 - borysekfqovtvhvl[.]com - Bedep post-infection traffic
• 95.211.189[.]99 port 80 - veg2671wmx88[.]com - Click-fraud traffic begins
• 95.211.189[.]117 port 80 - v6pnsc80ll[.]com - Click-fraud traffic begins
• 95.211.202[.]34 port 80 - ym5r99ex5q8[.]com - Click-fraud traffic begins
• 162.244.34[.]39 port 80 - b9u5r3rjmpp[.]com - Click-fraud traffic begins

 

REDIRECT:

• 2015-08-10 14:55:57 UTC - go.gosouth[.]com[.]ar - GET /js/script.js

 

ANGLER EK:

• 2015-08-10 14:55:59 UTC - 4beesontithecollecting.lynelafontaine[.]com - GET /boards/viewforum.php?f=3yd0&sid=lo681460lf0770113m.9&

• 2015-08-10 14:56:05 UTC - 4beesontithecollecting.lynelafontaine[.]com - GET /distance.mvc?subject=ZXMXN43d&law=4Zldeu&itself=1iKJ42WNy1&
  into=&scene=sQ5hhBlsPB&kind=-eoyRAIydPXEQV

• 2015-08-10 14:56:05 UTC - 4beesontithecollecting.lynelafontaine[.]com - POST /boards/deal.srf?right=S82cu&march=9Ly&try=3RR&anything=Vs3S_&
  these=Guk-iYLd25&learn=RS9riAgOBQM36rjDnZYaq8

• 2015-08-10 14:56:07 UTC - 4beesontithecollecting.lynelafontaine[.]com - GET /distance.mvc?subject=ZXMXN43d&law=4Zldeu&itself=1iKJ42WNy1&
  into=&scene=sQ5hhBlsPB&kind=-eoyRAIydPXEQV

• 2015-08-10 14:56:11 UTC - 4beesontithecollecting.lynelafontaine[.]com - GET /gun.esproj?throughout=&season=Oxg0&any=&lot=0ku&show=&
  world=KBA_zf7&within=yGwgb&each=9Ycfob&fall=QK39EAYw6&discuss=wI_&I=dBI&maintain=3UrM8M46

 

POST-INFECTION TRAFFIC:

• 2015-08-10 14:56:21 UTC - www.microsoft[.]com - GET /
• 2015-08-10 14:56:22 UTC - www.microsoft[.]com - GET /en-au/
• 2015-08-10 14:56:26 UTC - www.ecb.europa[.]eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?e8038e30e273dbd0cdf7c5a1edc8e6ac
• 2015-08-10 14:56:34 UTC - borysekfqovtvhvl[.]com - POST /blog.php
• 2015-08-10 14:56:37 UTC - borysekfqovtvhvl[.]com - POST /include/class_dbalter.php
• 2015-08-10 14:57:00 UTC - borysekfqovtvhvl[.]com - POST /include/class_block.php
• 2015-08-10 14:58:20 UTC - borysekfqovtvhvl[.]com - POST /forum.php
• 2015-08-10 14:58:24 UTC - borysekfqovtvhvl[.]com - POST /include/functions_filesystemxml.php

• 2015-08-10 14:59:32 UTC - ym5r99ex5q8[.]com - GET /ads.php?sid=1917
• 2015-08-10 14:59:32 UTC - b9u5r3rjmpp[.]com - GET /ads.php?sid=1917
• 2015-08-10 14:59:32 UTC - v6pnsc80ll[.]com - GET /ads.php?sid=1917
• 2015-08-10 14:59:32 UTC - veg2671wmx88[.]com - GET /ads.php?sid=1917

 

Click here to return to the main page.