Malware-Traffic-Analysis.net - 2015-08-24 - Rig EK from 94.142.140[.]222

2015-08-24 - RIG EK FROM 94.142.140[.]222 - LOAD.LEDREQUIRED[.]COM

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

ASSOCIATED DOMAINS:

funny-saying-tshirts[.]com - Compromised website
192.185.158[.]63 port 80 - baydrivingschool[.]com - Gate to EK
213.239.194[.]252 port 80 - danielmaciocha.vot[.]pl - Gate to EK
94.142.140[.]222 port 80 - load.ledrequired[.]com - Rig EK
23.250.0[.]11 port 80 - searchdb24[.]com - Click fraud
199.189.84[.]174 port 80 - superior-movies[.]com - Click fraud
136.243.34[.]28 port 8080 - 136.243.34[.]28 - Post-infection check for IP address

COMPROMISED WEBSITE AND GATE TRAFFIC:

2015-08-24 12:12:30 UTC - funny-saying-tshirts[.]com - GET /
2015-08-24 12:12:31 UTC - baydrivingschool[.]com - GET /trade/images/f2qhzpdt.php?id=8155097 [repeats with different numbers at the end]
2015-08-24 12:12:31 UTC - danielmaciocha.vot[.]pl - GET /20120811/plener/gxvfryhd.php?id=8155240 [repeats with different numbers at the end]

RIG EK:

2015-08-24 12:12:32 UTC - load.ledrequired[.]com - GET /?xniKfreYJBjLDIc=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caVEeJv21WjmbEWI5gglkCBu2lYzrxPUw5C514anvzPBKqE

2015-08-24 12:12:34 UTC - load.ledrequired[.]com - GET /index.php?xniKfreYJBjLDIc=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caVEeJv21WjmbEWI5gglkCBu2lYzrxPUw5C514anvzPBKqK
p0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PV9n54mmA

2015-08-24 12:12:35 UTC - load.ledrequired[.]com - GET /index.php?xniKfreYJBjLDIc=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caVEeJv21WjmbEWI5gglkCBu2lYzrxPUw5C514anvzPBKqK
p0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PR3nZImmA

2015-08-24 12:12:37 UTC - load.ledrequired[.]com - GET /index.php?xniKfreYJBjLDIc=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caVEeJv21WjmbEWI5gglkCBu2lYzrxPUw5C514anvzPBKqK
p0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_P91nZMp3lM&dop=075

2015-08-24 12:12:42 UTC - load.ledrequired[.]com - GET /index.php?xniKfreYJBjLDIc=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caVEeJv21WjmbEWI5gglkCBu2lYzrxPUw5C514anvzPBKqK
p0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PJzmpImmA

POST-INFECTION - HTTP TRAFFIC:

2015-08-24 12:18:32 UTC - www.google[.]com - GET /
2015-08-24 12:18:34 UTC - www.google[.]com - GET /
2015-08-24 12:18:35 UTC - www.google[.]com - GET /
2015-08-24 12:24:01 UTC - searchdb24[.]com - GET /clk2?d=Pm7s6EzNCqIIMJKnFfi4T55b9ZfU5kCtArZxfVSqXoHNQF5XUzVBcvhKTQ
2015-08-24 12:24:27 UTC - searchdb24[.]com - GET /r?q=club&subid=z4766&link=AVkjjEpbEeWf6AzEegUOMA
2015-08-24 12:24:31 UTC - searchdb24[.]com - GET /search?q=club&subid=z4766
2015-08-24 12:24:34 UTC - searchdb24[.]com - GET /click?q=club&subid=z4766&link=AVkjjEpbEeWf6AzEegUOMA
2015-08-24 12:24:50 UTC - superior-movies[.]com - GET /fracking.html?aid=70561&subid=4766 [and related HTTP GET requests]
2015-08-24 12:24:55 UTC - 136.243.34[.]28 - GET /in_addr.txt [repeats]

POST-INFECTION - ATTEMPTED TCP CONNECTIONS AND ENCRYPTED TRAFFIC:

Click here to return to the main page.