2014-05-01 - ANGLER EK FROM 64.120.207.245 - JDG.GOGEXYCOHUNSDS.NET

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-05-02-Angler-EK-traffic.pcap.zip

NOTE: This one's a relatively quick post for situational awareness.  I didn't extract or deobfuscate any of the malware from the PCAP.

PREVIOUS ANGLER EK:

• 2014-02-26 - Angler EK from 23.239.12.68 - northerningredients.com
• 2014-02-27 - Angler EK from 31.222.178.84 - phisoomythyxiboow.ru:8080
• 2014-03-23 - Angler EK from 78.63.247.153 - e1xguj.makeuhndall.info
• 2014-04-22 - Angler EK from 69.39.239.233 - p1315noprat-wezenlijk.tri-citydrywall.com
• 2014-04-22 - Angler EK from 23.110.194.99 - lampadaryoptimistiselta.particlehero.com
• 2014-04-28 - Angler EK from 85.10.220.153 - xenexo9fj6.fuminexyveqccs.com
• 2014-04-28 - Angler EK from 85.10.220.153 - k615o5ij7f.skwosh.eu
• 2014-04-29 - Angler EK from 66.96.246.151 - ugwpc.bimowamokykpps.net
• 2014-05-01 - Angler EK from 184.82.69.94 - 51m9o.licitajyjanyswed.info
• 2014-05-02 - Angler EK from 64.120.207.245 - jdg.gogexycohunsds.net

 

CHAIN OF EVENTS

• 05:22:33 UTC - 64.120.207.245 - jdg.gogexycohunsds.net - GET /7knsf4i9e6
• 05:22:34 UTC - 64.120.207.245 - jdg.gogexycohunsds.net - GET /Zja80mx6PKdeU6YEYiFeIKY0_C6F5P56Anjm3AvYl9ssa1qL3V7Y4MtjtrSSkq96S5-p0W2OrAE=
• 05:22:34 UTC - 64.120.207.245 - jdg.gogexycohunsds.net - GET /HdNwNHddNhXqPDVa_CIwAikMerIv1F6nK3Z7JQSIpkMNWcFEvynXrSFG1cBMt9pAgk1nxVX7loQ=
• 05:22:37 UTC - 64.120.207.245 - jdg.gogexycohunsds.net - GET /NaYUCP6bPt0N71JkysS0NkphV8-ILuKyZkjHskoIyRGKY0i7Dc-hTenqFN63rDkqg-8cLfZYgvU=

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-05-02 05:22:34 UTC - 64.120.207.245:80 - 192.168.204.195:49234 - ET CURRENT_EVENTS Angler EK Landing Apr 14 2014
• 2014-05-02 05:22:34 UTC - 64.120.207.245:80 - 192.168.204.195:49234 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 1
• 2014-05-02 05:22:34 UTC - 192.168.204.195:49235 - 64.120.207.245:80 - ET POLICY Outdated Windows Flash Version IE
• 2014-05-02 05:22:38 UTC - 64.120.207.245:80 - 192.168.204.195:49234 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-05-02-Angler-EK-traffic.pcap.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.