2015-03-27 - ANGLER EK AND MAGNITUDE EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-03-27-Angler-and-Magnitude-EK-traffic.pcap.zip
• 2015-03-27-Magnitude-EK-traffic.pcap.zip
• 2015-03-27-Angler-and-Magnitude-EK-malware.zip

NOTES:

• Got Angler EK pushing Bedep, and during the click-fraud traffic, saw Magnitude EK.
• Did a separate infection for Magnitude, based on the first pcap.
• Location of malware from the Angler EK infection - C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\apphelp.dll
• Saw CryptoWall 3.0 ransomware from the Magnitude EK infection - Bitcoin address for ransomware payment:  191Bc2rYKu99G1nQ5WhDMy55u8tXm31vAP

 

ADDITIONAL INFO

DOMAINS FROM FIRST PCAP (ANGLER EK AND MAGNITUDE EK):

• 188.138.68[.]234  --  kiyoshi.noahsbootandshoerepair[.]com  --  Angler EK
• www.earthtools[.]org  --  Not malicious, just malware checking for connectivity & location
• www.ecb.europa[.]eu  --  Not malicious, just malware checking for connectivity & location
• 85.25.104[.]159  --  wrzvmyfzckdgcij4[.]com  --  post-infection traffic
• 188.138.25[.]46  --  fasion.arunthati[.]co[.]uk  --  post-infection traffic
• 78.46.107[.]218  --  geeksdronesfamily[.]net  --  post-infection traffic
• 85.25.107[.]67  --  sandsofafrica[.]net  --  post-infection traffic
• 162.244.34[.]133  --  koreandust[.]com  --  post-infection traffic
• 78.46.107[.]218  --  geeksdronesfamily[.]net  --  post-infection traffic
• 85.25.107[.]67  --  sandsofafrica[.]net  --  post-infection traffic
• 184.164.143[.]90  --  184.164.143[.]90  --  post-infection traffic
• 188.227.165[.]22  --  popularfinance[.]me  --  post-infection traffic
• 136.243.241[.]27  --  f5dba.c6.0dcee20.d3.0d7f.0ae3.11eaa.810.yy0w6j4j.changesmoves[.]in  --  Magnitude EK triggered by popularfinance[.]me

DOMAINS FROM THE SECOND PCAP (MAGNITUDE ONLY):

• 188.227.165[.]22 port 80  --  popularfinance[.]me  --  Compromised site
• 136.243.241[.]27 port 80  --  bf29df.e66.83.1c.3d8a.54.1393d.bc7dc6b.6.scg512374t1.changesmoves[.]in  --  Magnitude EK
• 75.127.68[.]66 port 80  --  plushandmore[.]com  --  CryptoWall 3.0 ransomware post-infection traffic
• 103.18.4[.]191 port 80  --  pianogiare[.]com  --  CryptoWall 3.0 ransomware post-infection traffic
• 151.80.179[.]211 port 80  --  paytoc4gtpn5czl2.optionstopaytos[.]com  --  CryptoWall 3.0 ransomware post-infection traffic
• 62.109.7[.]65 port 443  --  umz99[.]ru  --  HTTPS traffic caused by other Magnitude EK payload.
• 82.146.54[.]]155 port 80  --  somethinnew[.]ru - GET/run.exe (Simda download)
• 94.242.253[.]106  --  report.uoce17k3y79o1oce[.]com  --  post-infection Simda traffic
• 94.242.253[.]106  --  update1.g8b20e5akez5w[.]com  --  post-infection Simda traffic
• 94.242.253[.]106  --  update1.gs9gow35rq[.]com  --  post-infection Simda traffic
• 217.23.6[.]131  --  report.a7931793wsku1myw[.]com  --  post-infection Simda traffic
• 217.23.6[.]131  --  report.uoce17k3y79o1oce[.]com  --  post-infection Simda traffic

 

Click here to return to the main page.