2015-03-27 - ANGLER EK AND MAGNITUDE EK

ASSOCIATED FILES:

• ZIP of pcap:  2015-03-27-Angler-and-Magnitude-EK-traffic.pcap.zip
• ZIP of pcap:  2015-03-27-Magnitude-EK-traffic.pcap.zip
• ZIP of the malware:  2015-03-27-Angler-and-Magnitude-EK-malware.zip

NOTES:

• Got Angler EK pushing Bedep, and during the click-fraud traffic, saw Magnitude EK.
• Did a separate infection for Magnitude, based on the first pcap.
• Location of malware from the Angler EK infection - C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\apphelp.dll
• CryptoWall 3.0 from the Magnitude EK infection - Bitcoin address for ransomware payment:  191Bc2rYKu99G1nQ5WhDMy55u8tXm31vAP

 

ADDITIONAL INFO

DOMAINS FROM FIRST PCAP (ANGLER AND MAGNITUDE):

• 188.138.68.234  --  kiyoshi.noahsbootandshoerepair.com  --  Angler EK
• www.earthtools.org  --  Not malicious, just malware checking for connectivity & location
• www.ecb.europa.eu  --  Not malicious, just malware checking for connectivity & location
• 85.25.104.159  --  wrzvmyfzckdgcij4.com  --  post-infection traffic
• 188.138.25.46  --  fasion.arunthati.co.uk  --  post-infection traffic
• 78.46.107.218  --  geeksdronesfamily.net  --  post-infection traffic
• 85.25.107.67  --  sandsofafrica.net  --  post-infection traffic
• 162.244.34.133  --  koreandust.com  --  post-infection traffic
• 78.46.107.218  --  geeksdronesfamily.net  --  post-infection traffic
• 85.25.107.67  --  sandsofafrica.net  --  post-infection traffic
• 184.164.143.90  --  184.164.143.90  --  post-infection traffic
• 188.227.165.22  --  popularfinance.me  --  post-infection traffic
• 136.243.241.27  --  f5dba.c6.0dcee20.d3.0d7f.0ae3.11eaa.810.yy0w6j4j.changesmoves.in  --  Magnitude EK triggered by popularfinance.me

DOMAINS FROM THE SECOND PCAP (MAGNITUDE ONLY):

• 188.227.165.22 port 80  --  popularfinance.me  --  Compromised site
• 136.243.241.27 port 80  --  bf29df.e66.83.1c.3d8a.54.1393d.bc7dc6b.6.scg512374t1.changesmoves.in  --  Magnitude EK
• 75.127.68.66 port 80  --  plushandmore.com  --  CryptoWall 3.0 post-infection traffic
• 103.18.4.191 port 80  --  pianogiare.com  --  CryptoWall 3.0 post-infection traffic
• 151.80.179.211 port 80  --  paytoc4gtpn5czl2.optionstopaytos.com  --  CryptoWall 3.0 post-infection traffic
• 62.109.7.65 port 443  --  umz99.ru  --  HTTPS traffic caused by other Magnitude EK payload.
• 82.146.54.155 port 80  --  somethinnew.ru - GET/run.exe (Simda download)
• 94.242.253.106  --  report.uoce17k3y79o1oce.com  --  post-infection Simda traffic
• 94.242.253.106  --  update1.g8b20e5akez5w.com  --  post-infection Simda traffic
• 94.242.253.106  --  update1.gs9gow35rq.com  --  post-infection Simda traffic
• 217.23.6.131  --  report.a7931793wsku1myw.com  --  post-infection Simda traffic
• 217.23.6.131  --  report.uoce17k3y79o1oce.com  --  post-infection Simda traffic

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of pcap:  2015-03-27-Angler-and-Magnitude-EK-traffic.pcap.zip
• ZIP of pcap:  2015-03-27-Magnitude-EK-traffic.pcap.zip
• ZIP of the malware:  2015-03-27-Angler-and-Magnitude-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.