2015-04-01 - ANGLER EK FROM 209.126.113.76

ASSOCIATED FILES:

• ZIP of the pcap:  2015-04-01-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2015-04-01-Angler-EK-malware.zip

 

NOTES

SOME OF THE DIRECTORIES AND FILES CREATED FROM THE INFECTION:

• C:\ProgramData\Windows Genuine Advantage\{F300DD14-DC01-4656-8515-B5C2952A621E}
• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\d3d10core.dll
• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a
• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\qmuqquma.tmp (0 bytes)

 

SPOME OF THE REGISTRY KEYS CREATED OR UPDATED:

• HKEY_USERS\S-1-5-21-970660591-2671040492-1938035795-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
• HKEY_CLASSES_ROOT\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

 

ASSOCIATED DOMAINS:

• 209.126.113.76 port 80 - inspirablebacktenter.modernlifestyle.com - Angler EK

 

ANGLER EK:

• 2015-04-01 11:51:28 UTC - inspirablebacktenter.modernlifestyle.com - GET /pions_fingertips_rebuff/8057907058341
• 2015-04-01 11:51:30 UTC - inspirablebacktenter.modernlifestyle.com - GET /3R6sqI6COwSVqj-FeU2X7WK5qWYlpQskmTr-ivR7ZSZuIbap
• 2015-04-01 11:51:38 UTC - inspirablebacktenter.modernlifestyle.com - HEAD /9Oj96BjEJ7Rpe-CuvXMl_DVaDQFeQV53vYrJekoio1vi9dIc
• 2015-04-01 11:51:39 UTC - inspirablebacktenter.modernlifestyle.com - GET /9Oj96BjEJ7Rpe-CuvXMl_DVaDQFeQV53vYrJekoio1vi9dIc

 

POST-INFECTION TRAFFIC:

• 2015-04-01 11:51:34 UTC - 208.113.226.171 port 80 - www.earthtools.org - POST /timezone/0/0
• 2015-04-01 11:51:35 UTC - 23.207.50.209 port 80 - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2015-04-01 11:51:37 UTC - 85.25.104.159 port 80 - gnghofvqgfescuijcv.com - POST /   [repeats]
• 2015-04-01 11:51:48 UTC - 188.138.25.40 port 80 - grow.woodzydesign.co.uk - POST /news.php
• 2015-04-01 11:51:59 UTC - 85.25.104.159 port 80 - gnghofvqgfescuijcv.com - POST /

 

CLICK-FRAUD (FAKE SEARCH) TRAFFIC BEGINS:

• 2015-04-01 11:54:41 UTC - 46.105.248.104 port 80 - protectobnoxiousefficacious.com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 162.244.34.133 port 80 - delbopoera.com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 85.25.107.67 port 80 - warheroescraft.com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 78.46.107.218 port 80 - jeloyramkis.com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 162.244.34.133 port 80 - delbopoera.com - GET /ads.php?sid=1923
• 2015-04-01 11:54:41 UTC - 78.46.107.218 port 80 - jeloyramkis.com - GET /ads.php?sid=1923

 

SEE THE PCAP FOR MORE DETAILS:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2015-04-01-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2015-04-01-Angler-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.