Malware-Traffic-Analysis.net - 2015-05-14 - Angler EK from 178.63.174.153

2015-05-14 - ANGLER EK FROM 178.63.174.153 - SENDS BEDEP & NECURS

PCAP FILE:

ASSOCIATED DOMAINS:

185.14.30.218 port 80 - web.speeding-tricks.com - Redirect/gate
178.63.174.153 port 80 - erroroutvoorschrijven.belmontflooringanddesigncenter.com - Angler EK
208.113.226.171 port 80 - www.earthtools.org - post-infection check by the malware [not inherently malicious]
104.72.249.234 port 80 - www.ecb.europa.eu - post-infection check by the malware [not inherently malicious]
95.211.230.75 port 80 - ljuaitsubak9.com - post-infection traffic
148.251.161.139 port 80 - ourritjuuayylc.com - post-infection traffic
77.123.137.221 port 80 - 77.123.137.221 - post-infection traffic
various domains and IP addresses - other post-infection UDP traffic and DNS queries

REDIRECT/GATE:

2015-05-15 13:23:39 UTC - 192.168.122.196 port 49250 - 185.14.30.218 port 80 - web.speeding-tricks.com - GET /js/script.js

ANGLER EK:

2015-05-15 13:23:39 UTC - 192.168.122.196 port 49258 - 178.63.174.153 port 80 - erroroutvoorschrijven.belmontflooringanddesigncenter.com -
GET /bobcat-retainers-twanging-robot/552569844392477911

2015-05-15 13:23:41 UTC - 192.168.122.196 port 49258 - 178.63.174.153 port 80 - erroroutvoorschrijven.belmontflooringanddesigncenter.com -
GET /SUyGed2Q74uIS1WWeQ1MIuhSR10JD72ZAbJWl7d5h2_gV1xH

2015-05-15 13:23:43 UTC - 192.168.122.196 port 49277 - 178.63.174.153 port 80 - erroroutvoorschrijven.belmontflooringanddesigncenter.com -
GET /TPTxsGUpzR2DZFuACCWQ9UwYVL54-9G5M3nfBJm5QhDykkpK

POST-INFECTION HTTP TRAFFIC:

2015-05-15 13:23:48 UTC - 192.168.122.196 port 49281 - 208.113.226.171 port 80 - www.earthtools.org - POST /timezone/0/0
2015-05-15 13:23:48 UTC - 192.168.122.196 port 49285 - 104.72.249.234 port 80 - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml

2015-05-15 13:23:49 UTC - DNS query for: kvgtnxrnrzuynm0d.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: wqudmudgtdmhoxo.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: gvdrblxqayqas.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: butwmiaphhfj70.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: gkhllkaxdzdi9i.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: qnguehfwbsgy.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: hmvqrosylwkmfibj.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: slyonxonqvhr8l.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: utapairnxofvro20.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: ksirtlnhlcmpsefqn.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: bvxhlumcdmzr2i.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: ixxqbtonmbi6u.com [server reply: No such name]
2015-05-15 13:23:50 UTC - DNS query for: pzmavjxomlsplypiq7.com [server reply: No such name]

2015-05-15 13:23:50 UTC - 192.168.122.196 port 49287 - 95.211.230.75 port 80 - ljuaitsubak9.com - POST /album.php
2015-05-15 13:23:56 UTC - 192.168.122.196 port 49287 - 95.211.230.75 port 80 - ljuaitsubak9.com - POST /attachment.php
2015-05-15 13:24:02 UTC - 192.168.122.196 port 49287 - 95.211.230.75 port 80 - ljuaitsubak9.com - POST /calendar.php

2015-05-15 13:24:02 UTC - DNS query for: brfhpqjwrxwlu2.com [server reply: No such name]
2015-05-15 13:24:02 UTC - DNS query for: drmozrqfads4i.com [server reply: No such name]
2015-05-15 13:24:02 UTC - DNS query for: fvfecxmewilwxvp3.com [server reply: No such name]
2015-05-15 13:24:02 UTC - DNS query for: igzutnruxtnf.com [server reply: No such name]
2015-05-15 13:24:02 UTC - DNS query for: pougitxdnkpqitd6q.com [server reply: No such name]
2015-05-15 13:24:02 UTC - DNS query for: virkazwenainsocj.com [server reply: No such name]
2015-05-15 13:24:02 UTC - DNS query for: jdwakqatysqk6.com [server reply: No such name]
2015-05-15 13:24:02 UTC - DNS query for: cwtzqtgzeuvcfkpodr.com [server reply: No such name]
2015-05-15 13:24:02 UTC - DNS query for: cifmwpkutbenrngf.com [server reply: No such name]
2015-05-15 13:24:02 UTC - DNS query for: nldgwauowbxbi1t.com [server reply: No such name]

2015-05-15 13:24:03 UTC - 192.168.122.196 port 49288 - 148.251.161.139 port 80 - ourritjuuayylc.com - POST /newthread.php
2015-05-15 13:24:17 UTC - 192.168.122.196 port 49288 - 148.251.161.139 port 80 - ourritjuuayylc.com - POST /include/class_ajax_output.php

2015-05-15 13:24:19 UTC - DNS query for: aydpyqwapbf.com [server reply: No such name]
2015-05-15 13:24:19 UTC - DNS query for: lluynjlttkn.com [server reply: No such name]
2015-05-15 13:24:19 UTC - DNS query for: ygohrvahvz.com [server reply: No such name]
2015-05-15 13:24:19 UTC - DNS query for: juykjtapjiqv.com [server reply: No such name]
2015-05-15 13:24:22 UTC - DNS query for: npkxghmoru.biz [server reply: No such name]

2015-05-15 13:24:28 UTC - 192.168.122.196 port 49288 - 148.251.161.139 port 80 - ourritjuuayylc.com - POST /include/functions_banning.php

2015-05-15 13:24:29 UTC - 192.168.122.196 port 24573 - 194.33.104.30 port 10088 - UDP traffic
2015-05-15 13:24:34 UTC - 192.168.122.196 port 24573 - 94.78.188.232 port 6191 - UDP traffic
2015-05-15 13:24:34 UTC - 94.78.188.232 port 6191 - 192.168.122.196 port 24573 - UDP traffic
2015-05-15 13:24:39 UTC - 192.168.122.196 port 24573 - 190.53.239.144 port 12903 - UDP traffic
2015-05-15 13:24:54 UTC - 192.168.122.196 port 24573 - 200.86.100.44 port 27121 - UDP traffic
2015-05-15 13:24:59 UTC - 192.168.122.196 port 24573 - 109.105.8.176 port 4524 - UDP traffic

2015-05-15 13:25:06 UTC - 192.168.122.196 port 49295 - 77.123.137.221 port 80 - 77.123.137.221 - POST /forum/db.php
2015-05-15 13:25:07 UTC - 192.168.122.196 port 49295 - 77.123.137.221 port 80 - 77.123.137.221 - POST /forum/db.php

2015-05-15 13:25:38 UTC - 192.168.122.196 port 24573 - 201.248.116.29 port 12479 - UDP traffic
2015-05-15 13:25:43 UTC - 192.168.122.196 port 24573 - 190.200.224.88 port 21829 - UDP traffic

2015-05-15 13:25:47 UTC - DNS query for: jectfjpcluott.com [server reply: No such name]
2015-05-15 13:25:47 UTC - DNS query for: etsopayakyzptdu.com [server reply: No such name]
2015-05-15 13:25:47 UTC - DNS query for: hkaugimskbyn.com [server reply: No such name]
2015-05-15 13:25:47 UTC - DNS query for: qysmtmsumgyrec.com [server reply: No such name]

2015-05-15 13:25:53 UTC - 192.168.122.196 port 24573 - 190.188.58.82 port 4290 - UDP traffic
2015-05-15 13:25:58 UTC - 192.168.122.196 port 24573 - 190.17.205.123 port 13495 - UDP traffic
2015-05-15 13:26:08 UTC - 192.168.122.196 port 24573 - 89.215.49.91 port 4678 - UDP traffic
2015-05-15 13:26:13 UTC - 192.168.122.196 port 24573 - 176.100.211.173 port 13065 - UDP traffic

2015-05-15 13:26:18 UTC - 192.168.122.196 port 49162 - 77.123.137.221 port 80 - 77.123.137.221 - POST /forum/db.php

2015-05-15 13:27:23 UTC - 192.168.122.196 port 24573 - 37.156.119.198 port 23129 - UDP traffic
2015-05-15 13:28:23 UTC - 192.168.122.196 port 24573 - 24.138.249.99 port 15909 - UDP traffic
2015-05-15 13:31:23 UTC - 192.168.122.196 port 24573 - 148.226.51.196 port 19911 - UDP traffic
2015-05-15 13:32:23 UTC - 192.168.122.196 port 24573 - 98.30.20.55 port 12983 - UDP traffic
2015-05-15 13:35:23 UTC - 192.168.122.196 port 24573 - 165.132.86.40 port 9937 - UDP traffic
2015-05-15 13:36:23 UTC - 192.168.122.196 port 24573 - 212.5.34.216 port 11725 - UDP traffic
2015-05-15 13:38:23 UTC - 192.168.122.196 port 24573 - 78.128.48.253 port 21242 - UDP traffic
2015-05-15 13:42:23 UTC - 192.168.122.196 port 24573 - 132.147.19.87 port 4834 - UDP traffic
2015-05-15 13:43:23 UTC - 192.168.122.196 port 24573 - 190.201.29.114 port 8166 - UDP traffic

Once again, here's the pcap:

Click here to return to the main page.