2015-05-18 - ANGLER EK SENDS BEDEP

PCAP AND MALWARE:

• ZIP of the pcaps:  2015-05-18-Angler-EK-traffic-pcaps.zip
• ZIP of the malware:  2015-05-18-Angler-EK-malware.zip

 

NOTES:

• Wasn't able to decrypt the malware payload... The zip file only contains the landing pages and Flash exploits extracted from the pcap files.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 178.63.174.158 port 80 - damniam-metempir.rahmatcosmetics.com - Angler EK (first example)
• 178.63.174.157 port 80 - abrufauftrage.whitetigercommunications.com - Angler EK (second example)
• 95.211.230.75 port 80 - ljuaitsubak9.com - post-infection traffic
• 50.63.202.37 port 80 - pzmavjxomlsplypiq7.com - post-infection traffic
• 148.251.161.139 port 80 - ourritjuuayylc.com - post-infection traffic
• 178.63.195.249 port 80 - jeep.cheapest-clothes.co.uk - post-infection traffic (first example)
• 178.63.195.250 port 80 - join.cheapestclothes.co.uk - post-infection traffic (second example)
• 128.199.96.35 port 80 - cwtzqtgzeuvcfkpodr.comk - post-infection traffic
• 128.199.96.35 port 80 - pzmavjxomlsplypiq7.comk - post-infection traffic
• 166.78.144.80 port 80 - pougitxdnkpqitd6q.comk - post-infection traffic
• 95.211.202.33 port 80 - hershipoladous.com - click-fraud traffic begins (first example)
• 88.198.218.89 port 80 - kooperinitialsdor.com - click-fraud traffic begins (first example)
• 162.244.34.140 port 80 - nailsartsdesfuture.com - click-fraud traffic begins (first example)
• 162.244.34.39 port 80 - koregahot.com - click-fraud traffic begins (first example)

 

FIRST EXAMPLE:

• 2015-05-18 00:48:24 UTC - damniam-metempir.rahmatcosmetics.com - GET /delineates-disconsolate-humps-mathematically/222547646503185970
• 2015-05-18 00:48:26 UTC - damniam-metempir.rahmatcosmetics.com - GET /OA1pECqPrRVqZF1Na5k0b3hDBVUk1GedCQTCXx8Z4j11iEDl
• 2015-05-18 00:48:31 UTC - damniam-metempir.rahmatcosmetics.com - GET /zqsajUTtWoRzW7QeAzyQc97x-sBPuLISgFKN2nP9iuZnLpKA
• 2015-05-18 00:48:32 UTC - www.earthtools.org - POST /timezone/0/0
• 2015-05-18 00:48:33 UTC - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2015-05-18 00:48:34 UTC - ljuaitsubak9.com - POST /forum.php
• 2015-05-18 00:48:41 UTC - ljuaitsubak9.com - POST /include/class_dm_forum.php
• 2015-05-18 00:48:47 UTC - ljuaitsubak9.com - POST /include/class_dm_blog.php
• 2015-05-18 00:48:47 UTC - DNS query for: pougitxdnkpqitd6q.com   [Server response: No such name]
• 2015-05-18 00:48:47 UTC - DNS query for: nldgwauowbxbi1t.com   [Server response: No such name]
• 2015-05-18 00:48:47 UTC - DNS query for: kvgtnxrnrzuynm0d.com   [Server response: No such name]
• 2015-05-18 00:48:47 UTC - DNS query for: qnguehfwbsgy.com   [Server response: No such name]
• 2015-05-18 00:48:47 UTC - DNS query for: bvxhlumcdmzr2i.com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: drmozrqfads4i.com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: jdwakqatysqk6.com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: dkhfidzqyvrgsoo1.com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: gvdrblxqayqas.com   [Server response: No such name]
• 2015-05-18 00:48:48 UTC - DNS query for: slyonxonqvhr8l.com   [Server response: No such name]
• 2015-05-18 00:48:49 UTC - pzmavjxomlsplypiq7.com - POST /widget.php
• 2015-05-18 00:49:00 UTC - pzmavjxomlsplypiq7.com - POST /postings.php
• 2015-05-18 00:49:00 UTC - pzmavjxomlsplypiq7.com - GET /site.aspx?aspxerrorpath=/default.aspx
• 2015-05-18 00:49:09 UTC - pzmavjxomlsplypiq7.com - POST /showthread.php
• 2015-05-18 00:49:10 UTC - pzmavjxomlsplypiq7.com - GET /site.aspx?aspxerrorpath=/default.aspx
• 2015-05-18 00:49:10 UTC - DNS query for: igzutnruxtnf.com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: cifmwpkutbenrngf.com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: weflinefodxfple.com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: gkhllkaxdzdi9i.com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: ksirtlnhlcmpsefqn.com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: brfhpqjwrxwlu2.com   [Server response: No such name]
• 2015-05-18 00:49:11 UTC - DNS query for: virkazwenainsocj.com   [Server response: No such name]
• 2015-05-18 00:49:12 UTC - ourritjuuayylc.com - POST /profile.php
• 2015-05-18 00:49:21 UTC - ourritjuuayylc.com - POST /asset.php
• 2015-05-18 00:49:26 UTC - jeep.cheapest-clothes.co.uk - POST /news.php HTTP/1.0
• 2015-05-18 00:49:37 UTC - ourritjuuayylc.com - POST /include/class_dm_blog_category.php
• 2015-05-18 00:50:21 UTC - ourritjuuayylc.com - POST /blog.php
• 2015-05-18 00:50:48 UTC - ourritjuuayylc.com - POST /include/database_error_page.html
• 2015-05-18 00:51:05 UTC - ourritjuuayylc.com - POST /include/class_dm_event.php
• 2015-05-18 00:51:26 UTC - hershipoladous.com - GET /ads.php?sid=1923
• 2015-05-18 00:51:26 UTC - kooperinitialsdor.com - GET /ads.php?sid=1923
• 2015-05-18 00:51:26 UTC - nailsartsdesfuture.com - GET /ads.php?sid=1923
• 2015-05-18 00:51:26 UTC - koregahot.com - GET /ads.php?sid=1923

 

SECOND EXAMPLE:

• 2015-05-18 17:37:09 UTC - abrufauftrage.whitetigercommunications.com - GET /personification_rubberstamped_narrations_totalitarian/239529191537335005
• 2015-05-18 17:37:11 UTC - abrufauftrage.whitetigercommunications.com - GET /IcluLIR_WERIkHajs3BZN0cjpFxZ1IUxL7RNTMezCeWgsn1T
• 2015-05-18 17:37:12 UTC - abrufauftrage.whitetigercommunications.com - GET /7wN3QtlhwuulgR6owMC76W3XUNK7pzI7nNnKtDEA2janK8aC
• 2015-05-18 17:37:24 UTC - www.earthtools.org - POST /timezone/0/0
• 2015-05-18 17:37:24 UTC - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2015-05-18 17:37:26 UTC - DNS query for: gvdrblxqayqas.com   [Server response: No such name]
• 2015-05-18 17:37:26 UTC - DNS query for: igzutnruxtnf.com   [Server response: No such name]
• 2015-05-18 17:37:26 UTC - DNS query for: gkhllkaxdzdi9i.com   [Server response: No such name]
• 2015-05-18 17:37:26 UTC - DNS query for: virkazwenainsocj.com   [Server response: No such name]
• 2015-05-18 17:37:26 UTC - DNS query for: hmvqrosylwkmfibj.com   [Server response: No such name]
• 2015-05-18 17:37:27 UTC - cwtzqtgzeuvcfkpodr.com - POST /forum.php
• 2015-05-18 17:37:34 UTC - cwtzqtgzeuvcfkpodr.com - POST /xmlsitemap.php
• 2015-05-18 17:37:44 UTC - cwtzqtgzeuvcfkpodr.com - POST /include/functions_databuild.php
• 2015-05-18 17:37:44 UTC - DNS query for: utapairnxofvro20.com   [Server response: No such name]
• 2015-05-18 17:37:44 UTC - DNS query for: nldgwauowbxbi1t.com   [Server response: No such name]
• 2015-05-18 17:37:44 UTC - DNS query for: bvxhlumcdmzr2i.com   [Server response: No such name]
• 2015-05-18 17:37:45 UTC - DNS query for: dkhfidzqyvrgsoo1.com   [Server response: No such name]
• 2015-05-18 17:37:45 UTC - pzmavjxomlsplypiq7.com - POST /include/functions_legacy.php
• 2015-05-18 17:37:54 UTC - pzmavjxomlsplypiq7.com - POST /register.php
• 2015-05-18 17:38:02 UTC - pzmavjxomlsplypiq7.com - POST /showpost.php
• 2015-05-18 17:38:03 UTC - DNS query for: weflinefodxfple.com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - DNS query for: brfhpqjwrxwlu2.com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - DNS query for: wqudmudgtdmhoxo.com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - DNS query for: fvfecxmewilwxvp3.com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - DNS query for: butwmiaphhfj70.com   [Server response: No such name]
• 2015-05-18 17:38:03 UTC - pougitxdnkpqitd6q.com - POST /showpost.php
• 2015-05-18 17:38:13 UTC - pougitxdnkpqitd6q.com - POST /include/blog_functions.php
• 2015-05-18 17:38:42 UTC - pougitxdnkpqitd6q.com - POST /include/functions_facebook.php
• 2015-05-18 17:39:09 UTC - pougitxdnkpqitd6q.com - POST /groupsubscription.php
• 2015-05-18 17:39:19 UTC - pougitxdnkpqitd6q.com - POST /widget.php
• 2015-05-18 17:39:19 UTC - DNS query for: qnguehfwbsgy.com   [Server response: No such name]
• 2015-05-18 17:39:19 UTC - DNS query for: jdwakqatysqk6.com   [Server response: No such name]
• 2015-05-18 17:39:20 UTC - DNS query for: slyonxonqvhr8l.com   [Server response: No such name]
• 2015-05-18 17:39:20 UTC - DNS query for: cifmwpkutbenrngf.com   [Server response: No such name]
• 2015-05-18 17:39:20 UTC - DNS query for: ksirtlnhlcmpsefqn.com   [Server response: No such name]
• 2015-05-18 17:39:20 UTC - ourritjuuayylc.com - POST /include/class_database_slave.php
• 2015-05-18 17:39:27 UTC - ourritjuuayylc.com - POST /profile.php
• 2015-05-18 17:39:41 UTC - join.cheapestclothes.co.uk - POST /news.php
• 2015-05-18 17:39:46 UTC - ourritjuuayylc.com - POST /content.php

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcaps:  2015-05-18-Angler-EK-traffic-pcaps.zip
• ZIP of the malware:  2015-05-18-Angler-EK-malware.zip

Click here to return to the main page.