2015-05-26 - ANGLER EK SENDS BEDEP, HOST INFECTED WITH CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the traffic:  2015-05-26-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2015-05-26-Angler-EK-malware.zip

 

NOTES:

• Couldn't get a copy of CryptoWall 3.0 noted after Bedep, but the bitcoin address for ransom payment was: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB

 

CHAIN OF EVENTS

ANGLER EK:

• 2015-05-26 15:17:16 UTC - 216.245.213.6 port 80 - ruimde.edibleair.com - GET /intensity-breton-liminal-nominally/232472044780593132
• 2015-05-26 15:17:19 UTC - 216.245.213.6 port 80 - ruimde.edibleair.com - GET /es8DbYZqDlhZCA-UvJVYyBc0ih3vmvyejfLOTfEznJ1bCa7I
• 2015-05-26 15:17:56 UTC - 216.245.213.6 port 80 - ruimde.edibleair.com - GET /WFzomlIySxhj6z039wS_bcxVN89t_ryYajlzzawCmnO22hE7

 

POST-INFECTION TRAFFIC RELATED TO BEDEP:

• 2015-05-26 15:17:56 UTC - 208.113.226.171 port 80 - www.earthtools.org - POST /timezone/0/0
• 2015-05-26 15:17:57 UTC - 23.67.91.134 port 80 - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2015-05-26 15:17:58 UTC - 195.22.26.254 port 80 - ubtwfamlqxkx2k.com - POST /index.php
• 2015-05-26 15:17:59 UTC - 195.22.26.248 port 80 - sso.anbtr.com - GET /domain/ubtwfamlqxkx2k.com
• 2015-05-26 15:18:00 UTC - 195.22.26.253 port 80 - xsso.ubtwfamlqxkx2k.com - GET /a40fad694189bdb31d8ea1b0bb495a3f
• 2015-05-26 15:18:05 UTC - 195.22.26.254 port 80 - ubtwfamlqxkx2k.com - POST /register.php
• 2015-05-26 15:18:12 UTC - 195.22.26.254 port 80 - ubtwfamlqxkx2k.com - POST /include/class_core.php
• 2015-05-26 15:18:13 UTC - 195.22.26.231 port 80 - cdizzmvsvdyok9.com - POST /include/blog_functions_main.php
• 2015-05-26 15:18:13 UTC - 195.22.26.248 port 80 - sso.anbtr.com - GET /domain/cdizzmvsvdyok9.com
• 2015-05-26 15:18:14 UTC - 195.22.26.231 port 80 - xsso.cdizzmvsvdyok9.com - GET /75b7438e59f0884285a9ecade2ed736d
• 2015-05-26 15:18:22 UTC - 195.22.26.231 port 80 - cdizzmvsvdyok9.com - POST /announcement.php
• 2015-05-26 15:18:31 UTC - 195.22.26.231 port 80 - cdizzmvsvdyok9.com - POST /album.php
• 2015-05-26 15:18:32 UTC - 195.22.26.231 port 80 - lvyzfhuejpufnwz5t.com - POST /include/functions_forumdisplay.php
• 2015-05-26 15:18:32 UTC - 195.22.26.248 port 80 - sso.anbtr.com - GET /domain/lvyzfhuejpufnwz5t.com
• 2015-05-26 15:18:33 UTC - 195.22.26.231 port 80 - xsso.lvyzfhuejpufnwz5t.com - GET /e3984fafdc813d99fa7fd2012a150cfd
• 2015-05-26 15:18:40 UTC - 195.22.26.231 port 80 - lvyzfhuejpufnwz5t.com - POST /postings.php
• 2015-05-26 15:18:50 UTC - 195.22.26.231 port 80 - lvyzfhuejpufnwz5t.com - POST /include/class_core.php
• 2015-05-26 15:18:51 UTC - 148.251.161.140 port 80 - jaadtmtkbojqcbakx.com - POST /include/functions_editor.php
• 2015-05-26 15:18:53 UTC - 148.251.161.140 port 80 - jaadtmtkbojqcbakx.com - POST /sendmessage.php
• 2015-05-26 15:19:16 UTC - 148.251.161.140 port 80 - jaadtmtkbojqcbakx.com - POST /showpost.php
• 2015-05-26 15:19:28 UTC - 148.251.161.140 port 80 - jaadtmtkbojqcbakx.com - POST /album.php
• 2015-05-26 15:19:29 UTC - 148.251.161.140 port 80 - jaadtmtkbojqcbakx.com - POST /include/class_dm_blog_rate.php

 

POST-INFECTION TRAFFIC RELATED TO CRYPTOWALL 3.0:

• 2015-05-26 15:18:56 UTC - 188.165.164.184 port 80 - ip-addr.es - GET /
• 2015-05-26 15:18:57 UTC - 81.88.48.113 port 80 - alebehr.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?w=gilufxt2m2p
• 2015-05-26 15:18:57 UTC - 146.255.46.1 port 80 - bebeamor.co.uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?z=gilufxt2m2p
• 2015-05-26 15:19:01 UTC - 213.175.200.1 port 80 - awynnejoinery.co.uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?d=gilufxt2m2p
• 2015-05-26 15:19:06 UTC - 184.168.47.225 port 80 - ammorgan.net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?r=gilufxt2m2p
• 2015-05-26 15:19:06 UTC - 213.186.33.50 port 80 - jeanrey.fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41
  /img3.php?n=gilufxt2m2p
• 2015-05-26 15:19:14 UTC - 81.88.48.113 port 80 - alebehr.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?k=mrce2lhhtd
• 2015-05-26 15:19:14 UTC - 146.255.46.1 port 80 - bebeamor.co.uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?z=mrce2lhhtd
• 2015-05-26 15:19:19 UTC - 213.175.200.1 port 80 - awynnejoinery.co.uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?x=mrce2lhhtd
• 2015-05-26 15:19:24 UTC - 184.168.47.225 port 80 - ammorgan.net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?a=mrce2lhhtd
• 2015-05-26 15:19:25 UTC - 213.186.33.50 port 80 - jeanrey.fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41
  /img3.php?y=mrce2lhhtd
• 2015-05-26 15:19:30 UTC - 81.88.48.113 port 80 - alebehr.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?m=c4k42pax9y88
• 2015-05-26 15:19:30 UTC - 146.255.46.1 port 80 - bebeamor.co.uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?h=c4k42pax9y88
• 2015-05-26 15:19:32 UTC - 213.175.200.1 port 80 - awynnejoinery.co.uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?m=c4k42pax9y88
• 2015-05-26 15:19:37 UTC - 184.168.47.225 port 80 - ammorgan.net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?v=c4k42pax9y88
• 2015-05-26 15:19:39 UTC - 213.186.33.50 port 80 - jeanrey.fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41
  /img3.php?p=c4k42pax9y88
• 2015-05-26 15:20:07 UTC - 81.88.48.113 port 80 - alebehr.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?n=h9u63z9yg7yl
• 2015-05-26 15:20:07 UTC - 146.255.46.1 port 80 - bebeamor.co.uk - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?r=h9u63z9yg7yl
• 2015-05-26 15:20:09 UTC - 213.175.200.1 port 80 - awynnejoinery.co.uk - POST /wp-content/plugins/revslider/temp/update_extract/revsliderz/img3.php?i=h9u63z9yg7yl
• 2015-05-26 15:20:15 UTC - 184.168.47.225 port 80 - ammorgan.net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?m=h9u63z9yg7yl
• 2015-05-26 15:20:16 UTC - 213.186.33.50 port 80 - jeanrey.fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41
  /img3.php?g=h9u63z9yg7yl
• 2015-05-26 15:20:22 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /1kwN8ko
• 2015-05-26 15:20:26 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/style.css
• 2015-05-26 15:20:29 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/us.png
• 2015-05-26 15:20:29 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/fr.png
• 2015-05-26 15:20:30 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/rb.png
• 2015-05-26 15:20:30 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/es.png
• 2015-05-26 15:20:30 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /picture.php?k=1kwn8ko&171b11da066a408f7526ec7cf078d42c
• 2015-05-26 15:20:30 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/rt.png
• 2015-05-26 15:20:33 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/it.png
• 2015-05-26 15:20:33 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/de.png
• 2015-05-26 15:20:33 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/lt.png
• 2015-05-26 15:20:33 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/lb.png
• 2015-05-26 15:20:36 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /favicon.ico
• 2015-05-26 15:20:39 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - POST /1kwN8ko
• 2015-05-26 15:20:43 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/style.css
• 2015-05-26 15:20:47 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/bitcoin.png
• 2015-05-26 15:20:47 UTC - 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/button_pay.png

 

CLICK FRAUD TRAFFIC BEGINS:

• 2015-05-26 15:20:55 UTC - 162.244.34.140 port 80 - jiujitsukarate.com - GET /ads.php?sid=1911
• 2015-05-26 15:20:55 UTC - 95.211.202.33 port 80 - jerorefest.com - GET /ads.php?sid=1911
• 2015-05-26 15:20:55 UTC - 151.80.254.180 port 80 - operlmospo4yt.com - GET /ads.php?sid=1911
• 2015-05-26 15:20:55 UTC - 162.244.34.39 port 80 - jertadopoeremo.com - GET /ads.php?sid=1911
• 2015-05-26 15:20:55 UTC - 88.198.218.89 port 80 - kooperinitialsdor.com - GET /ads.php?sid=1911

 

MALWARE

MALWARE FOUND ON THE INFECTED HOST:

• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a (encrypted or otherwise obfuscated)
• C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\twain_32.dll (Bedep)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the traffic:  2015-05-26-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2015-05-26-Angler-EK-malware.zip

Click here to return to the main page.