2015-06-01 - ANGLER EK FROM 94.242.198.222 SENDS BEDEP AND NECURS

PCAP AND MALWARE:

• ZIP of the traffic:  2015-06-01-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2015-06-01-Angler-EK-malware-and-artifacts.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 89.39.144.155 port 80 - id.geloukodj.com.br - Redirect to Angler EK
• 94.242.198.222 port 80 - adiotoiminnandacqmine.visionsource-parklandeye.com - Angler EK
• 195.22.26.252 port 80 - pyprhimzkonw4.com - Post-infection traffic
• 195.22.26.248 port 80 - sso.anbtr.com - Post-infection traffic
• 195.22.26.231 port 80 - xsso.pyprhimzkonw4.com - Post-infection traffic
• 209.133.201.35 port 80 - cdxnzcdxzcjgmeoef1.com - Post-infection traffic
• 212.47.214.114 port 80 - 212.47.214.114 - Post-infection traffic
• 91.200.14.56 port 80 - 91.200.14.56 - Post-infection traffic

 

REDIRECT:

• 2015-06-01 15:15:28 UTC - id.geloukodj.com.br - GET /js/view.js

 

ANGLER EK:

• 2015-06-01 15:15:30 UTC - adiotoiminnandacqmine.visionsource-parklandeye.com - GET /forger-fatuous-roguish-guideline/659172933259539858
• 2015-06-01 15:15:33 UTC - adiotoiminnandacqmine.visionsource-parklandeye.com - GET /gwiFLyVtcw6ZYF4x4KigUs1TDcedTHxYlIWUPXnEMLlRsSe7.cpp
• 2015-06-01 15:15:36 UTC - adiotoiminnandacqmine.visionsource-parklandeye.com - GET /bRh_U6LsInmcwWljobpH117iR0iyihSfT-vzOhHIkMaFM1ro.py

 

POST-INFECTION TRAFFIC:

• 2015-06-01 15:15:39 UTC - www.earthtools.org - GET /timezone-1.1/-58.44478/-41.3294
• 2015-06-01 15:15:40 UTC - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?0051d1ec6ed6f339cf3eec7e677c95f3
• 2015-06-01 15:15:41 UTC - DNS query for: vavdaouetagxdvxu5l.com (response: No such name)
• 2015-06-01 15:15:41 UTC - DNS query for: ucnoqdmssax1.com (no content in the response)
• 2015-06-01 15:15:42 UTC - pyprhimzkonw4.com - POST /calendar.php
• 2015-06-01 15:15:43 UTC - sso.anbtr.com - GET /domain/pyprhimzkonw4.com
• 2015-06-01 15:15:45 UTC - xsso.pyprhimzkonw4.com - GET /5f1a39f4435c6b11a454881da415821a
• 2015-06-01 15:15:45 UTC - DNS query for: oglntfpvurtpmpaa8a.com (response: No such name)
• 2015-06-01 15:15:46 UTC - cdxnzcdxzcjgmeoef1.com - POST /include/functions_misc.php
• 2015-06-01 15:15:48 UTC - cdxnzcdxzcjgmeoef1.com - POST /css.php
• 2015-06-01 15:15:54 UTC - DNS query for: aiaegkalecu.com (response: No such name)
• 2015-06-01 15:15:54 UTC - DNS query for: ifkbmlatjdyl.com (response: No such name)
• 2015-06-01 15:15:54 UTC - DNS query for: beuadpchlg.com (response: No such name)
• 2015-06-01 15:15:54 UTC - DNS query for: ajzwrnjljj.com (response: No such name)
• 2015-06-01 15:15:55 UTC - DNS query for: npkxghmoru.biz (response: No such name)
• 2015-06-01 15:15:57 UTC - local_host port 15511 - 186.22.9.31 port 18323 - UDP traffic (no return traffic)
• 2015-06-01 15:16:02 UTC - local_host port 15511 - 188.254.241.115 port 20164 - UDP traffic (return traffic noted)
• 2015-06-01 15:16:08 UTC - 190.195.47.32 port 18206 - Attempted TCP connection (no response from server)
• 2015-06-01 15:16:12 UTC - POST /include/blog_functions_category.php
• 2015-06-01 15:16:13 UTC - local_host port 15511 - 24.227.28.51 port 24853 - UDP traffic (no return traffic)
• 2015-06-01 15:16:18 UTC - 190.18.87.208 port 20828 - TCP connection (full connection with some data sent)
• 2015-06-01 15:16:19 UTC - 212.47.214.114 - POST /forum/db.php
• 2015-06-01 15:16:21 UTC - 212.47.214.114 - POST /forum/db.php
• 2015-06-01 15:16:22 UTC - 212.47.214.114 - POST /forum/db.php
• 2015-06-01 15:16:55 UTC - local_host port 15511 - 93.103.215.198 port 15695 - UDP traffic (no return traffic)
• 2015-06-01 15:17:00 UTC - local_host port 15511 - 31.211.143.114 port 10160 - UDP traffic (no return traffic)
• 2015-06-01 15:17:05 UTC - local_host port 15511 - 79.121.98.40 port 6111 - UDP traffic (no return traffic)
• 2015-06-01 15:17:08 UTC - DNS query for: uqqknpieev.com (response: No such name)
• 2015-06-01 15:17:08 UTC - DNS query for: ugnsbjeintulo.com (response: No such name)
• 2015-06-01 15:17:08 UTC - DNS query for: ifqabglescmgkt.com (response: No such name)
• 2015-06-01 15:17:08 UTC - DNS query for: oijnbeaufrfp.com (response: No such name)
• 2015-06-01 15:17:10 UTC - local_host port 15511 - 186.126.177.150 port 21238 - Attempted TCP connection (no response from server)
• 2015-06-01 15:17:15 UTC - local_host port 15511 - 1190.207.130.229 port 25720- Attempted TCP connection (no response from server)
• 2015-06-01 15:17:20 UTC - local_host port 15511 - 178.84.253.121 port 10926 - UDP traffic (no return traffic)
• 2015-06-01 15:17:25 UTC - local_host port 15511 - 1194.63.137.41 port 28448 - UDP traffic (no return traffic)
• 2015-06-01 15:17:30 UTC - local_host port 15511 - 146.186.89.63 port 8304 - UDP traffic (no return traffic)
• 2015-06-01 15:17:35 UTC - local_host port 15511 - 195.34.249.92 port 23728 - UDP traffic (no return traffic)
• 2015-06-01 15:17:40 UTC - local_host port 15511 - 1177.143.83.122 port 32417 - UDP traffic (no return traffic)
• 2015-06-01 15:17:45 UTC - 190.201.58.232 port 13972 - Attempted TCP connection (no response from server)
• 2015-06-01 15:17:50 UTC - 132.248.123.242 port 21300 - TCP connection (full connection with some data sent)
• 2015-06-01 15:17:55 UTC - local_host port 15511 - 1201.213.18.53 port 8978 - UDP traffic (no return traffic)
• 2015-06-01 15:17:59 UTC - 91.200.14.56 - POST /forum/db.php
• 2015-06-01 15:19:00 UTC - local_host port 15511 - 1200.111.157.37 port 25695 - UDP traffic (no return traffic)
• 2015-06-01 15:20:00 UTC - local_host port 15511 - 1161.200.48.58 port 28639 - UDP traffic (no return traffic)
• 2015-06-01 15:21:00 UTC - local_host port 15511 - 1190.73.136.237 port 14012 - UDP traffic (no return traffic)
• 2015-06-01 15:23:00 UTC - local_host port 15511 - 124.232.56.88 port 16934 - UDP traffic (no return traffic)
• 2015-06-01 15:24:00 UTC - local_host port 15511 - 1181.44.144.33 port 14637 - UDP traffic (no return traffic)
• 2015-06-01 15:25:00 UTC - local_host port 15511 - 188.151.149.156 port 31848 - UDP traffic (no return traffic)
• 2015-06-01 15:26:00 UTC - local_host port 15511 - 1188.173.243.171 port 20398 - UDP traffic (no return traffic)
• 2015-06-01 15:27:00 UTC - local_host port 15511 - 1190.198.35.33 port 12395 - UDP traffic (no return traffic)

 

MALWARE

MALWARE FOUND ON THE INFECTED HOST:

• C:\Windows\Installer\{210B6B18-0073-9AD2-DD27-B088BCE89303}\syshost.exe
• C:\Windows\System32\Drivers\fd68341857c90b6b.sys

 

REGISTRY KEYS RELATED TO MALWARE ON THE INFECTED HOST:

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FD68341857C90B6B\0000 - Service - REG_SZ - fd68341857c90b6b
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FD68341857C90B6B\0000\Control - ActiveService - REG_SZ - fd68341857c90b6b
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FD68341857C90B6B\0000 - Service - REG_SZ - fd68341857c90b6b
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FD68341857C90B6B\0000\Control - ActiveService - REG_SZ - fd68341857c90b6b
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fd68341857c90b6b

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the traffic:  2015-06-01-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2015-06-01-Angler-EK-malware-and-artifacts.zip

Click here to return to the main page.