Malware-Traffic-Analysis.net - 2015-06-15 - Angler EK from 46.4.235.3 sends Bedep

2015-06-15 - ANGLER EK FROM 46.4.235.3 SENDS BEDEP

PCAP AND MALWARE:

ZIP FILE CONTENTS:

2015-06-15-Angler-EK-landing-page.txt (88,524 bytes)
twain_32.dll (250,784 bytes) - MD5 hash: f41f10b91f447d325ea1bc1b80e26ebd - SHA256: f540018e28a0a7ce4b8a8f391d4e84bf9951d650f7d277e724694baded13e5a1

ASSOCIATED DOMAINS:

46.4.235.3 port 80 - pyhnen.mistresseve.com - Angler EK
95.211.230.75 port 80 - ijyminllbfsuice46.com - Bedep post-infection traffic
162.244.33.102 port 80 - tebemqyscaglxtb.com - Bedep post-infection traffic
94.242.198.218 port 80 - will.merchantprospect.com - Bedep post-infection traffic
162.244.34.140 port 80 - mouyrate.com - Click-fraud traffic begins
95.211.202.33 port 80 - jerorefest.com - Click-fraud traffic begins
209.133.193.98 port 80 - neoplanset.com - Click-fraud traffic begins
46.45.137.77 port 80 - gregsomebore.com - Click-fraud traffic begins
162.244.34.39 port 80 - jertadopoeremo.com - Click-fraud traffic begins

ANGLER EK:

2015-06-15 14:29:21 UTC - pyhnen.mistresseve.com - GET /search?ayjz=ellhh&h6abl=ae&hbkyv=h&e2=z&wmh=9l5vs&gi=986&xfuwt=p0vei&alw=l&1vv=u&4c78q=l
2015-06-15 14:29:23 UTC - pyhnen.mistresseve.com - GET /playoner.asr?vbscrip=Y8uW&three=&cppbin=OgTq&six=&five=QR6yHfd-t3&four=n1Lrui1&
aspface=erO5938Fg5O11o4ol8Gr4By
2015-06-15 14:29:26 UTC - pyhnen.mistresseve.com - GET /nine.webarchive?six=&nine=eHi&jspage=&eight=2KSYcoBpSe&three=mmFin8h955&
aspface=&vbscrip=OfUKO9&ten=OJbvBD&pycharm=R2M&four=B0wF&two=a-qlxv

POST-INFECTION TRAFFIC (BEDEP):

2015-06-15 14:29:40 UTC - www.earthtools.org - GET /timezone-1.1/-28.37670/57.12234
2015-06-15 14:29:41 UTC - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?cf1132c904c52895cda76fa365265de4
2015-06-15 14:29:43 UTC - ijyminllbfsuice46.com - POST /blog.php
2015-06-15 14:29:44 UTC - tebemqyscaglxtb.com - POST /asset.php
2015-06-15 14:29:46 UTC - tebemqyscaglxtb.com - POST /include/database_error_message.html
2015-06-15 14:30:01 UTC - will.merchantprospect.com - POST /news.php
2015-06-15 14:30:09 UTC - tebemqyscaglxtb.com - POST /memberlist.php
2015-06-15 14:31:19 UTC - tebemqyscaglxtb.com - POST /index.php
2015-06-15 14:31:20 UTC - tebemqyscaglxtb.com - POST /include/class_blog_entry.php

CLICK-FRAUD TRAFFIC BEGINS:

2015-06-15 14:32:33 UTC - mouyrate.com - GET /ads.php?sid=1923
2015-06-15 14:32:33 UTC - jerorefest.com - GET /ads.php?sid=1923
2015-06-15 14:32:33 UTC - neoplanset.com - GET /ads.php?sid=1923
2015-06-15 14:32:34 UTC - gregsomebore.com - GET /ads.php?sid=1923
2015-06-15 14:32:34 UTC - jertadopoeremo.com - GET /ads.php?sid=1923
2015-06-15 14:32:49 UTC - jertadopoeremo.com - GET /ads.php?sid=1923
2015-06-15 14:32:50 UTC - mouyrate.com - GET /ads.php?sid=1923
2015-06-15 14:32:51 UTC - neoplanset.com - GET /j.php?s=1a4468a7b2a7027e87fb8029e73f7951
2015-06-15 14:32:52 UTC - jerorefest.com - GET /ads.php?sid=1923
2015-06-15 14:32:52 UTC - neoplanset.com - GET /ads.php?sid=1923

FILE FROM INFECTED HOST:

ASSOCIATED REGISTRY KEYS:

HKEY_CLASSES_ROOT\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
HKEY_USERS\S-1-5-21-970660591-2671040492-1938035795-1000\Sofware\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
HKEY_USERS\S-1-5-21-970660591-2671040492-1938035795-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Once again, here are the associated files:

The ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.