2015-07-07 - ANGLER EK TRAFFIC - 2 EXAMPLES

PCAPS:

• ZIP archive of both pcaps:  2015-07-07-Angler-EK-both-pcaps.zip

NOTES:

• No malware samples for this blog entry (just the pcap files).
• Bitcoin address for the CryptoWall 3.0 traffic was: 15VLNcbohAKUqNQL9fM7kLdmNkZJnaR7EH

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 148.251.133.230 port 80 - tjonetsotilasjohdossa.towerrecords.ca - Angler EK
• 95.211.230.75 port 80 - jkryuljtpxkpbpsn.com - Bedep-related post-infection traffic
• 162.244.33.104 port 80 - pygsrnpckgqh2q.com - Bedep-related post-infection traffic
• 213.133.98.11 port 80 - over.brightlightfireworks.com - Bedep-related post-infection traffic
• 162.244.34.140 port 80 - v0v3gd51.com - Click-fraud traffic begins
• 95.211.202.33 port 80 - t3kkyhb6wi.com - Click-fraud traffic begins
• 162.244.34.39 port 80 - ndpxyhnh59b.com - Click-fraud traffic begins
• 31.148.220.95 port 80 - fvvj24s57af4.com - Click-fraud traffic begins
• 46.45.137.77 port 80 - y643sj32dk.com - Click-fraud traffic begins

• 216.144.244.148 port 80 - unadvertiseschaedliches.resistancebands101.com - Angler EK
• 37.61.233.106 port 80 - twirlygirlphotography.com - CryptoWall 3.0 callback traffic
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.paytostopigil.com - Accessing page for decrypt instructions
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.paytodoublemoney.com - Accessing page for decrpyt instructions

 

ANGLER EK - 2015-07-06 at 22:03 UTC:

• 2015-07-06 22:03:43 UTC - tjonetsotilasjohdossa.towerrecords.ca - GET /peruses.php?q=kx5e941Mm&pq=Q&wm=eqQoP&o=IhW9imXIolIf-SnyMkhW9-&
  t=NxXOCgm-iXCLwpS9NdbNfCe5-6e&si=HWblIIoB-1Bz&b=U_AVeye4jEcY&up=KnM3VDwLHe&kh=T&fp=-

• 2015-07-06 22:03:45 UTC - jonetsotilasjohdossa.towerrecords.ca - GET /either.xpd?meaning=jKmy&talk=dw5UpOE&however=YFqrZ&season=&raise=Olo9_&
  complete=pV9BjFY_OZ&short=Q48&citizen=fBJ4nyPx&deal=tsHPSD

• 2015-07-06 22:03:56 UTC - tjonetsotilasjohdossa.towerrecords.ca - GET /size.ucf?present=&fight=tEXNeS&statement=6v3ALy4&
  allow=WhBvqIWuwxIYhvjGjt4jrpV0XceqUpyzQoH

POST-INFECTION BEDEP & CLICK-FRAUD TRAFFIC:

• 2015-07-06 22:04:00 UTC - www.earthtools.org - GET /timezone-1.1/48.00736/-25.59680
• 2015-07-06 22:04:01 UTC - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?8d5c42c1a764c9fee69994c8811b01fe
• 2015-07-06 22:04:02 UTC - jkryuljtpxkpbpsn.com - POST /index.php
• 2015-07-06 22:04:03 UTC - pygsrnpckgqh2q.com - POST /content.php
• 2015-07-06 22:04:10 UTC - pygsrnpckgqh2q.com - POST /newthread.php
• 2015-07-06 22:04:20 UTC - over.brightlightfireworks.com - POST /news.php
• 2015-07-06 22:04:28 UTC - pygsrnpckgqh2q.com - POST /css.php
• 2015-07-06 22:05:52 UTC - pygsrnpckgqh2q.com - POST /album.php
• 2015-07-06 22:05:55 UTC - pygsrnpckgqh2q.com - POST /list.php
• 2015-07-06 22:07:14 UTC - v0v3gd51.com - GET /ads.php?sid=1923
• 2015-07-06 22:07:14 UTC - t3kkyhb6wi.com - GET /ads.php?sid=1923
• 2015-07-06 22:07:14 UTC - ndpxyhnh59b.com - GET /ads.php?sid=1923
• 2015-07-06 22:07:14 UTC - fvvj24s57af4.com - GET /ads.php?sid=1923
• 2015-07-06 22:07:14 UTC - y643sj32dk.com - GET /ads.php?sid=1923
• 2015-07-06 22:07:24 UTC - ndpxyhnh59b.com - GET /ads.php?sid=1923
• 2015-07-06 22:07:30 UTC - y643sj32dk.com - GET /ads.php?sid=1923
• 2015-07-06 22:07:31 UTC - v0v3gd51.com - GET /ads.php?sid=1923

 

ANGLER EK - 2015-07-07 at 17:37 UTC:

• 2015-07-07 17:37:00 UTC - unadvertiseschaedliches.resistancebands101.com - GET /reinvent.php?ma=botnozcSdSm634KOew1m6st&v=EZeS&
  cv=-zM5GaAu6ixGa_m96xRPIXpzeICYey&wj=KRI6lXp3t8&cd=ThU0ViUiSu6550WwmYj&m=l&o=zEJz&ez=9&in=BL9&qg=_WvT-

• 2015-07-07 17:37:02 UTC - unadvertiseschaedliches.resistancebands101.com - GET /very.wgp?fall=KvS3I8e-&level=A_U2Byy&modern=UrvkXAr&
  do=w0w7YJtW&food=fRszsCdtJq&realize=jLk&effect=SPfp_

• 2015-07-07 17:37:03 UTC - unadvertiseschaedliches.resistancebands101.com - GET /little.der?level=yB7_&basis=aT3fZ&per=&before=BCuRWe5&
  within=U3TJpQllg&other=vWU_a&member=U4NWadt&than=UjPKtbWi091

• 2015-07-07 17:37:11 UTC - unadvertiseschaedliches.resistancebands101.com - GET /space.htc?enemy=DfwRRFS&influence=&give=zp94utB&
  play=xagi_&care=iTEwljPUw&wide=Qj0D&park=cpSHCTzIUB&development=IQVh&what=wQ

 

POST-INFECTION CRYPTOWALL 3.0 & VIEWING THE DECRYPTION INSTRUCTIONS PAGE:

• 2015-07-07 17:36:58 UTC - dworekjulia.pl - GET /
• 2015-07-07 17:37:14 UTC - ip-addr.es - GET /
• 2015-07-07 17:37:15 UTC - twirlygirlphotography.com - POST /wp-includes/ee.php?m=jyq4jl2729
• 2015-07-07 17:37:17 UTC - twirlygirlphotography.com - POST /wp-includes/ee.php?r=d725dwv900qckt
• 2015-07-07 17:37:20 UTC - twirlygirlphotography.com - POST /wp-includes/ee.php?d=282fj3s9crkk
• 2015-07-07 17:37:30 UTC - twirlygirlphotography.com - POST /wp-includes/ee.php?g=mxq18cy3efzp3
• 2015-07-07 17:38:23 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /Uispii
• 2015-07-07 17:38:25 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/style.css
• 2015-07-07 17:38:25 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/flags/us.png
• 2015-07-07 17:38:25 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/flags/it.png
• 2015-07-07 17:38:25 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/flags/fr.png
• 2015-07-07 17:38:25 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/flags/es.png
• 2015-07-07 17:38:25 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/flags/de.png
• 2015-07-07 17:38:26 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /picture.php?k=uispii&67e21a9ef432a70998120b8d620904e7
• 2015-07-07 17:38:26 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/lt.png
• 2015-07-07 17:38:26 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/rt.png
• 2015-07-07 17:38:27 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/lb.png
• 2015-07-07 17:38:27 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/rb.png
• 2015-07-07 17:38:30 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /favicon.ico
• 2015-07-07 17:38:31 UTC - 6i3cb6owitcouepv.paytostopigil.com - POST /Uispii
• 2015-07-07 17:38:33 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/bitcoin.png
• 2015-07-07 17:38:33 UTC - 6i3cb6owitcouepv.paytostopigil.com - GET /img/button_pay.png
• 2015-07-07 17:40:40 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /Uispii
• 2015-07-07 17:40:42 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/style.css
• 2015-07-07 17:40:42 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/flags/us.png
• 2015-07-07 17:40:43 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/flags/it.png
• 2015-07-07 17:40:43 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/flags/fr.png
• 2015-07-07 17:40:43 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/flags/es.png
• 2015-07-07 17:40:43 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/flags/de.png
• 2015-07-07 17:40:43 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /picture.php?k=uispii&9b780473ea2046063e3c908d9096cc48
• 2015-07-07 17:40:44 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/lt.png
• 2015-07-07 17:40:44 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/rt.png
• 2015-07-07 17:40:44 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/lb.png
• 2015-07-07 17:40:44 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/rb.png
• 2015-07-07 17:40:46 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /favicon.ico
• 2015-07-07 17:40:50 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - POST /Uispii
• 2015-07-07 17:40:52 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/bitcoin.png
• 2015-07-07 17:40:52 UTC - 6i3cb6owitcouepv.paytodoublemoney.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of both pcaps:  2015-07-07-Angler-EK-both-pcaps.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.