2015-07-09 - ANGLER EK - 2 EXAMPLES (CRYPTOWALL 3.0 AND BEDEP)

PCAP AND MALWARE:

• ZIP of the traffic:  2015-07-09-Angler-EK-both-pcaps.zip
• PCAP of the traffic - second example:  2015-07-09-Angler-EK-sends-Bedep.pcap
• ZIP of the malware (both examples):  2015-07-09-Angler-EK-malware.zip

 

NOTES:

• Bitcoin address for the CryptoWall 3.0 sample was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same as yesterday).

 

CHAIN OF EVENTS - FIRST EXAMPLE

ASSOCIATED DOMAINS:

• 88.198.54.212 port 80 - cansinaceremonieel.firstchoicehealthcaresolutions.com - Angler EK
• 50.62.69.1 port 80 - avalonmakeupartists.com - CryptoWall 3.0 checkin

 

ANGLER EK:

• 2015-07-09 12:48:30 UTC - cansinaceremonieel.firstchoicehealthcaresolutions.com - GET /viewtopic.php?f=29&t=13623654

• 2015-07-09 12:48:33 UTC - cansinaceremonieel.firstchoicehealthcaresolutions.com - GET /draw.phtml?English=&never=by4gHhH&company=Z8poT&Christian=&
  French=3WIgOhd&society=&gas=dPHfd5AWD&enough=mrbXORE6CJtuiJ8m0oIn

• 2015-07-09 12:48:36 UTC - cansinaceremonieel.firstchoicehealthcaresolutions.com - GET /hit.sites2?common=&throw=Ji_0ev5&affair=OMz&season=RqigbGL&
  difference=r3AyErhI&who=ER-4zze6Q&dead=cTMVCOb&process=eSI1zxL

• 2015-07-09 12:48:38 UTC - cansinaceremonieel.firstchoicehealthcaresolutions.com - GET /marriage.rjs?as=&what=sxDqfnp&relate=06PrSf-&attention=sPIwlhSH&
  why=6uMp&day=zLFl&food=eUXKKf9xA&difficulty=3_Ye&up=9MkA8

 

CRYPTOWALL 3.0 POST-INFECTION TRAFFIC:

• 2015-07-09 12:48:42 UTC - ip-addr.es - GET /
• 2015-07-09 12:48:43 UTC - avalonmakeupartists.com - POST /wp-content/plugins/bb.php?y=n8tjfocklrbfg
• 2015-07-09 12:48:47 UTC - avalonmakeupartists.com - POST /wp-content/plugins/bb.php?w=97dhgdtdgq
• 2015-07-09 12:48:50 UTC - avalonmakeupartists.com - POST /wp-content/plugins/bb.php?q=mqqjmgijbhd3jjl
• 2015-07-09 12:49:30 UTC - avalonmakeupartists.com - POST /wp-content/plugins/bb.php?f=7fgxr1808k4z

 

CHAIN OF EVENTS - SECOND EXAMPLE

ASSOCIATED DOMAINS:

• 178.33.200.140 port 80 - out.ipsyc.com.ar - Malicious javascript pointing to Angler EK
• 176.9.245.139 port 80 - ronbun.5540owensmouth213.com - Angler EK
• 95.211.230.75 port 80 - ainppnucugojxibw.com - Bedep-related post-infection traffic
• 162.244.33.104 port 80 - vzzekdzpvwoosbv0d.com - Bedep-related post-infection traffic
• 95.211.202.33 port 80 - t3kkyhb6wi.com - Click-fraud traffic domain
• 31.148.220.95 port 80 - fvvj24s57af4.com - Click-fraud traffic domain
• 162.244.34.39 port 80 - ndpxyhnh59b.com - Click-fraud traffic domain
• 95.211.189.99 port 80 - wv5mcgy37hv4.com - Click-fraud traffic domain
• 46.45.137.77 port 80 - y643sj32dk.com - Click-fraud traffic domain

 

GATE TO ANGLER EK:

• 2015-07-09 13:46:44 UTC - out.ipsyc.com.ar - GET /js/script.js

 

ANGLER EK:

• 2015-07-09 13:46:50 UTC - ronbun.5540owensmouth213.com - GET /viewtopic.php?f=78&t=12128321

• 2015-07-09 13:46:52 UTC - ronbun.5540owensmouth213.com - GET /amount.olp?study=OE5KXkr&marry=&strength=UhVy96a6&
  know=Jx9b2qMnLyR8mTcEo1nQS-42Okru8XOvV

• 2015-07-09 13:46:59 UTC - ronbun.5540owensmouth213.com - GET /yes.wgp?final=V4ylhdAm11&son=z1EBF&many=q2R1Y1&figure=KTT3KQt8Z&
  dead=-xe1IxFy6&length=4pXEiTA_&different=7

• 2015-07-09 13:47:01 UTC - ronbun.5540owensmouth213.com - GET /far.cshtml?family=H1R&corner=bj-&cause=&there=eMU7FI&state=&cost=yPo_ae&
  action=D-KaTaEgxa&England=&study=-cp3d0rwmc&close=745SEvWjeh

 

BEDEP-RELATED POST-INFECTION TRAFFIC:

• 2015-07-09 13:47:06 UTC - www.earthtools.org - GET /timezone-1.1/-24.62078/15.58492
• 2015-07-09 13:47:06 UTC - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?44241dc789e08a918a4415d2a1250d5f
• 2015-07-09 13:47:08 UTC - ainppnucugojxibw.com - POST /album.php
• 2015-07-09 13:47:08 UTC - vzzekdzpvwoosbv0d.com - POST /misc.php
• 2015-07-09 13:47:11 UTC - vzzekdzpvwoosbv0d.com - POST /forumdisplay.php
• 2015-07-09 13:47:34 UTC - vzzekdzpvwoosbv0d.com - POST /content.php
• 2015-07-09 13:48:56 UTC - vzzekdzpvwoosbv0d.com - POST /index.php
• 2015-07-09 13:48:58 UTC - vzzekdzpvwoosbv0d.com - POST /newthread.php
• 2015-07-09 13:50:06 UTC - t3kkyhb6wi.com - GET /ads.php?sid=1917
• 2015-07-09 13:50:06 UTC - fvvj24s57af4.com - GET /ads.php?sid=1917
• 2015-07-09 13:50:06 UTC - ndpxyhnh59b.com - GET /ads.php?sid=1917
• 2015-07-09 13:50:06 UTC - wv5mcgy37hv4.com - GET /ads.php?sid=1917
• 2015-07-09 13:50:06 UTC - y643sj32dk.com - GET /ads.php?sid=1917

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the traffic:  2015-07-09-Angler-EK-both-pcaps.zip
• ZIP of the malware (both examples):  2015-07-09-Angler-EK-malware.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.