2015-07-14 - ANGLER EK - TWO EXAMPLES - BEDEP & CRYPTOWALL 3.0

PCAP AND MALWARE:

• Zip archive of the pcap(s):  2015-07-14-Angler-EK-pcaps.zip
• ZIP of the malware:  2015-07-14-Angler-EK-malware-and-artifacts.zip

 

NOTES:

• Didn't get Angler EK's payload for the Bedep infection, just post-infection malware noted at:  C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\certmgr.dll
• Bitcoin address for the CryptoWall 3.0 sample was: 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU (same one I've documented since 2015-07-09).

• Special thanks to @teoseller for letting me know about the compromised web sites!

 

TRAFFIC - EXAMPLE 1 OF 2 (BEDEP)

ASSOCIATED DOMAINS:

• www.elianamonti.it - Compromised website
• 178.33.200.140 port 80 - uta.dptalchascomus.com.ar - Redirect
• 185.48.58.52 port 80 - kudasignonperpe.gozimbee.us - Angler EK
• 95.211.230.75 port 80 - ainppnucugojxibw.com - Bedep-related post-infection traffic
• 162.244.33.101 port 80 - fllbztxgacot.com - Bedep-related post-infection traffic
• 95.211.202.33 port 80 - stromo3147.com - Click-fraud traffic begins
• 31.148.220.95 port 80 - s9ysbwd161wd.com - Click-fraud traffic begins
• 95.211.189.99 port 80 - euzcd5l6l516.com - Click-fraud traffic begins
• 162.244.34.39 port 80 - sct9uvhxwug.com - Click-fraud traffic begins

 

TRAFFIC:

• 2015-07-14 17:58:45 UTC - www.elianamonti.it - GET /
• 2015-07-14 17:58:46 UTC - uta.dptalchascomus.com.ar - GET /widget.js

• 2015-07-14 17:58:50 UTC - kudasignonperpe.gozimbee.us - GET /monogram/viewtopic.php?f=60868983&t=89

• 2015-07-14 17:58:52 UTC - kudasignonperpe.gozimbee.us - GET /meet.hyperesources?forget=&might=D4pot_3ubT&add=&small=3Es&name=8YFweMi8&little=WDyAy&
  figure=JS8CR&public=u3nY&deal=zydoHzUe&back=HycQM

• 2015-07-14 17:58:52 UTC - kudasignonperpe.gozimbee.us - GET /monogram/force.asax?economic=iOf&officer=kjP4Hm35HD&though=&far=V_Sdj&test=&
  permit=vX8AkYzXF&street=bn-nrI3ya&amount=8GIb-gqeX&dog=vCX

• 2015-07-14 17:58:59 UTC - kudasignonperpe.gozimbee.us - GET /smile.sht?care=vYe5HD&development=&recently=nymu4CW&list=&west=ZQfV6&a=DfNiJHuI9d&
  as=BUd_Y&cut=rA7sfkPQ2&back=&mark=ewIX5-

• 2015-07-14 17:59:07 UTC - www.earthtools.org - GET /timezone-1.1/76.57466/-61.23022
• 2015-07-14 17:59:08 UTC - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?a146f2dd29f49a92697d559e25e9095c
• 2015-07-14 17:59:15 UTC - ainppnucugojxibw.com - POST /blog.php
• 2015-07-14 17:59:18 UTC - fllbztxgacot.com - POST /include/functions_file.php
• 2015-07-14 17:59:20 UTC - fllbztxgacot.com - POST /list.php
• 2015-07-14 17:59:43 UTC - fllbztxgacot.com - POST /include/functions_databuild.php
• 2015-07-14 18:01:01 UTC - fllbztxgacot.com - POST /forum.php
• 2015-07-14 18:01:06 UTC - fllbztxgacot.com - POST /include/class_database_explain.php
• 2015-07-14 18:02:02 UTC - stromo3147.com - GET /ads.php?sid=1917
• 2015-07-14 18:02:02 UTC - s9ysbwd161wd.com - GET /ads.php?sid=1917
• 2015-07-14 18:02:02 UTC - euzcd5l6l516.com - GET /ads.php?sid=1917
• 2015-07-14 18:02:03 UTC - sct9uvhxwug.com - GET /ads.php?sid=1917

 

TRAFFIC - EXAMPLE 2 OF 2 (CRYPTOWALL 3.0)

ASSOCIATED DOMAINS:

• www.laclinique.it - Compromised website
• 94.131.14.34 port 80 - 0stall.zimbee.co - Angler EK
• 212.59.247.56 port 80 - masanta.pl - CryptoWall 3.0 post-infection traffic
• 212.59.244.5 port 80 - monki.info.pl - CryptoWall 3.0 post-infection traffic
• 89.40.32.180 port 80 - leooptic.ro - CryptoWall 3.0 post-infection traffic
• 64.90.49.124 port 80 - michaelserwa.com - CryptoWall 3.0 post-infection traffic
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.mywa2pay.com - Viewing the decrypt instructions
• 95.163.121.228 port 80 - 6i3cb6owitcouepv.micropaysearch.com - Viewing the decrypt instructions
• 6i3cb6owitcouepv.light2mind.com - Domain for decrypt instructions that didn't resolve
• 6i3cb6owitcouepv.rightslavebb.com - Domain for decrypt instructions that didn't resolve

 

TRAFFIC:

• 2015-07-14 18:31:04 UTC - www.laclinique.it - GET /

• 2015-07-14 18:31:09 UTC - 0stall.zimbee.co - GET /drawbacks/viewtopic.php?f=1473&t=860380

• 2015-07-14 18:31:12 UTC - 0stall.zimbee.co - GET /soon.ppthtml?accept=&half=DATsCI&mother=0FW5jN&dog=a6WZ8T7pV&possible=oUBri&might=p74a&
  effective=-5F&facility=uI-yke-km&discussion=rFmlvy

• 2015-07-14 18:31:17 UTC - 0stall.zimbee.co - GET /girl.rhtml?hour=jGlhojat&five=RjReo&director=0MDPMfHuem&almost=&stand=uT3QdWuQh&wish=J677PpV&
  on=&problem=bVePQf&department=D5w

• 2015-07-14 18:31:19 UTC - 0stall.zimbee.co - GET /drawbacks/form.btapp?if=1TF&break=&sort=hcLgK8Z&than=2TCa2osEMu&especially=
  n2aB9T9Xg0LegkLe4298VxN-V1S6

• 2015-07-14 18:31:21 UTC - ip-addr.es - GET /
• 2015-07-14 18:31:22 UTC - masanta.pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/default/img/d.php?e=nh0fdx3foek97y
• 2015-07-14 18:31:28 UTC - monki.info.pl - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/e.php?v=nh0fdx3foek97y
• 2015-07-14 18:31:31 UTC - leooptic.ro - POST /wp-content/themes/twentytwelve/c.php?j=nh0fdx3foek97y
• 2015-07-14 18:31:31 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?f=nh0fdx3foek97y
• 2015-07-14 18:31:35 UTC - masanta.pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/default/img/d.php?b=t3wfcqwien
• 2015-07-14 18:31:36 UTC - monki.info.pl - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/e.php?l=t3wfcqwien
• 2015-07-14 18:31:37 UTC - leooptic.ro - POST /wp-content/themes/twentytwelve/c.php?g=t3wfcqwien
• 2015-07-14 18:31:39 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?w=t3wfcqwien
• 2015-07-14 18:31:42 UTC - masanta.pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/default/img/d.php?o=qfr24a84kkz99k
• 2015-07-14 18:31:43 UTC - monki.info.pl - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/e.php?b=qfr24a84kkz99k
• 2015-07-14 18:31:44 UTC - leooptic.ro - POST /wp-content/themes/twentytwelve/c.php?w=qfr24a84kkz99k
• 2015-07-14 18:32:15 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?d=qfr24a84kkz99k
• 2015-07-14 18:32:39 UTC - masanta.pl - POST /wp-content/plugins/newsletter/tiny_mce/themes/advanced/skins/default/img/d.php?q=6n4zd2y91jztm
• 2015-07-14 18:32:40 UTC - monki.info.pl - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/e.php?o=6n4zd2y91jztm
• 2015-07-14 18:32:41 UTC - leooptic.ro - POST /wp-content/themes/twentytwelve/c.php?t=6n4zd2y91jztm
• 2015-07-14 18:32:43 UTC - michaelserwa.com - POST /wp-content/plugins/wp-db-backup-made/a.php?y=6n4zd2y91jztm
• 2015-07-14 18:33:15 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /-------
• 2015-07-14 18:33:17 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/style.css
• 2015-07-14 18:33:18 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/us.png
• 2015-07-14 18:33:18 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/it.png
• 2015-07-14 18:33:19 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/de.png
• 2015-07-14 18:33:19 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/es.png
• 2015-07-14 18:33:19 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /picture.php?k=1nswsiv&996472cec89f2f744419f4f2e8f2a029
• 2015-07-14 18:33:19 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lt.png
• 2015-07-14 18:33:20 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/flags/fr.png
• 2015-07-14 18:33:20 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rt.png
• 2015-07-14 18:33:20 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/lb.png
• 2015-07-14 18:33:20 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/rb.png
• 2015-07-14 18:33:22 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /favicon.ico
• 2015-07-14 18:33:26 UTC - 6i3cb6owitcouepv.mywa2pay.com - POST /-------
• 2015-07-14 18:33:31 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/bitcoin.png
• 2015-07-14 18:33:31 UTC - 6i3cb6owitcouepv.mywa2pay.com - GET /img/button_pay.png
• 2015-07-14 18:33:56 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /-------
• 2015-07-14 18:33:57 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/style.css
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/us.png
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /picture.php?k=1nswsiv&26c42444c398191f40dd9036dde07e2a
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/it.png
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/es.png
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/de.png
• 2015-07-14 18:33:59 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lt.png
• 2015-07-14 18:34:01 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/flags/fr.png
• 2015-07-14 18:34:01 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rt.png
• 2015-07-14 18:34:01 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/lb.png
• 2015-07-14 18:34:01 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/rb.png
• 2015-07-14 18:34:03 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /favicon.ico
• 2015-07-14 18:34:06 UTC - 6i3cb6owitcouepv.micropaysearch.com - POST /-------
• 2015-07-14 18:34:08 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/bitcoin.png
• 2015-07-14 18:34:08 UTC - 6i3cb6owitcouepv.micropaysearch.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap(s):  2015-07-14-Angler-EK-pcaps.zip
• ZIP of the malware:  2015-07-14-Angler-EK-malware-and-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.