Malware-Traffic-Analysis.net - 2015-07-17 - Angler EK from 69.162.90.107 sends Bedep

2015-07-16 - ANGLER EK FROM 69.162.90.107 SENDS BEDEP

PCAPS AND MALWARE:

NOTES:

Tried generating some Angler EK traffic to get one of the recent Flash exploits targeting 18.0.0.203 from the Hacking Team compromise.
My setup running IE 11 and Flash player 18.0.0.203 got infected with a Bedep payload, but it crashed before it could be fully infected.
At least, I got the Flash exploit, even if I couldn't decrypt the payload.
I had to infected a host running older versions of IE and Flash to get the full post-infection Bedep and click-fraud traffic.

ASSOCIATED DOMAINS:

178.33.200.140 port 80 - uta.dptalchascomus.com.ar - Redirect/gate pointing to Angler EK
69.162.90.107 port 80 - djordjevicandriush.rentbuysellhobbs.com - Angler EK
162.244.33.101 port 80 - jrxjnpqpvutvi5.com - Bedep-related post-infection traffic
95.211.202.33 port 80 - stromo3147.com - Click-fraud traffic starts
95.211.189.99 port 80 - euzcd5l6l516.com - Click-fraud traffic starts
31.148.220.95 port 80 - s9ysbwd161wd.com - Click-fraud traffic starts
162.244.34.39 port 80 - sct9uvhxwug.com - Click-fraud traffic starts

TRAFFIC (FIRST RUN WITH IE 11 AND FLASH 18.0.0.203):

2015-07-17 15:23:45 UTC - djordjevicandriush.rentbuysellhobbs.com - GET /eels/viewtopic.php?f=751&q=&t=1998567

2015-07-17 15:23:50 UTC - djordjevicandriush.rentbuysellhobbs.com - GET /feel.wdgt?minute=zfpI&picture=egX&girl=cZoHA7P&street=mV0jE15q&
after=SWbKfj&front=vRBc41B&live=fVGj0n4piS3z-

2015-07-17 15:23:54 UTC - djordjevicandriush.rentbuysellhobbs.com - GET /form.asax?individual=&six=NWTj&effect=&love=0M4&second=&chance=Pld&
relation=uYM&among=VSP49l8t9&lie=nlAYL&before=UDb9ah&something=qRN9K0Wycb&plant=b03xZ

TRAFFIC (SECOND RUN WITH IE 8):

2015-07-17 15:32:02 UTC - djordjevicandriush.rentbuysellhobbs.com - GET /colas/viewforum.php?f=0986&sid=165446

2015-07-17 15:32:06 UTC - djordjevicandriush.rentbuysellhobbs.com - GET /small.vrml?important=WQP&shall=&next=btrgzBgA&personal=&three=0jrzL&
together=xFvi_8DwOP&cause=gcesQq-8&marriage=-cNhH&food=4ja4XwawC

2015-07-17 15:32:09 UTC - djordjevicandriush.rentbuysellhobbs.com - GET /including.wgp?hard=Qeih&available=lcLCC&out=&state=klQQqfgjad&under=&
course=8qFmWyI&system=8m64U&on=HB8mbAk&evidence=bYjPhmri0b

2015-07-17 15:32:19 UTC - djordjevicandriush.rentbuysellhobbs.com - GET /colas/instance.a4p?respect=u4zm&anyone=fbl5J2TeYK&serve=&
evidence=VIWV--QCOD&most=&hair=ueEQiu&feel=&bill=KpA7&generally=xpLBKR9RoPEDzG

2015-07-17 15:32:19 UTC - www.earthtools.org - GET /timezone-1.1/74.31528/49.92506
2015-07-17 15:32:20 UTC - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?e9a76738a9a8337b0e0ff2ecafb064cf
2015-07-17 15:32:25 UTC - jrxjnpqpvutvi5.com - POST /forum.php
2015-07-17 15:32:28 UTC - jrxjnpqpvutvi5.com - POST /include/class_ajax_output.php
2015-07-17 15:32:51 UTC - jrxjnpqpvutvi5.com - POST /register.php
2015-07-17 15:34:12 UTC - jrxjnpqpvutvi5.com - POST /index.php
2015-07-17 15:34:15 UTC - jrxjnpqpvutvi5.com - POST /album.php
2015-07-17 15:35:09 UTC - stromo3147.com - GET /ads.php?sid=1917
2015-07-17 15:35:10 UTC - euzcd5l6l516.com - GET /ads.php?sid=1917
2015-07-17 15:35:10 UTC - s9ysbwd161wd.com - GET /ads.php?sid=1917
2015-07-17 15:35:10 UTC - sct9uvhxwug.com - GET /ads.php?sid=1917
2015-07-17 15:35:18 UTC - stromo3147.com - GET /ads.php?sid=1917
2015-07-17 15:35:20 UTC - s9ysbwd161wd.com - GET /ads.php?sid=1917
2015-07-17 15:35:23 UTC - sct9uvhxwug.com - GET /ads.php?sid=1917

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.