2015-09-15 - ANGLER EK FROM 185.49.68.129 SENDS BEDEP

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-09-15-Angler-EK-sends-bedep-traffic.pcap.zip
• ZIP file of the malware:   2015-09-15-Angler-EK-sends-bedep-artifacts.zip

 

NOTES:

• As usual, I don't have the Angler EK payload for this Bedep/Click-fraud infection; however, I did grab some malware remaining on the infected host:

C:/ProgramData/{9A88E103-A20A-4EA5-8636-C73B709A5BF8}/winbio.dll

 

TRAFFIC

ASSOCIATED DOMAINS:

• www.annaharrison.com - Compromised website
• 178.32.95.158 port 80 - use.deancor.com.ar - Redirect (gtae)
• 185.49.68.129 port 80 - reichspaprivatisaient.reducedproducts.com - Angler EK
• www.ecb.europa.eu - Post-infection connectivity check by the malware
• 83.149.127.9 port 80 - xieqbzjdpuaq.com - Bedep callback
• 37.48.110.162 port 80 - nlx3n4goj92.com - Ad fraud (click-fraud) traffic
• 95.211.156.140 port 80 - hc105acizl5.com - Ad fraud (click-fraud) traffic
• 95.211.189.119 port 80 - heii7gpjbu.com - Ad fraud (click-fraud) traffic
• 95.211.189.118 port 80 - prtakz9kyxiq.com - Ad fraud (click-fraud) traffic

 

COMPROMISED WEBSITE AND REDIRECT:

• 2015-09-15 18:15:50 UTC - www.annaharrison.com - GET /
• 2015-09-15 18:15:52 UTC - use.deancor.com.ar - GET /view.js

 

ANGLER EK:

• 2015-09-15 18:16:02 UTC - reichspaprivatisaient.reducedproducts.com - GET /civis/viewforum.php?f=1419c&sid=qu103j0i8.11382

• 2015-09-15 18:16:05 UTC - reichspaprivatisaient.reducedproducts.com - GET /small.zhtml?whole=SvZLQ¢ury=&quality=PCIUf&
  artist=PV6xIiw&military=3D_¬hing=M7b9YgDoPW&county=DO4eMYnMxxZvi8mvl2

• 2015-09-15 18:16:06 UTC - reichspaprivatisaient.reducedproducts.com - POST /civis/husband.mhtml?interest=6eg&leg=dtm0j7m&
  woman=Qy5&might=&river=wSCp-6q&issue=&bar=xjD7T9g&study=ElaJJx5¢ury=&street=Cwtq7q0Vgc_Pxq

• 2015-09-15 18:16:06 UTC - reichspaprivatisaient.reducedproducts.com - GET /small.zhtml?whole=SvZLQ¢ury=&quality=PCIUf&
  artist=PV6xIiw&military=3D_¬hing=M7b9YgDoPW&county=DO4eMYnMxxZvi8mvl2

• 2015-09-15 18:16:09 UTC - reichspaprivatisaient.reducedproducts.com - GET /permit.woa?gun=&local=ANSoRfS0y&send=&war=QErqaftC&
  farm=&Christian=arJ&around=&south=eGH&build=25Q3&importance=&wife=4sfM1xX&ten=WKPY4YaivE-lce

• 2015-09-15 18:16:18 UTC - reichspaprivatisaient.reducedproducts.com - GET /price.hdml?labor=HMmwQU&single=&herself=qC55IduDT&
  necessary=69CFb&demand=&own=-49rXxtNEE&direct=ZEc&increase=-afW_tQjLI&fiscal=dxHh&earth=M

 

POST-INFECTION TRAFFIC :

• 2015-09-15 18:16:16 UTC - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?8be6592a83700245effe945106a9a1e0
• 2015-09-15 18:16:18 UTC - xieqbzjdpuaq.com - POST /blog.php
• 2015-09-15 18:16:20 UTC - xieqbzjdpuaq.com - POST /newthread.php
• 2015-09-15 18:16:43 UTC - xieqbzjdpuaq.com - POST /newreply.php
• 2015-09-15 18:18:10 UTC - xieqbzjdpuaq.com - POST /blog.php
• 2015-09-15 18:18:10 UTC - xieqbzjdpuaq.com - POST /poll.php
• 2015-09-15 18:18:10 UTC - xieqbzjdpuaq.com - POST /blog.php
• 2015-09-15 18:18:11 UTC - xieqbzjdpuaq.com - POST /include/class_ajax_output.php
• 2015-09-15 18:18:12 UTC - xieqbzjdpuaq.com - POST /converse.php
• 2015-09-15 18:19:11 UTC - nlx3n4goj92.com - GET /ads.php?sid=1917
• 2015-09-15 18:19:11 UTC - hc105acizl5.com - GET /ads.php?sid=1917
• 2015-09-15 18:19:11 UTC - heii7gpjbu.com - GET /ads.php?sid=1917
• 2015-09-15 18:19:11 UTC - prtakz9kyxiq.com - GET /ads.php?sid=1917
• 2015-09-15 18:19:23 UTC - hc105acizl5.com - GET /ads.php?sid=1917
• 2015-09-15 18:19:24 UTC - nlx3n4goj92.com - GET /ads.php?sid=1917
• 2015-09-15 18:19:24 UTC - prtakz9kyxiq.com - GET /ads.php?sid=1917
• 2015-09-15 18:19:27 UTC - heii7gpjbu.com - GET /ads.php?sid=1917
• 2015-09-15 18:19:28 UTC - heii7gpjbu.com - GET /r.php?s=cc70051c5d98173132aa30f1e3043ab0
• 2015-09-15 18:19:28 UTC - prtakz9kyxiq.com - GET /r.php?s=8d9dac889bd4624098193013f7394d17

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-09-15-Angler-EK-sends-bedep-traffic.pcap.zip
• ZIP file of the malware:   2015-09-15-Angler-EK-sends-bedep-artifacts.zip

NOTE:  All zip archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.