Malware-Traffic-Analysis.net - 2015-09-15 - Angler EK from 185.49.68[.]129 sends Bedep

2015-09-15 - ANGLER EK FROM 185.49.68[.]129 SENDS BEDEP

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSSOCIATED FILES:

NOTES:

As usual, I don't have the Angler EK payload for this Bedep/Click-fraud infection; however, I did grab some malware remaining on the infected host:

C:/ProgramData/{9A88E103-A20A-4EA5-8636-C73B709A5BF8}/winbio.dll

ASSOCIATED DOMAINS:

www.annaharrison[.]com - Compromised website
178.32.95[.]158 port 80 - use.deancor[.]com[.]ar - Redirect (gtae)
185.49.68[.]129 port 80 - reichspaprivatisaient.reducedproducts[.]com - Angler EK
www.ecb.europa[.]eu - Post-infection connectivity check by the malware
83.149.127[.]9 port 80 - xieqbzjdpuaq[.]com - Bedep callback
37.48.110[.]162 port 80 - nlx3n4goj92[.]com - Ad fraud (click-fraud) traffic
95.211.156[.]140 port 80 - hc105acizl5[.]com - Ad fraud (click-fraud) traffic
95.211.189[.]119 port 80 - heii7gpjbu[.]com - Ad fraud (click-fraud) traffic
95.211.189[.]118 port 80 - prtakz9kyxiq[.]com - Ad fraud (click-fraud) traffic

COMPROMISED WEBSITE AND REDIRECT:

ANGLER EK:

2015-09-15 18:16:02 UTC - reichspaprivatisaient.reducedproducts[.]com - GET /civis/viewforum.php?f=1419c&sid=qu103j0i8.11382

2015-09-15 18:16:05 UTC - reichspaprivatisaient.reducedproducts[.]com - GET /small.zhtml?whole=SvZLQ¢ury=&quality=PCIUf&
artist=PV6xIiw&military=3D_¬hing=M7b9YgDoPW&county=DO4eMYnMxxZvi8mvl2

2015-09-15 18:16:06 UTC - reichspaprivatisaient.reducedproducts[.]com - POST /civis/husband.mhtml?interest=6eg&leg=dtm0j7m&
woman=Qy5&might=&river=wSCp-6q&issue=&bar=xjD7T9g&study=ElaJJx5¢ury=&street=Cwtq7q0Vgc_Pxq

2015-09-15 18:16:06 UTC - reichspaprivatisaient.reducedproducts[.]com - GET /small.zhtml?whole=SvZLQ¢ury=&quality=PCIUf&
artist=PV6xIiw&military=3D_¬hing=M7b9YgDoPW&county=DO4eMYnMxxZvi8mvl2

2015-09-15 18:16:09 UTC - reichspaprivatisaient.reducedproducts[.]com - GET /permit.woa?gun=&local=ANSoRfS0y&send=&war=QErqaftC&
farm=&Christian=arJ&around=&south=eGH&build=25Q3&importance=&wife=4sfM1xX&ten=WKPY4YaivE-lce

2015-09-15 18:16:18 UTC - reichspaprivatisaient.reducedproducts[.]com - GET /price.hdml?labor=HMmwQU&single=&herself=qC55IduDT&
necessary=69CFb&demand=&own=-49rXxtNEE&direct=ZEc&increase=-afW_tQjLI&fiscal=dxHh&earth=M

POST-INFECTION TRAFFIC :

2015-09-15 18:16:16 UTC - www.ecb.europa[.]eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?8be6592a83700245effe945106a9a1e0
2015-09-15 18:16:18 UTC - xieqbzjdpuaq[.]com - POST /blog.php
2015-09-15 18:16:20 UTC - xieqbzjdpuaq[.]com - POST /newthread.php
2015-09-15 18:16:43 UTC - xieqbzjdpuaq[.]com - POST /newreply.php
2015-09-15 18:18:10 UTC - xieqbzjdpuaq[.]com - POST /blog.php
2015-09-15 18:18:10 UTC - xieqbzjdpuaq[.]com - POST /poll.php
2015-09-15 18:18:10 UTC - xieqbzjdpuaq[.]com - POST /blog.php
2015-09-15 18:18:11 UTC - xieqbzjdpuaq[.]com - POST /include/class_ajax_output.php
2015-09-15 18:18:12 UTC - xieqbzjdpuaq[.]com - POST /converse.php
2015-09-15 18:19:11 UTC - nlx3n4goj92[.]com - GET /ads.php?sid=1917
2015-09-15 18:19:11 UTC - hc105acizl5[.]com - GET /ads.php?sid=1917
2015-09-15 18:19:11 UTC - heii7gpjbu[.]com - GET /ads.php?sid=1917
2015-09-15 18:19:11 UTC - prtakz9kyxiq[.]com - GET /ads.php?sid=1917
2015-09-15 18:19:23 UTC - hc105acizl5[.]com - GET /ads.php?sid=1917
2015-09-15 18:19:24 UTC - nlx3n4goj92[.]com - GET /ads.php?sid=1917
2015-09-15 18:19:24 UTC - prtakz9kyxiq[.]com - GET /ads.php?sid=1917
2015-09-15 18:19:27 UTC - heii7gpjbu[.]com - GET /ads.php?sid=1917
2015-09-15 18:19:28 UTC - heii7gpjbu[.]com - GET /r.php?s=cc70051c5d98173132aa30f1e3043ab0
2015-09-15 18:19:28 UTC - prtakz9kyxiq[.]com - GET /r.php?s=8d9dac889bd4624098193013f7394d17

Click here to return to the main page.