2015-11-25 - GATE LED TO ANGLER EK - SAME GATE LED TO NEUTRINO EK

ASSOCIATED FILES:

• ZIP archive of the PCAPs:  2015-11-25-traffic.zip   2.1 MB (2,124,228 bytes)
• ZIP archive of the malware:  2015-11-25-malware-and-artifacts.zip   375.6 kB (375,584 bytes)

 

NOTES:

• I found a compromised website that led to Angler EK.  About 20 minutes later, the same website led to Neutrino EK.

 

TRAFFIC

ASSOCIATED DOMAINS:

• 193.37.145.127 port 80 - avant-age.fr - Compromised website
• 185.80.53.18 port 80 - link.guiaste.com.br - Gate

• 158.69.153.136 port 80 - winnow0.truthmeister.com - Angler EK
• 23.46.216.11 port 80 - www.ecb.europa.eu - Connectivity check by the malware
• 95.211.205.229 port 80 - ncqauqvqqhhzpc.com - Bedep-related post-infection traffic
• 208.100.26.234 port 80 - yxcaoakqeovexx.com - Bedep-related post-infection traffic
• 54.186.220.79 port 80 - igpetlkpol9m.com - Bedep-related post-infection traffic
• 195.22.28.196 port 80 - agxtodofrldxwqnek.com - Bedep-related post-infection traffic
• 195.22.28.222 port 80 - sso.anbtr.com - Bedep-related post-infection traffic
• 195.22.28.197 port 80 - xsso.agxtodofrldxwqnek.com - Bedep-related post-infection traffic
• 166.78.145.90 port 80 - rnhbhnlmpvvdt.com - Bedep-related post-infection traffic
• 95.211.205.229 port 80 - ncqauqvqqhhzpc.com - Bedep-related post-infection traffic

• 89.38.149.123 port 80 - zmwcvhzpbb.goppre.eu - Neutrino EK
• 195.22.28.194 port 80 - 195.22.28.194 - Post-infection traffic for Neutrino EK
• 195.22.28.222 port 80 - sso.anbtr.com - Post-infection traffic for Neutrino EK
• 109.234.35.95 port 80 - 109.234.35.95 - Post-infection traffic for Neutrino EK
• 91.229.79.119 port 80 - 91.229.79.119 - Post-infection traffic for Neutrino EK

• NOTE: There were plenty of other domain names in the DNS traffic, and there were also other IP addresses using both UDP and TCP that can be found in the pcaps.

 

TRAFFIC FROM THE FIRST INFECTION (ANGLER EK):

• 2015-11-25 15:30:23 UTC - avant-age.fr - GET /
• 2015-11-25 15:30:25 UTC - link.guiaste.com.br - GET /view.js

• 2015-11-25 15:30:25 UTC - winnow0.truthmeister.com - GET /boards/viewforum.php?f=22281&sid=84.120x82xo9zix519r711

• 2015-11-25 15:30:30 UTC - winnow0.truthmeister.com - GET /amount.btapp?thing=&college=Q0qqQkI1&charge=K3-ta&purpose=&park=2Eub&county=lpqWqR0&
  strength=&must=K7f9AQfld&meeting=mILFo-FhICYcyvx

• 2015-11-25 15:30:30 UTC - winnow0.truthmeister.com - POST /boards/fire.page?problem=s9cQvik&growth=B751&black=&toward=dMF&procedure=SGkaL&
  patient=u1KH&under=&too=blG&law=kWtZXjH&strong=PzW&indeed=aVi5h-foUg&prevent=4K

• 2015-11-25 15:30:33 UTC - winnow0.truthmeister.com - GET /amount.btapp?thing=&college=Q0qqQkI1&charge=K3-ta&purpose=&park=2Eub&county=lpqWqR0&
  strength=&must=K7f9AQfld&meeting=mILFo-FhICYcyvx

• 2015-11-25 15:30:41 UTC - winnow0.truthmeister.com - GET /during.docmhtml?technique=&behind=ShKa&sit=ItrtXOlG&model=WGRZSxvn1N&later=y5lHYtv1pv&
  total=XQ-4&compare=gMb6zc-&set=YrdWA

• 2015-11-25 15:30:46 UTC - winnow0.truthmeister.com - GET /act.xfdl?gun=&another=IKr&watch=AMSt&person=DptFDxUd1&describe=eQzjbSlBgf&away=kWVpdA&
  fire=Aa2vW2&increase=8WllsiDgPa

• 2015-11-25 15:30:46 UTC - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?ccf4216889bee4eaeeef9cc58cdd3595
• 2015-11-25 15:30:48 UTC - ncqauqvqqhhzpc.com - POST /index.php
• 2015-11-25 15:30:49 UTC - yxcaoakqeovexx.com - POST /include/functions_banning.php
• 2015-11-25 15:30:50 UTC - igpetlkpol9m.com - POST /include/functions_filesystemxml.php
• 2015-11-25 15:30:53 UTC - agxtodofrldxwqnek.com - POST /infraction.php
• 2015-11-25 15:30:54 UTC - sso.anbtr.com - GET /domain/agxtodofrldxwqnek.com
• 2015-11-25 15:30:56 UTC - xsso.agxtodofrldxwqnek.com - GET /0c9162280debd38b2b6788dffe1b1e4c
• 2015-11-25 15:30:59 UTC - rnhbhnlmpvvdt.com - POST /attachment.php
• 2015-11-25 15:35:59 UTC - agxtodofrldxwqnek.com - POST /include/functions_digest.php
• 2015-11-25 15:36:00 UTC - ncqauqvqqhhzpc.com - POST /login.php
• 2015-11-25 15:36:09 UTC - igpetlkpol9m.com - POST /include/class_dm_event.php

 

TRAFFIC FROM THE SECOND INFECTION (NEUTRINO EK):

• 2015-11-25 15:50:02 UTC - avant-age.fr - GET /
• 2015-11-25 15:50:05 UTC - link.guiaste.com.br - GET /view.js
• 2015-11-25 15:50:07 UTC - zmwcvhzpbb.goppre.eu - GET /spider/cmRwZmRkdHk
• 2015-11-25 15:50:07 UTC - zmwcvhzpbb.goppre.eu - GET /quarter/1471771/bewilder-splash-variety-background-troll-entertain
• 2015-11-25 15:50:09 UTC - zmwcvhzpbb.goppre.eu - GET /1978/08/12/telephone/rush-surround-spread-issue-drag-saint.html
• 2015-11-25 15:50:13 UTC - zmwcvhzpbb.goppre.eu - GET /1982/05/15/behind/blink-silk-punish-twelve-power-matter-heal-coin.html
• 2015-11-25 15:50:13 UTC - zmwcvhzpbb.goppre.eu - GET /slop/1785734/myth-plain-narrow-more-serious-depth-cigar-human-admire
• 2015-11-25 15:50:18 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 15:50:19 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 15:50:35 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 15:50:36 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 15:50:42 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 15:50:43 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 15:50:49 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 15:50:49 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 15:51:07 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 15:51:08 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 15:51:20 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 15:51:21 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 15:51:37 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 15:51:38 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 15:52:32 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 15:52:33 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 15:55:23 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 15:55:24 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 16:06:02 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 16:06:03 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 16:07:36 UTC - 109.234.35.95 - POST /forum/db.php
• 2015-11-25 16:08:10 UTC - 91.229.79.119 - POST /forum/db.php
• 2015-11-25 16:08:11 UTC - 91.229.79.119 - POST /forum/db.php
• 2015-11-25 16:09:13 UTC - 195.22.28.194 - POST /forum/db.php
• 2015-11-25 16:09:14 UTC - sso.anbtr.com - GET /domain/195.22.28.194
• 2015-11-25 16:11:32 UTC - 109.234.35.95 - POST /forum/db.php
• 2015-11-25 16:32:09 UTC - 109.234.35.95 - POST /forum/db.php

 

IMAGES

Shown above: Traffic from the Angler EK pcap filtered in Wireshark.

 

Shown above: Gate leading from the comrpomised website to the Angler EK landing page.

 

Shown above: Traffic from the Neutrino EK pcap filtered in Wireshark.

 

Shown above: Gate leading from the comrpomised website to the Neutrino EK landing page.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the PCAPs:  2015-11-25-traffic.zip   2.1 MB (2,124,228 bytes)
• ZIP archive of the malware:  2015-11-25-malware-and-artifacts.zip   375.6 kB (375,584 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.