2015-11-25 - GATE LED TO ANGLER EK AND LATER LED TO NEUTRINO EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSSOCIATED FILES:

• 2015-11-25-Angler-EK-and-Neutrino-EK-traffic.zip   2.1 MB (2,124,626 bytes)
• 2015-11-25-Angler-EK-and-Neutrino-EK-malware-and-artifacts.zip   376.4 kB (376,420 bytes)

 

NOTES:

• I found a compromised website that led to Angler EK.  About 20 minutes later, the same website led to Neutrino EK.

 

TRAFFIC

ASSOCIATED DOMAINS:

• 193.37.145[.]127 port 80 - avant-age[.]fr - Compromised website
• 185.80.53[.]18 port 80 - link.guiaste[.]com[.]br - Gate

• 158.69.153[.]136 port 80 - winnow0.truthmeister[.]com - Angler EK
• port 80 - www.ecb.europa[.]eu - Connectivity check by the malware
• 95.211.205[.]229 port 80 - ncqauqvqqhhzpc[.]com - Bedep-related post-infection traffic
• 208.100.26[.]234 port 80 - yxcaoakqeovexx[.]com - Bedep-related post-infection traffic
• 54.186.220[.]79 port 80 - igpetlkpol9m[.]com - Bedep-related post-infection traffic
• 195.22.28[.]196 port 80 - agxtodofrldxwqnek[.]com - Bedep-related post-infection traffic
• 195.22.28[.]222 port 80 - sso.anbtr[.]com - Bedep-related post-infection traffic
• 195.22.28[.]197 port 80 - xsso.agxtodofrldxwqnek[.]com - Bedep-related post-infection traffic
• 166.78.145[.]90 port 80 - rnhbhnlmpvvdt[.]com - Bedep-related post-infection traffic
• 95.211.205[.]229 port 80 - ncqauqvqqhhzpc[.]com - Bedep-related post-infection traffic

• 89.38.149[.]123 port 80 - zmwcvhzpbb.goppre[.]eu - Neutrino EK
• 195.22.28[.]194 port 80 - 195.22.28[.]194 - Post-infection traffic for Neutrino EK
• 195.22.28[.]222 port 80 - sso.anbtr[.]com - Post-infection traffic for Neutrino EK
• 109.234.35[.]95 port 80 - 109.234.35[.]95 - Post-infection traffic for Neutrino EK
• 91.229.79[.]119 port 80 - 91.229.79[.]119 - Post-infection traffic for Neutrino EK

• NOTE: There were plenty of other domain names in the DNS traffic, and there were also other IP addresses using both UDP and TCP that can be found in the pcaps.

 

TRAFFIC FROM THE FIRST INFECTION (ANGLER EK):

• 2015-11-25 15:30:23 UTC - avant-age[.]fr - GET /
• 2015-11-25 15:30:25 UTC - link.guiaste[.]com[.]br - GET /view.js

• 2015-11-25 15:30:25 UTC - winnow0.truthmeister[.]com - GET /boards/viewforum.php?f=22281&sid=84.120x82xo9zix519r711

• 2015-11-25 15:30:30 UTC - winnow0.truthmeister[.]com - GET /amount.btapp?thing=&college=Q0qqQkI1&charge=K3-ta&purpose=&park=2Eub&county=lpqWqR0&
  strength=&must=K7f9AQfld&meeting=mILFo-FhICYcyvx

• 2015-11-25 15:30:30 UTC - winnow0.truthmeister[.]com - POST /boards/fire.page?problem=s9cQvik&growth=B751&black=&toward=dMF&procedure=SGkaL&
  patient=u1KH&under=&too=blG&law=kWtZXjH&strong=PzW&indeed=aVi5h-foUg&prevent=4K

• 2015-11-25 15:30:33 UTC - winnow0.truthmeister[.]com - GET /amount.btapp?thing=&college=Q0qqQkI1&charge=K3-ta&purpose=&park=2Eub&county=lpqWqR0&
  strength=&must=K7f9AQfld&meeting=mILFo-FhICYcyvx

• 2015-11-25 15:30:41 UTC - winnow0.truthmeister[.]com - GET /during.docmhtml?technique=&behind=ShKa&sit=ItrtXOlG&model=WGRZSxvn1N&later=y5lHYtv1pv&
  total=XQ-4&compare=gMb6zc-&set=YrdWA

• 2015-11-25 15:30:46 UTC - winnow0.truthmeister[.]com - GET /act.xfdl?gun=&another=IKr&watch=AMSt&person=DptFDxUd1&describe=eQzjbSlBgf&away=kWVpdA&
  fire=Aa2vW2&increase=8WllsiDgPa

• 2015-11-25 15:30:46 UTC - www.ecb.europa[.]eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?ccf4216889bee4eaeeef9cc58cdd3595
• 2015-11-25 15:30:48 UTC - ncqauqvqqhhzpc[.]com - POST /index.php
• 2015-11-25 15:30:49 UTC - yxcaoakqeovexx[.]com - POST /include/functions_banning.php
• 2015-11-25 15:30:50 UTC - igpetlkpol9m[.]com - POST /include/functions_filesystemxml.php
• 2015-11-25 15:30:53 UTC - agxtodofrldxwqnek[.]com - POST /infraction.php
• 2015-11-25 15:30:54 UTC - sso.anbtr[.]com - GET /domain/agxtodofrldxwqnek[.]com
• 2015-11-25 15:30:56 UTC - xsso.agxtodofrldxwqnek[.]com - GET /0c9162280debd38b2b6788dffe1b1e4c
• 2015-11-25 15:30:59 UTC - rnhbhnlmpvvdt[.]com - POST /attachment.php
• 2015-11-25 15:35:59 UTC - agxtodofrldxwqnek[.]com - POST /include/functions_digest.php
• 2015-11-25 15:36:00 UTC - ncqauqvqqhhzpc[.]com - POST /login.php
• 2015-11-25 15:36:09 UTC - igpetlkpol9m[.]com - POST /include/class_dm_event.php

 

TRAFFIC FROM THE SECOND INFECTION (NEUTRINO EK):

• 2015-11-25 15:50:02 UTC - avant-age[.]fr - GET /
• 2015-11-25 15:50:05 UTC - link.guiaste[.]com[.]br - GET /view.js
• 2015-11-25 15:50:07 UTC - zmwcvhzpbb.goppre[.]eu - GET /spider/cmRwZmRkdHk
• 2015-11-25 15:50:07 UTC - zmwcvhzpbb.goppre[.]eu - GET /quarter/1471771/bewilder-splash-variety-background-troll-entertain
• 2015-11-25 15:50:09 UTC - zmwcvhzpbb.goppre[.]eu - GET /1978/08/12/telephone/rush-surround-spread-issue-drag-saint.html
• 2015-11-25 15:50:13 UTC - zmwcvhzpbb.goppre[.]eu - GET /1982/05/15/behind/blink-silk-punish-twelve-power-matter-heal-coin.html
• 2015-11-25 15:50:13 UTC - zmwcvhzpbb.goppre[.]eu - GET /slop/1785734/myth-plain-narrow-more-serious-depth-cigar-human-admire
• 2015-11-25 15:50:18 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 15:50:19 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 15:50:35 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 15:50:36 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 15:50:42 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 15:50:43 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 15:50:49 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 15:50:49 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 15:51:07 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 15:51:08 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 15:51:20 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 15:51:21 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 15:51:37 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 15:51:38 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 15:52:32 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 15:52:33 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 15:55:23 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 15:55:24 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 16:06:02 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 16:06:03 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 16:07:36 UTC - 109.234.35[.]95 - POST /forum/db.php
• 2015-11-25 16:08:10 UTC - 91.229.79[.]119 - POST /forum/db.php
• 2015-11-25 16:08:11 UTC - 91.229.79[.]119 - POST /forum/db.php
• 2015-11-25 16:09:13 UTC - 195.22.28[.]194 - POST /forum/db.php
• 2015-11-25 16:09:14 UTC - sso.anbtr[.]com - GET /domain/195.22.28[.]194
• 2015-11-25 16:11:32 UTC - 109.234.35[.]95 - POST /forum/db.php
• 2015-11-25 16:32:09 UTC - 109.234.35[.]95 - POST /forum/db.php

 

IMAGES

Shown above: Traffic from the Angler EK pcap filtered in Wireshark.

 

Shown above: Gate leading from the comrpomised website to the Angler EK landing page.

 

Shown above: Traffic from the Neutrino EK pcap filtered in Wireshark.

 

Shown above: Gate leading from the comrpomised website to the Neutrino EK landing page.

 

Click here to return to the main page.