Malware-Traffic-Analysis.net - My technical blog posts - 2015

MY TECHNICAL POSTS - [ 2013 ] - [ 2014 ] - [ 2015 ] - [ 2016 ] - [ 2017 ] - [ 2018 ] - [ 2019 ]

2015-12-31 -- Follow up to ISC diary about actor using Rig EK to deliver Qbot
2015-12-30 -- Pcap and malware for an ISC diary I wrote
2015-12-29 -- Angler EK from 185.86.77.52 sends Bedep
2015-12-28 -- Angler EK from 207.182.133.69 sends TeslaCrypt
2015-12-21 -- Angler EK sends CryptoWall
2015-12-18 -- Pcap and malware for an ISC diary I wrote
2015-12-17 -- Pcap and malware for an ISC diary I wrote
2015-12-16 -- Angler EK from 51.255.146.65 sends CryptoWall
2015-12-14 -- Angler EK from 51.255.131.66 sends CryptoWall
2015-12-09 -- Pcap and malware for an ISC diary I wrote
2015-12-08 -- Angler EK from 185.46.8.218 sends CryptoWall
2015-12-04 -- Angler EK from 188.120.247.14 sends TeslaCrypt
2015-12-03 -- Angler EK from 178.90.159.71 sends CryptoWall

2015-11-30 -- Angler EK sends CryptoWall
2015-11-27 -- Angler EK from 5.135.65.146 - lvx1wv.ynglrv01.xyz
2015-11-25 -- Gate led to Angler EK - same gate led to Neutrino EK
2015-11-25 -- Pcap and malware for an ISC diary I wrote
2015-11-23 -- Angler EK from 51.255.25.10 sends CryptoWall 3.0
2015-11-23 -- BizCN gate actor from 5.175.193.253 sends CrytpWall 4.0
2015-11-22 -- BizCN gate actor from 5.175.194.135
2015-11-21 -- BizCN gate actor from 5.175.185.20 sends CryptoWall 4.0
2015-11-20 -- BizCN gate actor from 5.231.54.59 sends CryptoWall 4.0
2015-11-20 -- Angler EK from 209.133.203.204 sends CryptoWall 3.0
2015-11-19 -- BizCN gate actor from 5.231.54.59 sends CryptoWall 3.0
2015-11-19 -- Pcap and malware for an ISC diary I wrote
2015-11-17 -- Rig EK from 46.30.46.146 - wef.grassrooters.org
2015-11-16 -- Malicious script with backward URL leads to Rig EK
2015-11-15 -- BizCN gate actor Nuclear EK from 212.231.129.35
2015-11-12 -- Nuclear EK from 104.236.62.254 sends CryptoWall 3.0
2015-11-10 -- Angler EK sends Tinba banking Trojan
2015-11-09 -- Nuclear EK from 178.62.8.117 sends Andromeda/CTB-Locker
2015-11-09 -- Angler EK sends Bedep
2015-11-05 -- Pcap and malware for an ISC diary I wrote
2015-11-02 -- Rig EK from 46.30.46.21

2015-10-30 -- Nuclear EK from 188.166.65.14
2015-10-27 -- Compromised WordPress site --> Angler EK --> TeslaCrypt 2.1
2015-10-23 -- Compromised Drupal site --> Angler EK --> TeslaCrypt 2.0
2015-10-21 -- Neutrino EK from 89.38.150.119 sends Necurs
2015-10-20 -- 052F gate Nuclear EK fm 178.62.143.149 sends CryptoWall 3.0 / Andromeda
2015-10-19 -- 052F gate Nuclear EK from 178.62.4.34
2015-10-18 -- BizCN gate Nuclear EK from 5.175.148.193 sends CryptoWall 3.0
2015-10-18 -- Angler EK sends Bedep and Vawtrak
2015-10-16 -- Angler and 052F gate Nuclear EK from the same compromised website
2015-10-13 -- Neutrino EK from 81.2.241.147
2015-10-13 -- Angler EK from 188.138.105.137 sends CryptoWall 3.0
2015-10-12 -- Angler EK from 217.172.170.4 sends Bedep
2015-10-08 -- Three examples of Nuclear EK from 188.226.215.37
2015-10-05 -- Nuclear EK from 108.61.189.157 - 2whnxtj0ax1nudv.spoolhostz.ml

2015-09-29 -- Angler EK from 85.25.102.2 sends CryptoWall 3.0
2015-09-29 -- Nuclear EK from 162.247.14.204 - kolenkovolodki.cf
2015-09-23 -- Bartalex malspam sends Pony and Vawtrak
2015-09-22 -- Nuclear EK from 46.101.165.112 - bagrewakokugre.ml
2015-09-21 -- Rig EK from 46.30.43.111 - reh.healtzkart.org
2015-09-18 -- Nuclear EK from 178.62.72.26 - oaacderesftu.tk
2015-09-16 -- Neutrino EK from 89.38.149.168 sends CryptoWall 3.0
2015-09-16 -- Nuclear EK from 162.247.14.156 sends TeslaCrypt 2.0
2015-09-15 -- Angler EK from 185.49.68.129 sends Bedep
2015-09-15 -- Nuclear EK from 162.247.14.136 sends TeslaCrypt 2.0
2015-09-14 -- Angler EK from 207.182.157.157 sends CryptoWall 3.0
2015-09-14 -- BizCN gate actor Neutrino EK from 46.108.156.189 port 35827
2015-09-11 -- BizCN gate actor Neutrino EK from 46.108.156.189 port 32393
2015-09-10 -- Angler EK from 62.109.9.60
2015-09-08 -- Neutrino EK from 46.108.156.190 sends CryptoWall 3.0
2015-09-04 -- Upatre/Dyre malspam - Subj: Scanned Image from a Xerox WorkCentre
2015-09-03 -- Angler sends TeslaCrypt 2.0 one day, then CryptoWall 3.0 the next
2015-09-02 -- Neutrino EK from 46.108.156.181 sends TeslaCrypt 2.0

2015-08-28 -- BizCN gate actor examples
2015-08-27 -- Angler EK from 74.63.210.179 sends TeslaCrypt 2.0
2015-08-26 -- Upatre/Dyre malspam
2015-08-24 -- Angler EK from 31.148.219.194 sends TeslaCrypt 2.0
2015-08-24 -- Rig EK from 94.142.140.222 - load.ledrequired.com
2015-08-19 -- BizCN gate actor Nuclear EK from 31.214.157.20 - blizfone.cf
2015-08-17 -- Rig EK from 94.142.139.186 - life.mirage-inc.com
2015-08-17 -- Angler EK sends Bedep - 94.23.170.230 - povazan.spacediscussions.com
2015-08-14 -- BizCN gate actor Nuclear EK from 89.238.181.74 - free3dprint.cf
2015-08-14 -- Nuclear EK from 95.85.21.30 - bacuhytgbnvedhhko.ml
2015-08-13 -- Angler EK from 176.9.197.68 sends CryptoWall 3.0
2015-08-12 -- Nuclear EK from 188.166.1.98 - aabeweddbhujkoge.cf
2015-08-10 -- Angler EK from 144.76.161.249 sends Bedep
2015-08-07 -- Rig EK from 46.30.46.24 - add.ellicottvillerealestate.com
2015-08-06 -- Adwind malspam examples
2015-08-05 -- An example of legitimate Java update traffic
2015-08-03 -- Rig EK on 46.30.46.26

2015-07-31 -- Angler EK from 69.162.112.181 sends CryptoWall 3.0
2015-07-30 -- BizCN gate actor Nuclear EK on 46.101.18.39
2015-07-27 -- Angler EK from 69.162.116.253 sends CryptoWall 3.0
2015-07-23 -- Angler EK from 216.245.213.141 sends CryptoWall 3.0
2015-07-22 -- Nuclear EK changes URL patterns
2015-07-20 -- Nuclear EK sends TelsaCrypt 2.0
2015-07-17 -- BizCN gate actor Nuclear EK on 188.166.120.33 sends CryptoWall 3.0
2015-07-17 -- Magnitude EK from 188.42.244.146
2015-07-17 -- Angler EK from 69.162.90.107 sends Bedep
2015-07-16 -- Neutrino EK from 82.211.30.153 port 31251
2015-07-16 -- Rig EK from 46.30.42.238
2015-07-16 -- BizCN gate actor Nuclear EK on 216.170.114.126
2015-07-16 -- Angler EK from 206.190.134.188 sends CryptoWall 3.0
2015-07-15 -- BizCN gate actor Nuclear EK on 104.207.131.131
2015-07-15 -- Angler EK from 185.48.58.51 sends CryptoWall 3.0
2015-07-14 -- BizCN gate actor Nuclear EK on 108.61.167.124
2015-07-14 -- Angler EK - Two examples - Bedep & CryptoWall 3.0
2015-07-13 -- BizCN gate actor Nuclear EK on 185.92.220.196
2015-07-13 -- Angler EK from 136.243.96.94 sends CryptoWall 3.0
2015-07-10 -- Angler EK from 176.9.245.142 sends CryptoWall 3.0
2015-07-10 -- Neutrino EK - 3 examples
2015-07-09 -- BizCN gate actor Nuclear EK on 104.238.187.29
2015-07-09 -- Angler EK - 2 examples (CryptoWall 3.0 and Bedep)
2015-07-08 -- BizCN gate actor Nuclear EK on 108.61.188.92
2015-07-08 -- Angler EK sends CryptoWall 3.0 - 2 examples
2015-07-07 -- BizCN gate actor Nuclear EK
2015-07-07 -- Angler EK traffic - 2 examples
2015-07-06 -- Angler EK from 74.63.217.220 sends CryptoWall 3.0
2015-07-05 -- BizCN gate actor switches from Fiesta to Nuclear EK
2015-07-05 -- Angler EK from 5.196.183.76 sends CryptoWall 3.0
2015-07-03 -- Angler EK sends CryptoWall 3.0
2015-07-02 -- Fiesta EK from 66.225.219.224 - jackkwizc.ddnsking.com

2015-06-17 -- Angler EK from 213.133.111.21 sends CryptoWall 3.0
2015-06-16 -- Angler EK from 46.4.235.1 sends CryptoWall 3.0
2015-06-15 -- Angler EK from 46.4.235.3 sends Bedep
2015-06-12 -- Nuclear EK from 108.61.178.68
2015-06-12 -- Angler EK sends CryptoWall 3.0 (again)
2015-06-09 -- Malspam campaign sending CryptoWall 3.0 continues
2015-06-09 -- Angler EK still on a "cryptowall rampage"
2015-06-08 -- Angler EK - more changes in traffic patterns
2015-06-05 -- Angler EK from 209.133.200.228 sends Bedep and Necurs
2015-06-04 -- Resume malspam sending CryptoWall 3.0
2015-06-03 -- Details from SANS ISC diary on Exploit Kit Roundup
2015-06-01 -- Angler EK from 94.242.192.222 sends Bedep and Necurs

2015-05-26 -- Angler EK sends Bedep, host infected with CryptoWall 3.0
2015-05-25 -- Angler EK delivers ransomware
2015-05-22 -- Fiesta EK from BizCN actor
2015-05-18 -- Angler EK sends Bedep
2015-05-15 -- Angler EK from 178.63.174.153 - sends Bedep & Necurs
2015-05-14 -- Nuclear EK from 109.234.37.12 - sends Necurs
2015-05-14 -- Nuclear EK delivers more ransomware
2015-05-14 -- Angler EK delivers more ransomware
2015-05-11 -- Malspam campaign - fake American Airlines messages
2015-05-07 -- Angler EK from 94.242.255.60 delivers more ransomware
2015-05-07 -- Angler EK from 94.242.255.60 delivers Alpha Crypt ransomware
2015-05-06 -- Rig EK changed how it sends the malware payload
2015-05-06 -- Angler EK from 94.242.255.59 delivers Alpha Crypt ransomware
2015-05-05 -- Angler EK from 94.242.255.53

2015-04-30 -- Angler EK delivers Alpha Crypt ransomware
2015-04-25 -- Angler EK followed by Magnitude EK during post-infection
2015-04-24 -- Neutrino EK from 193.242.211.149
2015-04-15 -- Dridex malspam about failed wire transfers
2015-04-09 -- Nuclear EK delivers Troldesh ransomware
2015-04-06 -- What's Neutrino EK been up to lately?
2015-04-03 -- Nuclear EK drops Telsacrypt malware
2015-04-02 -- Angler, Fiesta, Nuclear, and Dridex traffic/malware
2015-04-01 -- Angler EK from 209.126.113.76

2015-03-30 -- Fiesta EK from 205.234.186.113 pushes Simda malware
2015-03-27 -- Angler EK and Magnitude EK
2015-03-26 -- Fiesta EK from 217.172.170.17 - mcghmeneuc.servepics.com
2015-03-25 -- Angler EK pushes ransomware
2015-03-24 -- Malspam generates Chanitor/Vawtrak
2015-03-18 -- Upatre/Dyre malspam - Subject: FW: Customer account docs
2015-03-17 -- Fiesta EK from 217.172.170.6 - iueloxp.servepics.com
2015-03-16 -- Examples of Nuclear EK pushing Kelihos
2015-03-01 -- Magnitude EK from 188.138.68.68

2015-02-23 -- Sweet Orange EK from 95.183.8.177 - h.rockyhillrealtor.com:8085
2015-02-16 -- Chanitor/Vawtrak malspam - Subject: E-ticket from American Airlines
2015-02-13 -- Magnitude EK - 46.166.182.101
2015-02-11 -- Windigo Group Nuclear EK
2015-02-10 -- Angler EK from 151.80.94.250
2015-02-09 -- Sweet Orange EK from 91.224.141.64
2015-02-09 -- Chanitor/Vawtrak malspam - Subject: USPS Delivery Notification
2015-02-06 -- Traffic pattern change in CryptoWall 3.0 sample
2015-02-06 -- Rig EK from 46.182.30.163 pushing Kronos
2015-02-05 -- BizCN gate actor changes IPs, domain names, and URL pattern for its gate
2015-02-04 -- Nuclear EK from 5.9.120.123 - zxc.mivycem.com
2015-02-02 -- Malspam run pushes Chanitor
2015-02-01 -- Nuclear EK from 178.62.250.102 - discreettarget.cf

2015-01-31 -- KaiXin EK from 103.251.38.20:802 - EK payload from 210.109.101.13
2015-01-30 -- Angler EK from 178.32.131.248 - 6jd5c9.ckk.creacionesliterarias-kirk.com
2015-01-29 -- Nuclear EK from 178.62.149.46 - culturemerge.ga - Vawtrak payload
2015-01-28 -- Ad traffic from lax1.ib.adnxs.com kicks off chain of events to Angler EK
2015-01-27 -- Upatre/Dyre malspam wave - Subject: Voice Message
2015-01-26 -- Dridex malspam wave - Subject: Berendsen UK Ltd Invoice 60020918 117
2015-01-26 -- Neutrino EK from 108.61.197.150 port 28623 (Vawtrak/NeverQuest payload)
2015-01-23 -- Nuclear EK pushes Vawtrak/NeverQuest
2015-01-23 -- Windigo group Nuclear EK from 188.40.64.218
2015-01-22 -- Angler EK from 64.251.14.164 and 207.182.149.13
2015-01-21 -- Upatre/Dyre phishing run - Subject: Employee Documents - Internal Use
2015-01-20 -- BBVA Bancomer phishing emails
2015-01-20 -- Fiesta EK from 205.234.186.112 - justtattoshop.in
2015-01-18 -- Nuclear EK from 188.226.241.6 - nightglass.cf and nightglass.ga
2015-01-13 -- Dyre phishing run - Subject: Your tax return was incorrectly filled out
2015-01-12 -- Sweet Orange EK from 185.16.40.228 port 9633
2015-01-08 -- Malware hosted on 82.244.160.22
2015-01-07 -- Recent Dridex phishing campaign
2015-01-03 -- KaiXin EK from 119.147.137.128 - as2.22wdasda.cc
2015-01-02 -- Fake Target phishing emails from the Asprox botnet
2015-01-01 -- Phishing email - Subject: FW: Confirmed PO 327872
2015-01-01 -- Nuclear EK (Operation Windigo) from 67.215.2.195

Return to main menu
RSS feed
@malware_traffic on Twitter

Traffic analysis exercises
My technical blog posts
My non-technical posts
Guest blog posts

Tutorials and other entries

About this blog

Copyright © 2015 | Malware-Traffic-Analysis.net