2016-01-18 - TWO INFECTIONS (RIG AND ANGLER EK)

PCAP AND MALWARE:

• ZIP file of the two PCAPs:  2016-01-18-both-examples-of-EK-traffic.zip  1.8 MB (1,756,649 bytes)
• ZIP file of the malware and artifacts:  2016-01-18-Angler-and-Rig-EK-malware-and-artifacts.zip  646.4 kB (646,392 bytes)

 

FIRST PCAP

FILE DETAILS:

• PCAP name:  2016-01-18-Rig-EK-traffic.pcap
• Start time:  2016-01-18 20:43:14 UTC
• End time:  2016-01-18 20:43:44 UTC

 

ASSOCIATED DOMAINS:

• 103.1.175.1 port 80 - www.hotelarunachala.in - Compromised website
• 192.185.35.254 port 80 - hollistercarwash.com - Gate/redirect
• 46.30.42.198 port 80 - htr.drraffihovsepianreview.com - Rig EK

 

SECOND PCAP

FILE DETAILS:

• PCAP name:  2016-01-18-Angler-EK-sends-Bedep-traffic.pcap
• Start time:  2016-01-18 21:54:38 UTC
• End time:  2016-01-18 21:58:58 UTC

 

ASSOCIATED DOMAINS:

• 216.28.245.214 port 80 - coolrilla.com - Compromised website
• 5.189.216.103 port 80 - nic.artededirigir.com.br - Redirect/gate
• 185.49.69.25 port 80 - omondi-liczyli.jwsjustdothemath.com - Angler EK
• www.ecb.europa.eu - Connectivity check by the infected host
• 195.22.28.199 port 80 - aodncqkbqddauoyqk.com - Post-infection traffic
• 195.22.28.222 port 80 - sso.anbtr.com - Post-infection traffic
• 195.22.28.198 port 80 - xsso.aodncqkbqddauoyqk.com - Post-infection traffic
• 208.100.26.234 port 80 - letvnhhitrdk.com - Post-infection traffic
• 95.211.205.230 port 80 - qufsvzeigvlxdbw.com - Post-infection traffic
• 104.193.252.234 port 80 - lampubuntuadv.com - GET /ads.php?sid=1948   [Post-infection ad traffic]
• 85.25.79.160 port 80 - reannewscomm.com - GET /ads.php?sid=1948   [Post-infection ad traffic]
• 89.163.240.118 port 80 - kjnoa9sdi3mrlsdnfi.com - GET /ads.php?sid=1948   [Post-infection ad traffic]
• 185.82.216.241 port 80 - lollytooneymoney.com - GET /ads.php?sid=1948   [Post-infection ad traffic]
• 185.82.216.240 port 80 - allhobbyworldsnet.com - GET /ads.php?sid=1948   [Post-infection ad traffic]
• 85.25.79.160 port 80 - reannewscomm.com - GET /ads.php?sid=1948   [Post-infection ad traffic]
• 89.163.240.119 port 80 - gerausports.com - GET /ads.php?sid=1948   [Post-infection ad traffic]

 

FINAL NOTES

Once again, here are the associated files:

• ZIP file of the two PCAPs:  2016-01-18-both-examples-of-EK-traffic.zip  1.8 MB (1,756,649 bytes)
• ZIP file of the malware and artifacts:  2016-01-18-Angler-and-Rig-EK-malware-and-artifacts.zip  646.4 kB (646,392 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.