2016-03-23 - TWO EXAMPLES OF ANGLER EK

ASSOCIATED FILES:

• ZIP archive of both pcaps:  2016-03-23-Angler-EK-both-pcaps.zip  3.4 MB (3,384,715 bytes)
• ZIP archive of the malware and artifacts:  2016-03-23-Angler-EK-malware-and-artifacts.zip  1.1 MB (1,112,072 bytes)

 

PCAPS AND MALWARE:

• I wrote about the latest patterns in pseudo-Darkleech at:

• http://researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/

• This "other" Angler EK is definitely an identifiable campaign.  I first saw this pattern of injected script on Tuesday 2016-03-15, but I'm not sure what to call it yet.

 

ASSOCIATED DOMAINS

FIRST PCAP:

• 82.146.62.52 port 80 - zmienna.machynllethfestival.org.uk - Angler EK   [pseudo-Darkleech]
• 64.20.35.186 port 80 - diwali2k15.in - POST /sysstr.php - TeslaCrypt post-infection traffic
• 50.31.14.17 port 80 - samuday.org - POST /sysstr.php - TeslaCrypt post-infection traffic
• 103.27.87.88 port 80 - maxmpl.com - POST /sysstr.php - TeslaCrypt post-infection traffic

SECOND PCAP:

• 89.108.83.91 port 80 - chunky.enchantingweddingsandevents.co.uk - Angler EK   [other]

• www.ecb.europa.eu - XML file downloaded by Bedep
• 104.193.252.245 port 80 - vqpydhheirk2i.com - DGA domain possibly related to Bedep
• 82.141.230.141 port 80 - mbeovojxluwhanww.com - DGA domain possibly related to Bedep
• 82.141.230.141 port 80 - voscngylqtnjzpe.com - DGA domain possibly related to Bedep
• 198.105.244.228 port 80 - axeqiohhxjma.com - DGA domain possibly related to Bedep
• 198.105.244.228 port 80 - nogwgoeupdqevg.com - DGA domain possibly related to Bedep
• 198.105.244.228 port 80 - sfiyyjmygfvgphovpu.com - DGA domain possibly related to Bedep
• 198.105.244.228 port 80 - sxycudvinytb4p.com - DGA domain possibly related to Bedep
• 198.105.244.228 port 80 - thzccdpefxdrb0.com - DGA domain possibly related to Bedep
• 198.105.244.228 port 80 - tnqhywwuguhaig.com - DGA domain possibly related to Bedep
• 198.105.244.228 port 80 - yoxxuihfbffhp5.com - DGA domain possibly related to Bedep
• 198.105.244.228 port 80 - zcbvstaxjtyglpxei8.com - DGA domain possibly related to Bedep

• 162.244.32.121 port 80 - bookersmartest.xyz - GET /ads.php?sid=1826 - Click-fraud traffic begins
• 104.193.252.234 port 80 - lovelyroomsforday.com - GET /ads.php?sid=182 - Click-fraud traffic begins
• 162.244.32.122 port 80 - daytonamagik.com - GET /ads.php?sid=1826 - Click-fraud traffic begins
• 89.163.240.118 port 80 - kjnoa9sdi3mrlsdnfi.com - GET /ads.php?sid=1826 - Click-fraud traffic begins
• 89.163.241.90 port 80 - jimmymorisonguitars.com - GET /ads.php?sid=1826 - Click-fraud traffic begins
• 85.25.41.95 port 80 - moregoodstafsforus.com - GET /ads.php?sid=1826 - Click-fraud traffic begins

• 64.20.35.186 port 80 - diwali2k15.in - POST /sysstr.php - TeslaCrypt post-infection traffic
• 50.31.14.17 port 80 - samuday.org - POST /sysstr.php - TeslaCrypt post-infection traffic
• 103.27.87.88 port 80 - maxmpl.com - POST /sysstr.php - TeslaCrypt post-infection traffic

• 188.120.231.185 port 80 - 74.125.226.176 - POST /stat1.php - Other post-infection traffic

 

MALWARE AND ARTIFACTS

Contents of today's archive with the malware and artifacts:

• SHA256 hash:  2af7a33ffd6755d6046112b33b9018b1c3bb012b332cda4b8b0a30759ec67a18
  File name:  2016-03-23-TeslaCrypt-decrypt-instructions.txt

• SHA256 hash:  13e62c23322cf915171d874f14ebfd21abf16e58270aff58316f624ad144a3a3
  File name:  2016-03-23-injected-script-from-cbsconsulting.com.txt

• SHA256 hash:  ae295ee7804a316153434783d83c2fbc63954a9384e2343a349be88a84e4ffed
  File name:  2016-03-23-malware-after-other-Angler-EK-caused-Bedep-infection-1-of-2-TeslaCrypt.exe

• SHA256 hash:  c44b368f73ffc548e5253643a0c4d33fb8f0a91b5d7fd948bfb1f3ba9b204e1c
  File name:  2016-03-23-malware-after-other-Angler-EK-caused-Bedep-infection-2-of-2.exe

• SHA256 hash:  60f049fd94527991fe7d6ab2a5c8b000cf88bc2b21ead056a53233b348b65458
  File name:  2016-03-23-other-Angler-EK-flash-exploit-after-cbsconsultinggroup.com.swf

• SHA256 hash:  077545cf2c63cab61b5b49875027847a12e6f254f89a9cd8accc51b107688fcf
  File name:  2016-03-23-other-Angler-EK-landing-page-after-cbsconsultinggroup.com.txt

• SHA256 hash:  0452cf22c867621c99a43564bef4d4cfe453c594b25667fc4d1fe412d0b335dc
  File name:  2016-03-23-other-Angler-EK-silverlight-exploit-after-cbsconsulting.com.xap

• SHA256 hash:  c9eaf3480afe4cbddcd9df13d8577bfa0cae52b647eeb81253d45d826a41bc92
  File name:  2016-03-23-other-malware-retrieved-after-Angler-EK-caused-Bedep-infection-actxprxy.dll

• SHA256 hash:  ce3a9bcdbfa2f76fea7f5a13bfe46e770ad5ab1b0ab224b7018ddd22aa9da026
  File name:  2016-03-23-page-from-bpsintegrations.com-with-malicious-script.txt

• SHA256 hash:  9ed422779f846be0e630c75a8eaf8a46909e9a72ec2e3477775d0ce9ae476540
  File name:  2016-03-23-pseudo-Darkleech-Angler-Ek-flash-exploit-after-bpsintegrations.com.swf

• SHA256 hash:  71b69881e549f6faaa82de459f3db239cebccea0e59f3447658ed4fd4c633ce4
  File name:  2016-03-23-pseudo-Darkleech-Angler-Ek-landing-page-after-bpsintegrations.com.txt

• SHA256 hash:  ba8ca1c7ba3b0d615c0b3957004cc5f16f8c0d77c5f65aed88e3157cdeec6db0
  File name:  2016-03-23-pseudo-Darkleech-Angler-Ek-payload-TeslaCrypt-after-bpsintegrations.com.exe

 

IMAGES

Shown above:  Pcaps for this blog entry's traffic filtered in Wireshark.

 

Shown above:  Start of pseudo-Darkleech injected script in page from first compromised website.

 

Shown above:  Other injected script in page from first compromised website (did not go to an EK).

 

Shown above:  Injected script in page from second compromised website.

 

Shown above:  Decrypt instructions from today's TeslaCrypt samples.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of both pcaps:  2016-03-23-Angler-EK-both-pcaps.zip  3.4 MB (3,384,715 bytes)
• ZIP archive of the malware and artifacts:  2016-03-23-Angler-EK-malware-and-artifacts.zip  1.1 MB (1,112,072 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.