Malware-Traffic-Analysis.net - 2016-04-04 - Angler EK from 198.16.89.55 sends Bedep

2016-04-04 - ANGLER EK FROM 198.16.89.55 SENDS BEDEP

PCAP AND MALWARE:

ZIP archive of the pcap: 2016-04-04-Angler-EK-after-womenshowesweb.net.pcap.zip 784.6 kB (784,650 bytes)
ZIP archive of the malware and artifacts: 2016-04-04-Angler-EK-malware-and-artifacts.zip 436.0 kB (435,999 bytes)

NOTES:

Threatglass had an entry for this compromised site yesterday, and the pcap from that entry shows Rig EK.

Shown above: Pcap for this blog entry's traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

womenshoesweb.net - GET /jss/ - First unusual URL from compromised site
womenshoesweb.net - GET /ya/rK2M8tX6EgLqbFVyTc_NZA/1459797806 - Returned 302 redirect to Angler EK landing page
198.16.89.55 port 80 - ossenmarktenunwissentlich.mercerstreet.london - Angler EK
www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml - Bedep connectivitivy
82.141.230.141 port 80 - mhdvcwwgditvkq0k.com - POST /forum.php - Bedep post-infection
95.211.205.228 port 80 - tdngsjjipnhdczrl.com - POST /include/blog_functions_search.php - Bedep post-infection
95.211.205.228 port 80 - tdngsjjipnhdczrl.com - POST /calendar.php - Bedep post-infection
95.211.205.228 port 80 - tdngsjjipnhdczrl.com - POST /list.php - Bedep post-infection
95.211.205.228 port 80 - tdngsjjipnhdczrl.com - POST /register.php - Bedep post-infection
95.211.205.228 port 80 - tdngsjjipnhdczrl.com - POST /css.php - Bedep post-infection
85.25.41.95 port 80 - jjiwoow.mjobrkn3.eu - GET /ads.php?sid=1901 - Click-fraud traffic begins

Once again, here are the associated files:

ZIP archive of the pcap: 2016-04-04-Angler-EK-after-womenshowesweb.net.pcap.zip 784.6 kB (784,650 bytes)
ZIP archive of the malware and artifacts: 2016-04-04-Angler-EK-malware-and-artifacts.zip 436.0 kB (435,999 bytes)

The ZIP files are password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.