Notes
  • Quick update here on Angler EK, no malware for this one
  • This sample was found on Threatglass; http://threatglass.com/malicious_urls/starmusiq-com
  • Different landing page URI than what I normally see with Angler EK (such as hxxp://bad.domain.com/something-something-something-something/[lotsofnumbers].html)

PCAP
Angler EK Traffic

2015-05-18 01:49:18 UTC - 212.109.218.125 - rznsh8.hub.fishingcharterhub.net - GET /queueingflaky/758402138783780
2015-05-18 01:49:21 UTC - 212.109.218.125 - rznsh8.hub.fishingcharterhub.net - GET /X8Fgjytp_RycMy1krmeK9f1IXBxHzfO4QKnFIJFIhNhWkfm2
2015-05-18 01:49:35 UTC - 212.109.218.125 - rznsh8.hub.fishingcharterhub.net - GET /u4PH3ESNthSNiLOgK6zLRkHmHHinmKoUMVfYJDP60IiB-voW

Post-Infection Bedep Checkin & Traffic

2015-05-18 01:49:34 UTC - 208.113.226.171 - earthtools.org - POST /timezone/0/0
2015-05-18 01:49:37 UTC - 46.45.137.68 - sodshqsqkikrk0c.com - POST /forum.php
2015-05-18 01:50:09 UTC - 46.45.137.68 - sodshqsqkikrk0c.com - POST /include/classdmevent.php
2015-05-18 01:50:18 UTC - 46.45.137.68 - sodshqsqkikrk0c.com - POST /include/functions_picturecomment.php
2015-05-18 01:50:38 UTC - 96.6.122.128 - download.microsoft.com - GET /download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
2015-05-18 01:50:44 UTC - 46.45.137.68 - sodshqsqkikrk0c.com - POST /list.php
2015-05-18 01:50:50 UTC - 96.6.122.128 - download.microsoft.com - GET /download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.7

2015-05-18 01:49:22 UTC - 212.109.218.125:80 -> 192.168.60.10:1134 - ETPRO CURRENT EVENTS Angler EK Payload T1 April 29 2015 M2
2015-05-18 01:49:22 UTC - 192.168.60.10:1134 -> 212.109.218.125:80 - ET CURRENT EVENTS Angler EK Payload DL M2 Feb 06 2015
2015-05-18 01:49:34 UTC - 192.168.60.10:1135 -> 208.113.226.171:80 - ET TROJAN Possible Bedep Connectivity Check (2)
2015-05-18 01:49:35 UTC - 212.109.218.125:80 -> 192.168.60.10:1133 - ETPRO CURRENT EVENTS Angler EK Landing T1 April 29 2015 M2
2015-05-18 01:49:35 UTC - 212.109.218.125:80 -> 192.168.60.10:1133 - ETPRO CURRENT EVENTS Angler EK Landing T1 April 29 2015 M3
2015-05-18 01:49:35 UTC - 212.109.218.125:80 -> 192.168.60.10:1133 - ETPRO CURRENT EVENTS Angler EK Landing T1 April 29 2015 M5
2015-05-18 01:49:35 UTC - 212.109.218.125:80 -> 192.168.60.10:1133 - ETPRO CURRENT EVENTS Angler EK Landing T1 April 29 2015 M5
2015-05-18 01:49:35 UTC - 192.168.60.10:1133 -> 212.109.218.125:80 - ET POLICY Outdated Windows Flash Version IE
2015-05-18 01:49:35 UTC - 192.168.60.10:1133 -> 212.109.218.125:80 - ET CURRENT EVENTS Possible Angler EK Flash Exploit URI Structure Jan 21 2015
2015-05-18 01:49:36 UTC - 192.168.60.10:1136 -> 23.10.139.136:80 - ET TROJAN Possible Bedep Connectivity Check
2015-05-18 01:49:37 UTC - 192.168.60.10:1146 -> 46.45.137.68:80 - ETPRO TROJAN Bedep HTTP POST CnC Beacon
2015-05-18 01:50:10 UTC - 46.45.137.68:80 -> 192.168.60.10:1146 - ET TROJAN Bedep Checkin Response
2015-05-18 01:50:10 UTC - 192.168.60.10:1146 -> 46.45.137.68:80 - ETPRO TROJAN Bedep HTTP POST CnC Beacon
2015-05-18 01:50:12 UTC - 46.45.137.68:80 -> 192.168.60.10:1146 - ETPRO TROJAN Bedep CnC Beacon Response
2015-05-18 01:50:19 UTC - 192.168.60.10:1146 -> 46.45.137.68:80 - ETPRO TROJAN Bedep HTTP POST CnC Beacon
2015-05-18 01:50:38 UTC - 96.6.122.128:80 -> 192.168.60.10:1156 - ET POLICY PE EXE or DLL Windows file download HTTP
2015-05-18 01:50:40 UTC - 43.225.38.217:443 -> 192.168.60.10:1157 - ETPRO TROJAN Win32/Tofsee Loader Config Download
2015-05-18 01:50:50 UTC - 96.6.122.128:80 -> 192.168.60.10:1161 - ET POLICY PE EXE or DLL Windows file download HTTP
2015-05-18 01:50:50 UTC - 23.10.143.109:80 -> 192.168.60.10:1154 - ET POLICY Microsoft user-agent automated process response to automated request
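To make the listings above queryable rather than eyeballed, here is an added helper (my own code, not from the post) that parses the HTTP summary and Suricata alert lines in the exact layouts shown, checks whether a URI has the hyphenated Angler landing shape the Notes contrast this sample against, and pairs each alert with the requests to the same remote IP within a few seconds. The 192.168. local prefix, the five-second window and the trimmed sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a few lines copied from the post's HTTP summary and
# Suricata alert list, in the "ts - ip - host - METHOD /uri" and
# "ts - src:port -> dst:port - signature" layouts used above.
HTTP_LINES = """\
2015-05-18 01:49:18 UTC - 212.109.218.125 - rznsh8.hub.fishingcharterhub.net - GET /queueingflaky/758402138783780
2015-05-18 01:49:21 UTC - 212.109.218.125 - rznsh8.hub.fishingcharterhub.net - GET /X8Fgjytp_RycMy1krmeK9f1IXBxHzfO4QKnFIJFIhNhWkfm2
2015-05-18 01:49:37 UTC - 46.45.137.68 - sodshqsqkikrk0c.com - POST /forum.php
""".splitlines()
ALERT_LINES = """\
2015-05-18 01:49:22 UTC - 192.168.60.10:1134 -> 212.109.218.125:80 - ET CURRENT EVENTS Angler EK Payload DL M2 Feb 06 2015
2015-05-18 01:49:37 UTC - 192.168.60.10:1146 -> 46.45.137.68:80 - ETPRO TROJAN Bedep HTTP POST CnC Beacon
""".splitlines()

HTTP_RE = re.compile(r"^(?P<ts>\S+ \S+) UTC - (?P<ip>[\d.]+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$")
ALERT_RE = re.compile(r"^(?P<ts>\S+ \S+) UTC - (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+ - (?P<sig>.+)$")
# The landing URI shape the post says it normally sees from Angler:
# /word-word-word-word/<digits>.html (hyphenated words, then a numeric .html name).
CLASSIC_LANDING = re.compile(r"^/[a-z]+(?:-[a-z]+)+/\d+\.html$")
LOCAL_PREFIX = "192.168."  # assumption: the victim 192.168.60.10 sits in this RFC1918 range

def parse(regex, lines):
    """Parse lines matching regex into dicts with a datetime 'ts'; non-matching lines are skipped."""
    rows = []
    for m in filter(None, map(regex.match, lines)):
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        rows.append(d)
    return rows

def is_classic_angler_landing(uri):
    return bool(CLASSIC_LANDING.match(uri))

def correlate(http, alerts, window_s=5):
    """Map each alert signature to the URIs requested from the alert's remote IP within
    window_s seconds, so the analyst can see which GET/POST tripped which rule."""
    hits = defaultdict(list)
    for a in alerts:
        remote = a["dst"] if a["src"].startswith(LOCAL_PREFIX) else a["src"]
        for r in http:
            if r["ip"] == remote and abs((r["ts"] - a["ts"]).total_seconds()) <= window_s:
                hits[a["sig"]].append(r["uri"])
    return dict(hits)
```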

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.