Notes
  • Quick update on Angler dropping something other than CryptoWall 3.0
  • Tinba payload via Andromeda/Gamarue dropped by Angler EK
PCAP and Malware
Compromised Domain and Redirect

2015-07-07 15:23:26 UTC - 79.170.40.165 - arcskillsforwork.com - GET /

Angler EK Traffic

2015-07-07 15:23:33 UTC - 74.63.237.181 - mycodersrcbamboesfluitjie.buymaverickstickets.com - GET /snowstorms.php?qi=A&mt=wHCxw-RYxn&qd=EvUHDsTx7Yie&v=pSgkURGuEjOg9_&n=sOhQ0tMqq&d=qVep&le=Jq0HTEp7XxT6K_eEInFGHUhefie&qx=Rg&fu=e-_Ha6sjMQJ1Eet&k=skPVK&hs=M
2015-07-07 15:23:36 UTC - 74.63.237.181 - mycodersrcbamboesfluitjie.buymaverickstickets.com - GET /rather.xws?second=SyV-&express=UfVK4NF2S&suddenly=&hospital=jS0&complete=tja-GV15tC&demand=Pe8&discover=A1_PAkz6Ry&better=ndL8t&come=Nhdz
2015-07-07 15:23:39 UTC - 74.63.237.181 - mycodersrcbamboesfluitjie.buymaverickstickets.com - GET /occur.asr?need=&next=0YtxeBs&from=0f3XY&obtain=bGJ&whole=oMlfs&yet=8gr-5z&hill=a8HrxP6JUdJ6ZRmuU8aNsE
2015-07-07 15:23:42 UTC - 74.63.237.181 - mycodersrcbamboesfluitjie.buymaverickstickets.com - GET /manner.wdgt?remain=&because=j6n8n&decision=Kjp97&spend=&possible=qbXnDauU&place=&kind=s76szKcCy&number=&pass=i3tmuNJm54&type=LYJr5dvG&international=&recent=TFF
2015-07-07 15:23:44 UTC - 74.63.237.181 - mycodersrcbamboesfluitjie.buymaverickstickets.com - GET /early.dbm?however=uqcO4lN0&many=&but=0nhQh2DCCb&also=&issue=1ebE8Ks&tree=&national=iWql&cause=n5sOEq&mother=umSDbD3NWupIr

Post-Infection Gamarue/Andromeda & Tinba Traffic

2015-07-07 15:24:21 UTC - 185.45.193.165 - insections.biz - POST /2FDbd5Srrr/img.php
2015-07-07 15:24:22 UTC - 185.45.193.165 - insections.biz - GET /2FDbd5Srrr/img/kl.mod
2015-07-07 15:24:23 UTC - 185.45.193.165 - insections.biz - POST /2FDbd5Srrr/img.php
2015-07-07 15:24:23 UTC - 185.45.193.165 - insections.biz - GET /2FDbd5Srrr/bin.exe
2015-07-07 15:24:24 UTC - 185.45.193.165 - insections.biz - POST /2FDbd5Srrr/img.php
2015-07-07 15:24:57 UTC - 104.18.44.10 - mgfrllmmjiiy.pw - POST /HUERuV20Bb/
2015-07-07 15:25:00 UTC - 104.18.44.10 - mgfrllmmjiiy.pw - POST /HUERuV20Bb/
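The request lines above already show the full chain (compromised site, Angler EK landing/exploit/payload from one host, then Andromeda check-ins and a bin.exe fetch, then Tinba check-ins). The script below is an added example, not code from the original page: it parses lines in exactly that "time - ip - host - METHOD /url" format and applies simple URL heuristics to tag each stage. The heuristics (lowercase dictionary-word query keys with random mixed-case values for the EK landing; a random-looking first path component for the C2 POSTs; .exe/.dll for the payload fetch) are my own approximations of what is visible in this capture, not Emerging Threats rule logic, and the sample input is the page's own requests copied into a string.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input: a subset of the HTTP requests listed on this page.
SAMPLE_LOG = """\
2015-07-07 15:23:26 UTC - 79.170.40.165 - arcskillsforwork.com - GET /
2015-07-07 15:23:33 UTC - 74.63.237.181 - mycodersrcbamboesfluitjie.buymaverickstickets.com - GET /snowstorms.php?qi=A&mt=wHCxw-RYxn&qd=EvUHDsTx7Yie&v=pSgkURGuEjOg9_&n=sOhQ0tMqq&d=qVep&le=Jq0HTEp7XxT6K_eEInFGHUhefie&qx=Rg&fu=e-_Ha6sjMQJ1Eet&k=skPVK&hs=M
2015-07-07 15:23:36 UTC - 74.63.237.181 - mycodersrcbamboesfluitjie.buymaverickstickets.com - GET /rather.xws?second=SyV-&express=UfVK4NF2S&suddenly=&hospital=jS0&complete=tja-GV15tC&demand=Pe8&discover=A1_PAkz6Ry&better=ndL8t&come=Nhdz
2015-07-07 15:23:39 UTC - 74.63.237.181 - mycodersrcbamboesfluitjie.buymaverickstickets.com - GET /occur.asr?need=&next=0YtxeBs&from=0f3XY&obtain=bGJ&whole=oMlfs&yet=8gr-5z&hill=a8HrxP6JUdJ6ZRmuU8aNsE
2015-07-07 15:24:21 UTC - 185.45.193.165 - insections.biz - POST /2FDbd5Srrr/img.php
2015-07-07 15:24:22 UTC - 185.45.193.165 - insections.biz - GET /2FDbd5Srrr/img/kl.mod
2015-07-07 15:24:23 UTC - 185.45.193.165 - insections.biz - GET /2FDbd5Srrr/bin.exe
2015-07-07 15:24:57 UTC - 104.18.44.10 - mgfrllmmjiiy.pw - POST /HUERuV20Bb/
2015-07-07 15:25:00 UTC - 104.18.44.10 - mgfrllmmjiiy.pw - POST /HUERuV20Bb/
"""

LINE_RE = re.compile(r"^(\S+ \S+) UTC - (\S+) - (\S+) - (GET|POST) (\S+)$")
RANDOM_TOKEN = re.compile(r"[A-Za-z0-9_-]*")


def parse_line(line):
    """Split one 'time - ip - host - METHOD /url' line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, host, method, url = m.groups()
    parts = urlsplit(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "ip": ip, "host": host, "method": method, "path": parts.path,
        "query": parse_qsl(parts.query, keep_blank_values=True),
    }


def looks_like_ek_landing(req):
    """Heuristic (my assumption, not an ET rule): a GET with five or more query keys that are
    all plain lowercase words, where at least two values are random mixed-case tokens.
    This matches every Angler URL in the capture regardless of the made-up file extension."""
    q = req["query"]
    if req["method"] != "GET" or len(q) < 5:
        return False
    if not all(re.fullmatch(r"[a-z]+", k) for k, _ in q):
        return False
    mixed = sum(1 for _, v in q
                if RANDOM_TOKEN.fullmatch(v) and v.lower() != v and v.upper() != v)
    return mixed >= 2


def first_dir(path):
    segs = [s for s in path.split("/") if s]
    return segs[0] if segs else ""


def looks_like_random_dir(seg):
    """A single path component of 8+ alphanumerics mixing letters and digits, as in
    /2FDbd5Srrr/ and /HUERuV20Bb/ above (heuristic, my assumption)."""
    return (len(seg) >= 8 and seg.isalnum()
            and any(c.isdigit() for c in seg) and any(c.isalpha() for c in seg))


def classify(req):
    """Tag a request as one of the stages visible in this capture."""
    if looks_like_ek_landing(req):
        return "ek_landing_like"
    if req["path"].lower().endswith((".exe", ".dll")):
        return "payload_download"
    if (req["method"] == "POST" and not req["query"]
            and looks_like_random_dir(first_dir(req["path"]))):
        return "c2_checkin"
    return "other"


def infection_chain(log_text):
    """Classified requests in time order, dropping anything tagged 'other'."""
    reqs = [r for r in map(parse_line, log_text.splitlines()) if r]
    reqs.sort(key=lambda r: r["ts"])
    return [(r["ts"], r["host"], r["ip"], classify(r))
            for r in reqs if classify(r) != "other"]


def chain_summary(log_text):
    """First-seen (time, host, ip) per stage, plus seconds from first EK hit to first C2 check-in."""
    stages = {}
    for ts, host, ip, tag in infection_chain(log_text):
        stages.setdefault(tag, (ts, host, ip))
    gap = None
    if "ek_landing_like" in stages and "c2_checkin" in stages:
        gap = (stages["c2_checkin"][0] - stages["ek_landing_like"][0]).total_seconds()
    return {"stages": stages, "seconds_ek_to_c2": gap}


if __name__ == "__main__":
    for ts, host, ip, tag in infection_chain(SAMPLE_LOG):
        print(ts.time(), ip, host, tag)
    print(chain_summary(SAMPLE_LOG)["seconds_ek_to_c2"], "s from EK landing to first C2 check-in")
```

On this capture the gap from the first Angler request to the first Andromeda POST is 48 seconds, which is the window a proxy log search should use when pivoting from an EK landing alert to the post-infection hosts. The landing heuristic will also fire on some legitimate sites with long dictionary-keyed query strings, so treat a hit as a pivot point to the PCAP rather than a verdict.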

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8 (INFO disabled)

2015-07-07 15:23:29 UTC - 79.170.40.165:80 -> 192.168.2.64:49164 - ET CURRENT EVENTS Possible Evil Redirector Leading to EK June 10 2015
2015-07-07 15:23:30 UTC - 79.170.40.165:80 -> 192.168.2.64:49164 - ET CURRENT EVENTS Possible Evil Redirector Leading to EK June 10 2015
2015-07-07 15:23:34 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M4
2015-07-07 15:23:34 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-07-07 15:23:34 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015
2015-07-07 15:23:34 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Angler EK Landing June 15 2015
2015-07-07 15:23:37 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Angler EK Landing June 15 2015
2015-07-07 15:23:37 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-07-07 15:23:37 UTC - 192.168.2.64:49211 -> 74.63.237.181:80 - ET POLICY Outdated Windows Flash Version IE
2015-07-07 15:23:37 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Possible Angler EK Flash Exploit June 16 2015 M1
2015-07-07 15:23:37 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Angler EK Flash Exploit M2
2015-07-07 15:23:40 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Possible Angler EK Payload June 16 2015 M2
2015-07-07 15:23:40 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (12)
2015-07-07 15:23:40 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (13)
2015-07-07 15:23:40 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (23)
2015-07-07 15:23:40 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (11) M2
2015-07-07 15:23:42 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Possible Angler EK Payload June 16 2015 M2
2015-07-07 15:23:45 UTC - 74.63.237.181:80 -> 192.168.2.64:49311 - ETPRO CURRENT EVENTS Possible Angler EK Payload June 16 2015 M2
2015-07-07 15:23:45 UTC - 74.63.237.181:80 -> 192.168.2.64:49311 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (24)
2015-07-07 15:23:45 UTC - 74.63.237.181:80 -> 192.168.2.64:49311 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (25)
2015-07-07 15:23:45 UTC - 74.63.237.181:80 -> 192.168.2.64:49311 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (16) M2
2015-07-07 15:23:45 UTC - 74.63.237.181:80 -> 192.168.2.64:49311 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (26)
2015-07-07 15:23:45 UTC - 74.63.237.181:80 -> 192.168.2.64:49311 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (27)
2015-07-07 15:23:47 UTC - 192.168.2.64:49315 -> 65.55.252.71:80 - ET POLICY Application Crash Report Sent to Microsoft
2015-07-07 15:24:21 UTC - 192.168.2.64:49331 -> 185.45.193.165:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-07-07 15:24:21 UTC - 192.168.2.64:49331 -> 185.45.193.165:80 - ETPRO TROJAN Andromeda/Gamarue Checkin
2015-07-07 15:24:22 UTC - 192.168.2.64:49332 -> 185.45.193.165:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-07-07 15:24:23 UTC - 192.168.2.64:49334 -> 185.45.193.165:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-07-07 15:24:23 UTC - 192.168.2.64:49334 -> 185.45.193.165:80 - ET CURRENT EVENTS Possible Dridex Campaign Download Nov 11 2014
2015-07-07 15:24:24 UTC - 185.45.193.165:80 -> 192.168.2.64:49334 - ET POLICY PE EXE or DLL Windows file download HTTP
2015-07-07 15:24:23 UTC - 192.168.2.64:49334 -> 185.45.193.165:80 - ET CURRENT EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2015-07-07 15:24:23 UTC - 192.168.2.64:49333 -> 185.45.193.165:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-07-07 15:24:23 UTC - 192.168.2.64:49333 -> 185.45.193.165:80 - ETPRO TROJAN Andromeda/Gamarue Checkin
2015-07-07 15:24:25 UTC - 192.168.2.64:49349 -> 185.45.193.165:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-07-07 15:24:25 UTC - 192.168.2.64:49349 -> 185.45.193.165:80 - ETPRO TROJAN Andromeda/Gamarue Checkin
2015-07-07 15:24:57 UTC - 192.168.2.64:49657 -> 104.18.44.10:80 - ET TROJAN Tinba Checkin 2
2015-07-07 15:25:01 UTC - 192.168.2.64:49679 -> 104.18.44.10:80 - ET TROJAN Tinba Checkin 2
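Thirty-odd alerts for one victim collapse to a short kill-chain timeline once they are keyed on (victim, peer, stage) instead of on signature name. The script below is an added example, not code from the original page or from the Emerging Threats rulesets: it parses alert lines in the "time - src:port -> dst:port - signature" format shown above, takes the RFC1918 side as the victim, maps signature wording to a stage with a keyword table that is my own assumption, and de-duplicates the repeated landing and XTEA-binary alerts. The sample input is a subset of the page's own alerts copied into a string.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample input: a subset of the Suricata/ET alert lines from this page.
SAMPLE_ALERTS = """\
2015-07-07 15:23:29 UTC - 79.170.40.165:80 -> 192.168.2.64:49164 - ET CURRENT EVENTS Possible Evil Redirector Leading to EK June 10 2015
2015-07-07 15:23:34 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M4
2015-07-07 15:23:34 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015
2015-07-07 15:23:37 UTC - 192.168.2.64:49211 -> 74.63.237.181:80 - ET POLICY Outdated Windows Flash Version IE
2015-07-07 15:23:37 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ETPRO CURRENT EVENTS Possible Angler EK Flash Exploit June 16 2015 M1
2015-07-07 15:23:40 UTC - 74.63.237.181:80 -> 192.168.2.64:49211 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (12)
2015-07-07 15:23:45 UTC - 74.63.237.181:80 -> 192.168.2.64:49311 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (24)
2015-07-07 15:23:47 UTC - 192.168.2.64:49315 -> 65.55.252.71:80 - ET POLICY Application Crash Report Sent to Microsoft
2015-07-07 15:24:21 UTC - 192.168.2.64:49331 -> 185.45.193.165:80 - ETPRO TROJAN Andromeda/Gamarue Checkin
2015-07-07 15:24:23 UTC - 192.168.2.64:49334 -> 185.45.193.165:80 - ET CURRENT EVENTS Possible Dridex Campaign Download Nov 11 2014
2015-07-07 15:24:24 UTC - 185.45.193.165:80 -> 192.168.2.64:49334 - ET POLICY PE EXE or DLL Windows file download HTTP
2015-07-07 15:24:57 UTC - 192.168.2.64:49657 -> 104.18.44.10:80 - ET TROJAN Tinba Checkin 2
"""

ALERT_RE = re.compile(r"^(\S+ \S+) UTC - (\S+):(\d+) -> (\S+):(\d+) - (.+)$")

# Signature keyword -> stage (my assumption, keyed on stage words rather than malware
# family names). More specific words come first because the list is scanned in order.
STAGE_WORDS = [
    ("Checkin", "c2_checkin"),
    ("Redirector", "redirector"),
    ("Landing", "ek_landing"),
    ("Exploit", "exploit"),
    ("encrypted binary", "ek_payload"),
    ("EK Payload", "ek_payload"),
    ("PE EXE", "exe_download"),
    ("Download", "exe_download"),
]


def stage_of(signature):
    """Map a signature name to a stage; POLICY/INFO-style noise falls through to 'other'."""
    low = signature.lower()
    for word, stage in STAGE_WORDS:
        if word.lower() in low:
            return stage
    return "other"


def parse_alert(line):
    """Parse one alert line; the RFC1918 address is the victim, the other side the peer."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, sig = m.groups()
    src_private = ipaddress.ip_address(src).is_private
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "victim": src if src_private else dst,
        "peer": dst if src_private else src,
        "direction": "out" if src_private else "in",
        "signature": sig,
        "stage": stage_of(sig),
    }


def timeline(alert_text):
    """Per victim, the ordered list of (first_ts, peer, stage) for each distinct
    (peer, stage) pair; repeated landing/XTEA alerts collapse into one entry each."""
    per_victim, seen = {}, set()
    alerts = [a for a in map(parse_alert, alert_text.splitlines()) if a]
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["stage"] == "other":
            continue
        key = (a["victim"], a["peer"], a["stage"])
        if key in seen:
            continue
        seen.add(key)
        per_victim.setdefault(a["victim"], []).append((a["ts"], a["peer"], a["stage"]))
    return per_victim


def peers_in_order(alert_text, victim):
    """External IPs the victim touched, in first-contact order, ignoring 'other' alerts."""
    out = []
    for _, peer, _ in timeline(alert_text).get(victim, []):
        if peer not in out:
            out.append(peer)
    return out


if __name__ == "__main__":
    for victim, entries in timeline(SAMPLE_ALERTS).items():
        print(victim)
        for ts, peer, stage in entries:
            print("  ", ts.time(), peer, stage)
```

Two things this view makes obvious that the raw list does not: the "Possible Dridex Campaign Download" rule fired on the same flow as the Andromeda bin.exe fetch, so a family name inside a signature is a hint to verify against the PCAP rather than an identification (which is why the table keys on stage words), and the Microsoft crash report at 15:23:47 sits right between the XTEA payload alerts and the first check-in, consistent with the exploit taking down the browser process before the dropped binary ran.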

Preliminary Malware Analysis

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.