Notes
  • Angler EK pushing Bedep click-fraud malware
  • Later in the stream of ad-fraud traffic, another Angler EK landing page was hit
  • No malware from that second hit, just the network traffic in the PCAP
PCAP and Malware

Compromised Domain and Redirect

2015-08-31 20:41:17 UTC - 23.21.241.163 - drinkallsport.com - GET /

Angler EK Traffic

2015-08-31 20:41:26 UTC - 144.76.143.121 - kindskin.princessbeverly.com - GET /boards/viewforum.php?f=1861s&sid=8q.65w425946181b77re88&
2015-08-31 20:41:35 UTC - 144.76.143.121 - kindskin.princessbeverly.com - GET /table.nxg?wall=&is=U5peWKTyq&every=&ready=aBJ_&half=&national=qURmAgBIQ&period=41CMceHloOv6rw-KNaUl0zfMF2

Post-Infection Bedep Traffic

2015-08-31 20:41:43 UTC - 96.17.232.70 - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?eda5ea6beafee1454fd5d12061f1e920
2015-08-31 20:41:44 UTC - 83.149.127.9 - odmwooyyfoysnc.com - POST /forum.php
2015-08-31 20:41:47 UTC - 83.149.127.9 - odmwooyyfoysnc.com - POST /postings.php
2015-08-31 20:42:09 UTC - 83.149.127.9 - odmwooyyfoysnc.com - POST /css.php
2015-08-31 20:43:36 UTC - 83.149.127.9 - odmwooyyfoysnc.com - POST /forum.php
2015-08-31 20:43:41 UTC - 83.149.127.9 - odmwooyyfoysnc.com - POST /widget.php
2015-08-31 20:44:43 UTC - 37.48.110.162 - j0lodbsnafz.com - GET /ads.php?sid=1923
2015-08-31 20:44:43 UTC - 95.211.156.140 - dtjqugz5wkc.com - GET /ads.php?sid=1923
2015-08-31 20:44:43 UTC - 46.45.137.77 - wmp92v9i6ndn.com - GET /ads.php?sid=1923
2015-08-31 20:44:43 UTC - 95.211.189.119 - axs25xuo8c.com - GET /ads.php?sid=1923
2015-08-31 20:44:43 UTC - 95.211.189.119 - d75a141z8no9.com - GET /ads.php?sid=1923
2015-08-31 20:44:52 UTC - 37.48.110.162 - j0lodbsnafz.com - GET /ads.php?sid=1923
2015-08-31 20:44:53 UTC - 46.45.137.77 - wmp92v9i6ndn.com - GET /ads.php?sid=1923
2015-08-31 20:44:58 UTC - 95.211.156.140 - dtjqugz5wkc.com - GET /ads.php?sid=1923
2015-08-31 20:45:01 UTC - 46.45.137.77 - wmp92v9i6ndn.com - GET /r.php?s=1ea13648eca37773b3294a16dc6e9bb8
2015-08-31 20:45:02 UTC - 37.48.110.162 - j0lodbsnafz.com - GET /r.php?s=240bacba8c4f7c969f254372206fc4ae
[Bedep click-fraud traffic begins here and Bedep C2 traffic continues]

Bonus Angler EK during Bedep Traffic

2015-08-31 20:48:23 UTC - 74.63.253.84 - motivohalstitt.instylefavors.net - GET /civis/search.php?keywords=5i&fid0=27462.5uxmyl703276937x73&
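
The listing above makes two things visible by eye: a host that only ever receives POSTs (the Bedep C2), and one identical URI fanned out to five throwaway domains in the same second once the click-fraud module starts. The following Python is an added example, written for this page and not part of the original post or any tool it mentions. It parses lines in the post's own "timestamp - ip - host - method uri" summary format and flags both patterns, then reports how long after the compromised site each one appeared. The sample input is a subset of the lines above, copied verbatim; the 10-second window and the three-host threshold are my own arbitrary choices and should be tuned to the network being watched.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a subset of the traffic summary lines above,
# copied verbatim in the "timestamp - ip - host - method uri" layout of this post.
TRAFFIC = """\
2015-08-31 20:41:17 UTC - 23.21.241.163 - drinkallsport.com - GET /
2015-08-31 20:41:26 UTC - 144.76.143.121 - kindskin.princessbeverly.com - GET /boards/viewforum.php?f=1861s&sid=8q.65w425946181b77re88&
2015-08-31 20:41:35 UTC - 144.76.143.121 - kindskin.princessbeverly.com - GET /table.nxg?wall=&is=U5peWKTyq&every=&ready=aBJ_&half=&national=qURmAgBIQ&period=41CMceHloOv6rw-KNaUl0zfMF2
2015-08-31 20:41:43 UTC - 96.17.232.70 - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?eda5ea6beafee1454fd5d12061f1e920
2015-08-31 20:41:44 UTC - 83.149.127.9 - odmwooyyfoysnc.com - POST /forum.php
2015-08-31 20:41:47 UTC - 83.149.127.9 - odmwooyyfoysnc.com - POST /postings.php
2015-08-31 20:44:43 UTC - 37.48.110.162 - j0lodbsnafz.com - GET /ads.php?sid=1923
2015-08-31 20:44:43 UTC - 95.211.156.140 - dtjqugz5wkc.com - GET /ads.php?sid=1923
2015-08-31 20:44:43 UTC - 46.45.137.77 - wmp92v9i6ndn.com - GET /ads.php?sid=1923
2015-08-31 20:44:43 UTC - 95.211.189.119 - axs25xuo8c.com - GET /ads.php?sid=1923
2015-08-31 20:44:43 UTC - 95.211.189.119 - d75a141z8no9.com - GET /ads.php?sid=1923
2015-08-31 20:45:01 UTC - 46.45.137.77 - wmp92v9i6ndn.com - GET /r.php?s=1ea13648eca37773b3294a16dc6e9bb8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - (?P<ip>[\d.]+) - "
    r"(?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S*)$"
)


def parse(text):
    """Turn summary lines into dicts with a datetime; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def post_only_hosts(rows):
    """Hosts the client only ever POSTs to. A browser fetches a page before it
    submits a form; a beaconing implant just POSTs, as the Bedep C2 above does."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["host"]].add(r["method"])
    return sorted(h for h, methods in seen.items() if methods == {"POST"})


def fanout_clusters(rows, window_s=10, min_hosts=3):
    """Identical path+query requested from at least min_hosts distinct hosts
    within window_s seconds. Thresholds are my own choice (assumption); the
    click-fraud burst above sprays one URI at five domains in the same second."""
    by_uri = defaultdict(list)
    for r in rows:
        by_uri[r["uri"]].append(r)
    clusters = []
    for uri, hits in by_uri.items():
        hits.sort(key=lambda r: r["ts"])
        for i, first in enumerate(hits):
            hosts = {h["host"] for h in hits[i:]
                     if (h["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                clusters.append({"uri": uri, "start": first["ts"], "hosts": sorted(hosts)})
                break  # one report per URI is enough
    return clusters


def infection_timeline(rows):
    """Seconds from the first request (the compromised site) to the first
    request to a POST-only host and to the first fan-out burst."""
    t0 = rows[0]["ts"]
    beacons = set(post_only_hosts(rows))
    first_post = next(r for r in rows if r["host"] in beacons)
    clusters = fanout_clusters(rows)
    return {
        "first_beacon_host": first_post["host"],
        "first_beacon_after_s": int((first_post["ts"] - t0).total_seconds()),
        "fanout_after_s": int((clusters[0]["start"] - t0).total_seconds()) if clusters else None,
    }


if __name__ == "__main__":
    rows = parse(TRAFFIC)
    print("POST-only hosts:", post_only_hosts(rows))
    for c in fanout_clusters(rows):
        print(f"{c['start']} {c['uri']} -> {len(c['hosts'])} hosts: {', '.join(c['hosts'])}")
    print(infection_timeline(rows))
```

On the sample above this reports odmwooyyfoysnc.com as the only POST-only host, a single fan-out of /ads.php?sid=1923 across five domains, and offsets of 27 seconds to the first beacon and 206 seconds to the first click-fraud burst. The fan-out check is deliberately keyed on the exact path and query rather than on the domain names, because the domains rotate while the sid value does not.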

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8 (INFO disabled)

2015-08-31 20:41:26 UTC - ETPRO CURRENT EVENTS Possible Angler EK Landing URI Struct Jul 29 M1 T2
2015-08-31 20:41:26 UTC - 192.168.40.14:49194 -> 144.76.143.121:80 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-08-31 20:41:26 UTC - 144.76.143.121:80 -> 192.168.40.14:49194 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015
2015-08-31 20:41:26 UTC - 144.76.143.121:80 -> 192.168.40.14:49197 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015 T2
2015-08-31 20:41:26 UTC - 144.76.143.121:80 -> 192.168.40.14:49194 - ETPRO CURRENT EVENTS Possible Angler EK Landing June 30 2015 M2
2015-08-31 20:41:36 UTC - 144.76.143.121:80 -> 192.168.40.14:49194 - ETPRO CURRENT EVENTS Possible Angler EK Payload June 16 2015 M2
2015-08-31 20:41:36 UTC - 144.76.143.121:80 -> 192.168.40.14:49194 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (23)
2015-08-31 20:41:36 UTC - 144.76.143.121:80 -> 192.168.40.14:49197 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (11) M2
2015-08-31 20:41:43 UTC - 144.76.143.121:80 -> 192.168.40.14:49197 - ET TROJAN Possible Bedep Connectivity Check
2015-08-31 20:41:44 UTC - 192.168.40.14:49199 -> 96.17.232.70:80 - ET TROJAN Bedep HTTP POST CnC Beacon
2015-08-31 20:41:48 UTC - 192.168.40.14:49218 -> 83.149.127.9:80 - ET TROJAN Bedep HTTP POST CnC Beacon
2015-08-31 20:41:48 UTC - 192.168.40.14:49218 -> 83.149.127.9:80 - ET TROJAN Bedep HTTP POST CnC Beacon 2
2015-08-31 20:42:09 UTC - 192.168.40.14:49218 -> 83.149.127.9:80 - ET TROJAN Bedep HTTP POST CnC Beacon
2015-08-31 20:42:09 UTC - 192.168.40.14:49218 -> 83.149.127.9:80 - ET TROJAN Bedep HTTP POST CnC Beacon 2
2015-08-31 20:43:36 UTC - 192.168.40.14:49218 -> 83.149.127.9:80 - ET TROJAN Bedep HTTP POST CnC Beacon
2015-08-31 20:43:42 UTC - 192.168.40.14:49240 -> 83.149.127.9:80 - ET TROJAN Bedep HTTP POST CnC Beacon
2015-08-31 20:44:45 UTC - 192.168.40.14:49240 -> 83.149.127.9:80 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:44:45 UTC - 192.168.40.14:49242 -> 46.45.137.77:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:44:46 UTC - 46.45.137.77:80 -> 192.168.40.14:49242 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:44:46 UTC - 192.168.40.14:49243 -> 37.48.110.162:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:44:47 UTC - 37.48.110.162:80 -> 192.168.40.14:49243 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:44:48 UTC - 192.168.40.14:49244 -> 95.211.156.140:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:44:48 UTC - 95.211.156.140:80 -> 192.168.40.14:49244 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:44:48 UTC - 192.168.40.14:49245 -> 95.211.189.119:80 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:44:48 UTC - 192.168.40.14:49241 -> 95.211.189.118:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:44:48 UTC - 95.211.189.119:80 -> 192.168.40.14:49245 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:44:55 UTC - 95.211.189.118:80 -> 192.168.40.14:49241 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:44:56 UTC - 192.168.40.14:49247 -> 46.45.137.77:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:44:56 UTC - 46.45.137.77:80 -> 192.168.40.14:49247 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:44:56 UTC - 192.168.40.14:49246 -> 37.48.110.162:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:45:01 UTC - 37.48.110.162:80 -> 192.168.40.14:49246 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:45:01 UTC - 192.168.40.14:49248 -> 95.211.156.140:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:45:58 UTC - 95.211.156.140:80 -> 192.168.40.14:49248 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:45:58 UTC - 192.168.40.14:49671 -> 95.211.189.118:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:47:00 UTC - 95.211.189.118:80 -> 192.168.40.14:49671 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:47:00 UTC - 192.168.40.14:49705 -> 37.48.110.162:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:48:02 UTC - 37.48.110.162:80 -> 192.168.40.14:49705 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:48:02 UTC - 192.168.40.14:49734 -> 95.211.189.119:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:48:05 UTC - 95.211.189.119:80 -> 192.168.40.14:49734 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:48:05 UTC - 192.168.40.14:49735 -> 46.45.137.77:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:48:09 UTC - 46.45.137.77:80 -> 192.168.40.14:49735 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:48:09 UTC - 192.168.40.14:49736 -> 95.211.156.140:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:48:18 UTC - 95.211.156.140:80 -> 192.168.40.14:49736 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:48:18 UTC - 192.168.40.14:49747 -> 95.211.189.119:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:48:24 UTC - 95.211.189.119:80 -> 192.168.40.14:49747 - ETPRO CURRENT EVENTS Possible Angler EK Landing URI Struct Jul 15 M1 T1
2015-08-31 20:48:24 UTC - 192.168.40.14:49899 -> 74.63.253.84:80 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-08-31 20:48:24 UTC - 74.63.253.84:80 -> 192.168.40.14:49899 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015
2015-08-31 20:48:24 UTC - 74.63.253.84:80 -> 192.168.40.14:49899 - ETPRO CURRENT EVENTS Possible Angler EK Landing June 30 2015 M2
2015-08-31 20:48:24 UTC - 74.63.253.84:80 -> 192.168.40.14:49899 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015 T2
2015-08-31 20:48:33 UTC - 74.63.253.84:80 -> 192.168.40.14:49899 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:48:34 UTC - 192.168.40.14:49917 -> 95.211.189.118:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:49:13 UTC - 95.211.189.118:80 -> 192.168.40.14:49917 - ETPRO TROJAN Bedep Downloading Config
2015-08-31 20:49:13 UTC - 192.168.40.14:50443 -> 95.211.156.140:80 - ETPRO TROJAN Bedep Downloading Config Server Response
2015-08-31 20:49:13 UTC - 95.211.156.140:80 -> 192.168.40.14:50443 - ETPRO TROJAN Bedep Downloading Config Server Response


If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.