Notes
  • Angler EK sending Bedep
  • No malware this time, just a PCAP and info
PCAP and Malware
Compromised Domain and Redirect

2015-11-02 19:09:22 UTC - 208.113.241.82 - www.jmmklanduselaw.com - GET /
2015-11-02 19:09:27 UTC - 188.94.248.211 - www.brauer-augenoptik.de - GET /tmp/theme-index.php

Angler EK Traffic

2015-11-02 19:09:29 UTC - 86.105.235.205 - zaz2n.cneu2sv5k.space - GET /forums/index.php?PHPSESSID=3a13&action=4l.5u148286d1sh7
2015-11-02 19:09:43 UTC - 86.105.235.205 - zaz2n.cneu2sv5k.space - GET /answer.dwt?move=&road=cUh0pG3&raise=gVrYFWU9mH&religious=&rate=zi94&student=PIRW8OuVO6&exist=&ago=cWf&mile=&fine=q1-qgeqfFL&why=jLGF

Post-Infection Bedep Traffic

2015-11-02 19:09:47 UTC - 23.214.180.145 - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?4a9d146ae194ca47a94cf71e820156bc
2015-11-02 19:09:50 UTC - 107.150.171.184 - jcxukbcdillehw.com - POST /index.php
2015-11-02 19:10:10 UTC - 107.150.171.184 - jcxukbcdillehw.com - POST /poll.php
2015-11-02 19:10:11 UTC - 107.150.171.184 - jcxukbcdillehw.com - POST /include/class_dm_groupmessage.php

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8 (INFO disabled)

2015-11-02 19:09:35 UTC - 192.168.122.89:49186 -> 86.105.235.205:80 - ETPRO CURRENT EVENTS Possible Angler EK Landing URI Struct Aug 5 M1 T1
2015-11-02 19:09:35 UTC - 86.105.235.205:80 -> 192.168.122.89:49186 - ETPRO CURRENT EVENTS Angler EK Landing June 16 2015 M5
2015-11-02 19:09:36 UTC - 86.105.235.205:80 -> 192.168.122.89:49186 - ETPRO CURRENT EVENTS Angler EK Landing June 1 2015 M2
2015-11-02 19:09:44 UTC - 86.105.235.205:80 -> 192.168.122.89:49189 - ETPRO CURRENT EVENTS Possible Angler EK Payload June 16 2015 M2
2015-11-02 19:09:44 UTC - 86.105.235.205:80 -> 192.168.122.89:49189 - ET CURRENT EVENTS Angler EK encrypted payload Oct 19 (4)
2015-11-02 19:09:47 UTC - 192.168.122.89:49190 -> 23.214.180.145:80 - ET TROJAN Possible Bedep Connectivity Check
2015-11-02 19:09:50 UTC - 192.168.122.89:49191 -> 107.150.171.184:80 - ET TROJAN Bedep HTTP POST CnC Beacon
2015-11-02 19:10:11 UTC - 192.168.122.89:49191 -> 107.150.171.184:80 - ET TROJAN Bedep HTTP POST CnC Beacon
2015-11-02 19:10:11 UTC - 192.168.122.89:49191 -> 107.150.171.184:80 - ET TROJAN Bedep HTTP POST CnC Beacon 2
2015-11-02 19:10:11 UTC - 192.168.122.89:49191 -> 107.150.171.184:80 - ET TROJAN Bedep HTTP POST CnC Beacon
2015-11-02 19:10:11 UTC - 192.168.122.89:49191 -> 107.150.171.184:80 - ET TROJAN Bedep HTTP POST CnC Beacon 2
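As an added example (not part of the original post or its PCAP), the following Python script parses request lines and Suricata alert lines in the format shown above, joins them on the server IP, and labels each request with the infection stage its destination was flagged for, so an analyst can see the compromised site, the redirect, the Angler landing, the Bedep connectivity check and the C2 beacons as one chain. The sample lines are copied from this page; the stage keywords and function names are my own assumptions.

```python
import re
# Constructed sample input: a subset of the request and alert lines from this page.
HTTP_LOG = """\
2015-11-02 19:09:22 UTC - 208.113.241.82 - www.jmmklanduselaw.com - GET /
2015-11-02 19:09:27 UTC - 188.94.248.211 - www.brauer-augenoptik.de - GET /tmp/theme-index.php
2015-11-02 19:09:29 UTC - 86.105.235.205 - zaz2n.cneu2sv5k.space - GET /forums/index.php?PHPSESSID=3a13&action=4l.5u148286d1sh7
2015-11-02 19:09:47 UTC - 23.214.180.145 - www.ecb.europa.eu - GET /stats/eurofxref/eurofxref-hist-90d.xml?4a9d146ae194ca47a94cf71e820156bc
2015-11-02 19:09:50 UTC - 107.150.171.184 - jcxukbcdillehw.com - POST /index.php
"""
IDS_LOG = """\
2015-11-02 19:09:35 UTC - 192.168.122.89:49186 -> 86.105.235.205:80 - ETPRO CURRENT EVENTS Possible Angler EK Landing URI Struct Aug 5 M1 T1
2015-11-02 19:09:47 UTC - 192.168.122.89:49190 -> 23.214.180.145:80 - ET TROJAN Possible Bedep Connectivity Check
2015-11-02 19:09:50 UTC - 192.168.122.89:49191 -> 107.150.171.184:80 - ET TROJAN Bedep HTTP POST CnC Beacon
"""

HTTP_RE = re.compile(r"^(\S+ \S+) UTC - (\S+) - (\S+) - (GET|POST) (\S+)$")
IDS_RE = re.compile(r"^(\S+ \S+) UTC - \S+ -> (\S+):\d+ - (.+)$")
# Stage labels keyed on substrings of the ET signature names seen on the page (assumed mapping).
STAGE_KEYWORDS = [
    ("Angler EK", "exploit-kit"),
    ("Connectivity Check", "post-infection-check"),
    ("CnC", "c2-beacon"),
]

def parse_http(text):
    """Return (timestamp, server_ip, host, method, path) tuples in log order."""
    return [m.groups() for m in map(HTTP_RE.match, text.splitlines()) if m]

def alerts_by_server(text):
    """Map each destination server IP to the set of signatures that fired on it."""
    out = {}
    for m in filter(None, map(IDS_RE.match, text.splitlines())):
        out.setdefault(m.group(2), set()).add(m.group(3))
    return out

def stage_for(signatures):
    """Pick the infection stage implied by the signatures, or None if nothing fired."""
    for needle, stage in STAGE_KEYWORDS:
        if any(needle in s for s in signatures):
            return stage
    return None

def infection_chain(http_text, ids_text):
    """Annotate each request's host with the stage its server IP was flagged for."""
    alerts = alerts_by_server(ids_text)
    return [(host, stage_for(alerts.get(ip, ()))) for _, ip, host, _, _ in parse_http(http_text)]

if __name__ == "__main__":
    for host, stage in infection_chain(HTTP_LOG, IDS_LOG):
        print(f"{host:30} {stage or 'no alert (compromised site / redirect?)'}")
```

Requests with no alert on their server IP are the ones IDS alone does not explain; here they are the compromised site and the redirect that precede the landing page.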

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.