Angler EK from 185.117.75.136 sends URSNIF

ASSOCIATED DOMAINS:

  • 185.93.0.33 – ip.iphistory.co.uk – EITEST GATE
  • 85.117.75.136 – keoxr.vzxtau.top – Angler EK LANDING PAGE
  • 128.183.114.107 – nssdc.gsfc.nasa.gov – Ursnif CONNECTION CHECK
  • 109.86.160.183 – andsugpointothervehicle.com – Ursnif POST INFECTION TRAFFIC
  • 188.230.73.160 – andsugpointothervehicle.com – Ursnif POST INFECTION TRAFFIC
  • 176.8.211.57 – missionsprspacemoandhar.com – Ursnif POST INFECTION TRAFFIC
IMAGES and DETAILS:

Shown above: EITEST gate redirecting, via a JavaScript “document.location” redirect, to the Angler landing page

Shown above: JavaScript redirect from the EITEST gate at ip.iphistory.co.uk

Shown above: Angler Exploit landing page

Shown above: Angler Exploit Kit metadata extracted with Flare (http://www.nowrap.de/flare.html)

Shown above: Ursnif post-infection traffic, identified by the .bin upload.

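As an added example (not part of the original write-up), the following Python reconstructs the chain described in the captions above from constructed proxy log entries, using the hosts listed in ASSOCIATED DOMAINS. The log tuple layout, client addresses and URL paths are assumptions; the point is that the connection check to a legitimate host only matters once it follows an EK landing, so stages are accepted in order per client.

```python
from urllib.parse import urlsplit

# Indicators taken from the ASSOCIATED DOMAINS list above.
GATE_HOSTS = {"ip.iphistory.co.uk"}
LANDING_HOSTS = {"keoxr.vzxtau.top"}
CHECK_HOSTS = {"nssdc.gsfc.nasa.gov"}
C2_HOSTS = {"andsugpointothervehicle.com", "missionsprspacemoandhar.com"}

# Constructed proxy log entries (client, method, host, path, referer); not real captures.
LOG = [
    ("10.0.0.5", "GET", "ip.iphistory.co.uk", "/", "-"),
    ("10.0.0.5", "GET", "keoxr.vzxtau.top", "/constructed-landing", "http://ip.iphistory.co.uk/"),
    ("10.0.0.5", "GET", "nssdc.gsfc.nasa.gov", "/", "-"),
    ("10.0.0.5", "POST", "andsugpointothervehicle.com", "/constructed/upload.bin", "-"),
    ("10.0.0.9", "GET", "nssdc.gsfc.nasa.gov", "/", "-"),  # ordinary visit, no EK beforehand
]

# Expected order of the chain: gate -> EK landing -> connection check -> .bin upload.
ORDER = ["gate", "landing", "check", "post_infection"]


def classify(entry):
    """Map one log entry to a chain stage, or None if it matches no indicator."""
    client, method, host, path, referer = entry
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    if host in GATE_HOSTS:
        return "gate"
    if host in LANDING_HOSTS and ref_host in GATE_HOSTS:  # landing reached via the gate
        return "landing"
    if host in CHECK_HOSTS:
        return "check"
    if host in C2_HOSTS and method == "POST" and path.endswith(".bin"):
        return "post_infection"
    return None


def reconstruct_chains(log):
    """Return {client: [stages]} where a stage is kept only if it is the next expected one."""
    chains = {}
    for entry in log:
        stage = classify(entry)
        if stage is None:
            continue
        seen = chains.setdefault(entry[0], [])
        if len(seen) < len(ORDER) and ORDER[len(seen)] == stage:
            seen.append(stage)
    return chains


def infected_clients(log):
    """Clients whose traffic completed the whole chain."""
    return sorted(c for c, stages in reconstruct_chains(log).items() if stages == ORDER)
```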
MALICIOUS PAYLOAD SENT BY ANGLER EK: