2014-02-26 - ANGLER EK DELIVERS GRAFTOR/ZBOT VARIANT

ASSOCIATED FILES:

NOTES:

This is a good summary of Angler EK using a Silverlight exploit as early as Nov 2013:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC


PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-02-26-Angler-EK-silverlight-exploit.xap
File size:  53.0 KB ( 54292 bytes )
MD5 hash:  54437862cb93c253e97f7b653917384e
Detection ratio:  0 / 50
First submission:  2014-02-25 01:01:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/9cd9503a50bc010aa247e2e6409e413d90a9a50fdd6ecd1f795f15e5b5951cce/analysis/


MALWARE PAYLOAD

File name:  fegyko.exe
File size:  331.0 KB ( 338944 bytes )
MD5 hash:  0e1baf2546a3cd0544e333715d95ab3d
Detection ratio:  14 / 50
First submission:  2014-02-26 03:50:33 UTC
VirusTotal link: https://www.virustotal.com/en/file/72fc35a8f1b3f5a279e5d2843da304bd670f2885adbac5444110a935c01b62e6/analysis/
Malwr link: https://malwr.com/analysis/YTFhNWVlNDg3YmMxNGNlNGIyNGNhYjYyMWViOWY0Nzk/


This is the malware payload after it copied itself to a folder
named Xeoram in the AppData\Roaming\ directory.


SNORT EVENTS

SNORT EVENTS FOR THE ANGLER EK TRAFFIC (FROM SECURITY ONION)


HIGHLIGHTS FROM THE TRAFFIC

The infected web page - kaplanbenefits.com/balanced/index.html


Successful redirect - www.deacomunicazione.it/distincter/retorted.js


Angler EK delivers Silverlight exploit - northerningredients.com/cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt


Angler EK delivers EXE payload, XOR-ed with the ASCII string: adb234nh
    northerningredients.com/KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6


Angler EK delivers the same EXE payload again, XOR-ed with the ASCII string: aldonjfg
    northerningredients.com/EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFe

NOTE: When I tried XOR-ing both versions of the file from the PCAP, they both had the same MD5 hash, but it was different than the hash for a file named fegkyo.exe in the AppData\Roaming\Xeoram folder.  Fegkyo.exe is the exact same size as the files from the PCAP, and it's presumably a copy of the properly deobfuscated malware payload.  When I sent the deobfuscated files I extracted from the PCAP to Virus Total and Malwr, they were marked as corrupt.
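As an added example (not code from the original post), here is a small Python routine for reversing the repeating-key XOR described above and checking whether the result is actually a PE file, which is the quickest way to tell a correctly decoded payload from one that VirusTotal or Malwr would flag as corrupt. The two key strings are the ones quoted above; the sample PE bytes are constructed for the demonstration.

```python
import struct


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and deobfuscates."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for a decoded payload: 'MZ' DOS header and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes, key: str) -> bytes:
    """Decode an Angler-style XOR-ed EXE and verify that it really is a PE file."""
    decoded = xor_with_key(blob, key.encode("ascii"))
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not a PE file: wrong key or truncated capture")
    return decoded


# Constructed stand-in for a PE file: a minimal DOS header whose e_lfanew points at
# a PE signature at offset 0x40, followed by some filler bytes.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 16

# The two XOR keys quoted in the post.
KEYS = ["adb234nh", "aldonjfg"]

if __name__ == "__main__":
    for key in KEYS:
        obfuscated = xor_with_key(SAMPLE_PE, key.encode("ascii"))
        assert obfuscated[:2] != b"MZ"          # header is hidden on the wire
        assert decode_payload(obfuscated, key) == SAMPLE_PE
    print("both keys round-trip and the decoded sample validates as a PE file")
```

To apply this to a real capture, carve the HTTP response body for each payload URL out of the PCAP and pass it to decode_payload with the matching key; a ValueError means either the wrong key or an incomplete carve.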


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
