2014-03-23 - ANGLER EK USES FLASH EXPLOIT

ASSOCIATED FILES:

NOTE: I found this traffic while searching for URLs containing /zyso.cgi? that I'd only seen used by Goon/Infinity EK until now.

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-03-23-Angler-EK-flash-exploit
File size:  72.6 KB ( 74311 bytes )
MD5 hash:  cc9a1052ea161719e32cff23bd1575c7
Detection ratio:  0 / 51
First submission:  2014-03-23 04:43:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2ce5d65f759c9b9d7a2e256fc9e7aa47d1c77310f072a0df4ded7e2afcb8269c/analysis/

MALWARE PAYLOAD

File name:  2014-03-23-Angler-EK-malware-payload.exe
File size:  120.0 KB ( 122881 bytes )
MD5 hash:  67be52acf9f29f0066a6aa1f57e88d58
Detection ratio:  7 / 51
First submission:  2014-03-23 04:43:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/324b352fb2bff99f4c8cd5064c36f4fcb0938fd070e9708f17723c4e6e6eeb19/analysis/
Malwr link:  https://malwr.com/analysis/Yjg2NTcxMGI1YjI4NDVkOGIyZGEyZmNkMzdhYzE2MzY/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Redirect - 66.96.195.49/zyso.cgi?16

Angler EK landing page - e1xguj.makeuhndall.info/ltsavskyc7

Angler EK delivers Flash exploit - e1xguj.makeuhndall.info/TU1Sha1WTi0OHBuDoBTk0GKrdH_lBYiPOqk6g0MQgzeRF4Id

Flash exploit delivers EXE payload - e1xguj.makeuhndall.info/DAcrgF9nqzYoH8UTS9lwy3DTpt5MnBJ9xTMueFlcxaAE7y-s


NOTE: This malware payload was XOR-ed with the ASCII string: laspfnfd
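The following script is an added example, not part of the original post, showing how to strip a repeating-key XOR like the one above and how to recover the key when it is not known: slide a known plaintext (the DOS stub text that nearly every PE carries) across the blob, derive a candidate key at each offset, and accept it only if the decoded file starts with "MZ" and reproduces the whole known string. The sample blob is constructed here from a minimal DOS header XOR-ed with "laspfnfd" so the script runs offline; the file names in the usage section are placeholders.

```python
"""Decode a repeating-key XOR'ed EXE payload and recover the key by known plaintext.

Added example (not the original post's code). The payload on this page was
XOR-ed with the ASCII string "laspfnfd"; the blob built below is a constructed
stand-in for it, not the real sample.
"""
from itertools import cycle
from typing import Optional

# Known plaintext present in the DOS stub of nearly every PE file.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against key repeated; XOR is its own inverse, so this encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, known: bytes, keylen: int) -> Optional[bytes]:
    """Known-plaintext attack for a fixed key length.

    For each offset where `known` could sit, derive the key from the first
    `keylen` known bytes (aligned so key[0] lines up with file offset 0) and
    keep it only if decoding yields 'MZ' at offset 0 and the full known
    string at that offset.
    """
    if len(known) < keylen:
        raise ValueError("known plaintext must be at least one key length long")
    for off in range(len(blob) - len(known) + 1):
        key = bytearray(keylen)
        for i in range(keylen):
            key[(off + i) % keylen] = blob[off + i] ^ known[i]
        dec = xor_repeating(blob, bytes(key))
        if dec[:2] == b"MZ" and dec[off:off + len(known)] == known:
            return bytes(key)
    return None


def recover_key_any_length(blob: bytes, known: bytes = DOS_STUB_TEXT,
                           max_len: int = 16) -> Optional[bytes]:
    """Try key lengths 1..max_len; the first hit is the shortest period of the key."""
    for keylen in range(1, max_len + 1):
        key = recover_key(blob, known, keylen)
        if key is not None:
            return key
    return None


def build_sample_payload(key: bytes) -> bytes:
    """Constructed stand-in: 'MZ' header, DOS stub text at 0x4E, then filler bytes."""
    header = b"MZ" + b"\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"  # 14 bytes
    plain = header + b"\x00" * (0x4E - len(header)) + DOS_STUB_TEXT + b"\r\n$" + b"\xcc" * 64
    return xor_repeating(plain, key)


def decode_file(src_path: str, dst_path: str, key: Optional[bytes] = None) -> bytes:
    """Decode a captured blob on disk; recover the key first if none is given."""
    with open(src_path, "rb") as f:
        blob = f.read()
    if key is None:
        key = recover_key_any_length(blob)
        if key is None:
            raise ValueError("could not recover an XOR key from the DOS stub text")
    dec = xor_repeating(blob, key)
    with open(dst_path, "wb") as f:
        f.write(dec)
    return key


if __name__ == "__main__":
    blob = build_sample_payload(b"laspfnfd")
    key = recover_key_any_length(blob)
    print("recovered key:", key)                      # b'laspfnfd'
    print("decoded header:", xor_repeating(blob, key)[:2])  # b'MZ'
    # Real use (placeholder file names, not from the post):
    # decode_file("captured-payload.bin", "decoded.exe")
```

Because every repetition of an 8-byte key also passes the check with lengths 16, 24 and so on, the search starts from length 1 and stops at the first hit, which is the true period. The check against the whole stub string, not just "MZ", is what keeps a 2-byte accidental match from being accepted as a key.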

Post-infection callback traffic - receiveoffset.cc/common/man.php

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.