2014-04-22 - ANGLER EK FROM 69.39.239.233 (TRI-CITYDRYWALL.COM) AND 23.110.194.99 (PARTICLEHERO.COM)

ASSOCIATED FILES:

ASSOCIATED DOMAINS:

NOTES:

 

INFECTION TRAFFIC

VM configuration:  Windows 7 32-bit SP1, IE 8, Java 6 update 25, Flash 11.8.800.94, Silverlight 4.0.60531.0
Result:  Malware payload delivered, probably through an MSIE exploit.  Silverlight exploit sent after the malware was delivered.
NOTE:  malware payload obfuscated - XOR-ed with ASCII string: adb234nh

Sguil events from Security Onion:

 

VM configuration:  Windows 7 64-bit SP1, IE 10, Java 7 update 13, Flash 12.0.0.38, Silverlight 5.1.10411.0
Result:  Malware payload delivered after EK sent Flash and Silverlight exploits
NOTE:  malware payload obfuscated - XOR-ed with ASCII string: aldonjfg

Sguil events from Security Onion:

 

VM configuration:  Windows 7 64-bit SP1, IE 10, Java 7 update 17, Silverlight 5.1.10411.0
Result:  Flash exploit was still sent, even though I uninstalled Flash before the exploit traffic.  Silverlight exploit delivered the malware.
NOTE:  DLL payload obfuscated - XOR-ed with ASCII string: aldonjfg

Sguil events from Security Onion:

 

VM configuration:  Windows 7 64-bit SP1, IE 10, Java 7 update 21
Result:  Flash exploit was still sent, even though I uninstalled Flash before the exploit traffic.  Java exploit delivered the malware.
NOTE:  DLL payload obfuscated - XOR-ed with ASCII string: 01hdutnf

Sguil events from Security Onion:

 
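All four infection chains above hide the payload the same way: the DLL is XOR-ed with a repeating 8-character ASCII key (adb234nh, aldonjfg, 01hdutnf).  The following is an added example, not code from the original post, showing how to undo that obfuscation and how the key can be recovered when it is not already known.  It assumes the decoded payload is a PE file whose DOS header starts with the usual `MZ\x90\x00\x03\x00\x00\x00` bytes (a typical, not guaranteed, prefix), and the "encoded payload" it works on is constructed inline from a fake PE header rather than taken from the capture.

```python
"""Repeating-key XOR as used by Angler EK in this capture to hide its payload.

Added example, not from the original post.  It reconstructs the decoding step
from the NOTE lines above (payload XOR-ed with an 8-character ASCII key such
as adb234nh or aldonjfg).  The sample "encoded payload" below is constructed
here from a fake PE header, not taken from the actual capture.
"""
from itertools import cycle

# First 8 bytes of a typical PE/DOS header: 'MZ' magic, e_cblp=0x90, e_cp=3.
# Assumption for the key-recovery trick: Angler payloads were PE files, so
# this prefix is a plausible known plaintext (most, not all, PEs have it).
KNOWN_PE_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated; XOR is its own inverse, so this
    both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(encoded: bytes, key_len: int,
                known: bytes = KNOWN_PE_PREFIX) -> bytes:
    """Known-plaintext key recovery: key[i] = encoded[i] ^ known[i].

    Works when the key is no longer than the known prefix (8 bytes here,
    matching the keys seen in this capture)."""
    if key_len > len(known) or len(encoded) < key_len:
        raise ValueError("need key_len bytes of both ciphertext and known plaintext")
    return bytes(e ^ p for e, p in zip(encoded[:key_len], known[:key_len]))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a candidate decode: 'MZ' magic plus the PE\\0\\0
    signature at the offset stored in e_lfanew (DOS header offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed sample: minimal DOS header + PE signature, no real code."""
    hdr = bytearray(0x80)
    hdr[:len(KNOWN_PE_PREFIX)] = KNOWN_PE_PREFIX
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * 16


if __name__ == "__main__":
    # Simulate what the EK sends: the PE XOR-ed with one of the observed keys.
    wire_bytes = xor_repeating(build_fake_pe(), b"adb234nh")
    key = recover_key(wire_bytes, 8)
    decoded = xor_repeating(wire_bytes, key)
    print("recovered key:", key.decode("ascii"))
    print("decoded looks like PE:", looks_like_pe(decoded))
```

In practice you would feed `recover_key` the first bytes of the HTTP response body carved from the pcap, then run `xor_repeating` over the whole body and confirm with `looks_like_pe` before trusting the result; if the check fails, the payload prefix differs from the assumed one or the key length is not 8.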

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-04-22-Angler-EK-Silverlight-exploit.xap
File size:  51.6 KB ( 52820 bytes )
MD5 hash:  44ea0f167b5e3e81e533139b753ee8e2
Detection ratio:  1 / 51
First submission:  2014-04-22 05:17:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/295c9332ac8d5532560903b56dc8ee33421db10c1f641c1cf0b4ad2d2a028765/analysis/

 

JAVA EXPLOIT

File name:  2014-04-22-Angler-EK-Java-exploit.jar
File size:  26.2 KB ( 26840 bytes )
MD5 hash:  3de78737b728811af38ea780de5f5ed7
Detection ratio:  13 / 51
First submission:  2014-04-21 21:58:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d7521565cdfe6aec509d09ffd691216b65d99c1688a9ec55cb620db5ddfbae95/analysis/

 

FLASH EXPLOIT

File name:  2014-04-22-Angler-EK-Flash-exploit.swf
File size:  40.4 KB ( 41331 bytes )
MD5 hash:  9d4b26217feda05dbe29766a7eb0a4f1
Detection ratio:  0 / 51
First submission:  2014-04-22 05:17:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/efa83cd3e85fdac271108fcb97ad3396179a542ed61a694d874d516701dadfa0/analysis/

FLASH EXPLOIT UNCOMPRESSED

File name:  2014-04-22-Angler-EK-Flash-exploit-uncompressed.swf
File size:  71.6 KB ( 73280 bytes )
MD5 hash:  eb3ae1d4f0ffc637997ebc9febc81d37
Detection ratio:  0 / 51
First submission:  2014-04-22 05:21:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/25f9c5e2a385843c34d5c974939a0342a7395b723f1322e26a990bf5355282de/analysis/

 

MALWARE PAYLOAD

File name:  2014-04-22-Angler-EK-malware-payload.dll
File size:  182.1 KB ( 186449 bytes )
MD5 hash:  3f2d9ce22236e200e2aa0cf070fa1cf7
Detection ratio:  5 / 50
First submission:  2014-04-22 04:59:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/be04f69a7bec4664c1470639e2b1f48c17761cc17b6a139f097cd64bdc6896e0/analysis/
Malwr link:  https://malwr.com/analysis/MzhiZThiMDU0MzQ2NGFhMTk1Y2Q4ZTRjMTMxNmNkNWQ/

 

OTHER NOTES

I stumbled onto the redirects to Angler EK when looking through urlquery.net.  Once I realized what I had, I searched for the IP address on urlquery.net and found the following:

 

The redirects are both javascript URLs.  I tried going to one of the domains directly and got a file to download:

 

A quick check shows it's a script with an iframe:

 

I downloaded the files, changed the file extension to HTML, and opened them in the VM.  The script changes periodically--about every 10 minutes, I think.  You only get one try--after you do this once, you'll get an empty file if you try again.  I had to proxy through different IP addresses to get the four infection chains for this blog entry.

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.