2014-04-28 - ANGLER EK FROM 85.10.220.153 (FUMINEXYVEQCCS.COM and SKWOSH.EU)

ASSOCIATED FILES:

NOTES:

INFECTION TRAFFIC

ASSOCIATED DOMAINS

ANGLER EK USING A FLASH EXPLOIT:

Snort events from Security Onion:

ANGLER EK USING A JAVA EXPLOIT:

Snort events from Security Onion:

ANGLER EK USING A SILVERLIGHT EXPLOIT:

Snort events from Security Onion:

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-04-28-Angler-EK-silverlight-exploit.xap
File size:  51.9 KB ( 53132 bytes )
MD5 hash:  c1e4e012316e52508bb03eab7f8ee581
Detection ratio:  0 / 49
First submission:  2014-04-28 05:37:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1a238d452f3a5dbe6a6fa98f0e84146755a0ac7133e4315ee895b2797b68170d/analysis/

JAVA EXPLOIT (same as seen on 2014-04-22)

File name:  2014-04-28-Angler-EK-java-exploit.jar
File size:  26.2 KB ( 26840 bytes )
MD5 hash:  3de78737b728811af38ea780de5f5ed7
Detection ratio:  15 / 51
First submission:  2014-04-21 21:58:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d7521565cdfe6aec509d09ffd691216b65d99c1688a9ec55cb620db5ddfbae95/analysis/

FLASH EXPLOIT

File name:  2014-04-28-Angler-EK-flash-exploit.swf
File size:  72.8 KB ( 74579 bytes )
MD5 hash:  237a3fc1b59b79514c475adeca943556
Detection ratio:  0 / 51
First submission:  2014-04-28 04:22:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e07dc85732b5ef81d7640ad4b36bcb64344e3fa30719620afedd70cace9b5823/analysis/

FLASH EXPLOIT UNCOMPRESSED

File name:  2014-04-28-Angler-EK-flash-exploit-uncompressed.swf
File size:  96.1 KB ( 98449 bytes )
MD5 hash:  ef398b172e1598c71121ebc65d77cf46
Detection ratio:  0 / 50
First submission:  2014-04-28 06:05:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2ed559d33578421e1d86e828d224e617ca3772c9c5b81e08db992ecabd852003/analysis

MALWARE PAYLOAD

File name:  2014-04-28-Angler-EK-malware-payload.dll
File size:  476.0 KB ( 487424 bytes )
MD5 hash:  013df9039ca8026e43c817c5cc182246
Detection ratio:  10 / 51
First submission:  2014-04-28 05:36:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/056355fc687789a621e54c75262213753ed1c4c192e4bf313bd5c797df3670ba/analysis/

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.