2014-04-29 - ANGLER EK FROM 66.96.246.151 - UGWPC.BIMOWAMOKYKPPS.NET

ASSOCIATED FILES:

NOTES:

Earlier this month on 2014-04-10, this same compromised website generated Nuclear EK traffic.  Today, it's Angler EK.  Here's the Angler EK traffic I've seen so far:

NOTE: Items marked [!] include other prefixes for the domain name.

CHAIN OF EVENTS

ASSOCIATED DOMAINS

COMPROMISED WEBSITE

REDIRECT CHAIN

ANGLER EK

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-04-29-Angler-EK-silverlight-exploit.xap
File size:  51.8 KB ( 52994 bytes )
MD5 hash:  8c1b2cda4994e251be81ce8f50369e8a
Detection ratio:  0 / 51
First submission:  2014-04-29 02:22:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2927c0dd524e69c5aa332096d4cb597ad872d3c2b84c5389564997469715c1c2/analysis/

FLASH EXPLOIT

File name:  2014-04-29-Angler-EK-Flash-exploit.swf
File size:  40.4 KB ( 41335 bytes )
MD5 hash:  37401c46cf15d1747aa66c10f8f046e9
Detection ratio:  1 / 50
First submission:  2014-04-29 02:24:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a7dfd5ae6ae8efec45cf4b0459396994145226ba3828a93f43a13c76257c8147/analysis/

FLASH EXPLOIT UNCOMPRESSED

File name:  2014-04-29-Angler-EK-Flash-exploit-uncompressed.swf
File size:  71.5 KB ( 73264 bytes )
MD5 hash:  535a30968484ee63d8c890f20b237a27
Detection ratio:  1 / 50
First submission:  2014-04-29 02:24:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c8d254bde552246ae30a90c5075253ca26e0b1fd6ea41cf47891d380bfcfb256/analysis/

MALWARE PAYLOAD

File name:  2014-04-28-Angler-EK-malware-payload.dll
File size:  71.5 KB ( 73216 bytes )
MD5 hash:  58b9821f8667741e816416500dd60e79
Detection ratio:  2 / 51
First submission:  2014-04-29 02:25:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/97df15ec81b84b03b1cf8b3bd4ecae4d84ebffd1f538772e2cb47ffe364b0bd3/analysis/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

JavaScript from index page of infected website:

Redirect:

Angler EK delivers Flash exploit:

Angler EK delivers Silverlight exploit:

Silverlight exploit delivers malware payload:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
