2014-05-04 - ANGLER EK FROM 209.159.153.186 - THREE.MDFCKEL.BIZ

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

FIRST EXAMPLE: ANGLER EK - GLUPTEBA PAYLOAD

SECOND EXAMPLE: ANGLER EK - BLOCRYPT PAYLOAD

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-05-04-Angler-EK-flash-exploit.swf
File size:  41.3 KB ( 42338 bytes )
MD5 hash:  ad199ca7aced985667a5d4d8fe3f602a
Detection ratio:  3 / 52
First submission:  2014-05-02 15:36:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ef18d21e51863e2de4c27327c50c6ccde6ba6aee28bfcc0b768c6dfde0652c70/analysis/

File name:  2014-05-04-Angler-EK-flash-exploit-uncompressed.swf
File size:  70.0 KB ( 71657 bytes )
MD5 hash:  a47877b092e6b18ca3b09aaaf1070b57
Detection ratio:  2 / 52
First submission:  2014-05-05 03:17:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0cf82d9d581b9c32a42069ab1cd97edaa92a90e069735845d6204b05a2d0fd37/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-05-04-Angler-EK-silverlight-exploit.xap
File size:  51.4 KB ( 52655 bytes )
MD5 hash:  255df5955eefb9df86974da8c9fcb35b
Detection ratio:  2 / 52
First submission:  2014-05-05 03:18:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c445ce05db65eed21a4790f9c9951777e36cfa202d3f1c597ad7f5d643906626/analysis/

MALWARE PAYLOAD: GLUPTEBA

File name:  2014-05-04-Angler-EK-malware-payload-01.exe
File size:  75.3 KB ( 77105 bytes )
MD5 hash:  76b839eae030b2b920eb31be0e44399b
Detection ratio:  7 / 51
First submission:  2014-05-05 02:17:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e41bd5e64c3617876fe1ac9d7dcb3079a6a64b6ca6a260257f4992d8c79f7a3b/analysis/

Registry key changed:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name:  Google Update
Value:  C:\Users\User-1\AppData\Local\Google\Update\gupdate.exe /app 2B42CDC8B1EDBFEC23AA442F8F7EF3D9
Name:  NvUpdService
Value:  C:\Users\User-1\AppData\Local\NVIDIA Corporation\Update\daemonupd.exe /app 2B42CDC8B1EDBFEC23AA442F8F7EF3D9
NOTE: Both of these EXE files have the same hash: they are the same piece of malware.

File name:  2014-05-04-Angler-EK-dropped-malware-01.exe
File size:  126.0 KB ( 129024 bytes )
MD5 hash:  d83665e11921a3e0525e1d4d9e1d04f1
Detection ratio:  3 / 51
First submission:  2014-05-04 13:30:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ec6ef3dc932ca1e74a18b4edb214e128ca59beba5ec0f2eec8957399c31ebd38/analysis/

MALWARE PAYLOAD: BLOCRYPT

File name:  2014-05-04-Angler-EK-malware-payload-02.exe
File size:  149.5 KB ( 153088 bytes )
MD5 hash:  4ba6b80b42f487492afd12b98de7903c
Detection ratio:  4 / 51
First submission:  2014-05-05 02:17:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/32a9fa746519d36dc58717cf111e7ea8d993093ea7100cd8d5cbb881e7351656/analysis/

Registry key changed:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name:  CryptoUpdate
Value:  C:\Windows\system32\rundll32.exe "C:\Users\User-1\AppData\Roaming\Microsoft\Crypto\RSA\cert_v44_1.tpl",Crypt

File name:  2014-05-04-Angler-EK-dropped-malware-02.dll
File size:  103.0 KB ( 105472 bytes )
MD5 hash:  ca2aaeca0a13cd503a2d495da27637ad
Detection ratio:  6 / 52
First submission:  2014-04-05 08:56:34 UTC (first submitted over 4 weeks ago)
VirusTotal link:  https://www.virustotal.com/en/file/71905f51226e9e1436776a3c2445a241550febf8c46d896f22d60afb73bb00de/analysis/

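The two persistence mechanisms listed above share traits worth checking for in any dump of HKCU Run values: the Glupteba pair points two vendor-sounding names (Google Update, NvUpdService) at byte-identical executables under AppData\Local, and the Blocrypt entry has rundll32.exe load a file with a .tpl extension from AppData\Roaming and call its Crypt export. The following Python is an added example for this page, not code from the original post or from any tool it mentions. It parses a constructed list of Run-key entries modelled on the values shown here, flags targets that live under the user profile and rundll32 modules that are not DLLs, and groups entries whose targets share a hash. The path-to-hash map is constructed to reproduce the note that both Glupteba EXEs are the same file; the function names and the benign OneDrive entry are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample of HKCU\...\Run values. The first three mirror the persistence
# entries listed on this page (Glupteba and Blocrypt); the fourth is a constructed
# benign entry for contrast.
SAMPLE_RUN_ENTRIES = [
    ("Google Update",
     r"C:\Users\User-1\AppData\Local\Google\Update\gupdate.exe /app 2B42CDC8B1EDBFEC23AA442F8F7EF3D9"),
    ("NvUpdService",
     r"C:\Users\User-1\AppData\Local\NVIDIA Corporation\Update\daemonupd.exe /app 2B42CDC8B1EDBFEC23AA442F8F7EF3D9"),
    ("CryptoUpdate",
     r'C:\Windows\system32\rundll32.exe "C:\Users\User-1\AppData\Roaming\Microsoft\Crypto\RSA\cert_v44_1.tpl",Crypt'),
    ("OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

# Constructed path -> MD5 map standing in for hashing the files on disk. Both
# Glupteba paths carry the hash the page lists for dropped-malware-01.exe.
SAMPLE_FILE_HASHES = {
    r"C:\Users\User-1\AppData\Local\Google\Update\gupdate.exe": "d83665e11921a3e0525e1d4d9e1d04f1",
    r"C:\Users\User-1\AppData\Local\NVIDIA Corporation\Update\daemonupd.exe": "d83665e11921a3e0525e1d4d9e1d04f1",
}

USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
UNQUOTED_EXE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)


def split_command(value):
    """Split a Run-key command line into (program, arguments), honouring quotes.
    An unquoted path containing spaces is cut at the first '.exe' token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip()
    m = UNQUOTED_EXE.match(value)
    if m:
        return m.group(1), value[m.end(1):].strip()
    head, _, tail = value.partition(" ")
    return head, tail.strip()


def parse_rundll32_args(args):
    """Return (module_path, export) from rundll32 arguments of the form
    <path>,<Export> or "<path with spaces>",<Export>."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        module, rest = args[1:end], args[end + 1:]
    else:
        module, sep, rest = args.partition(",")
        rest = sep + rest
    export = rest.lstrip(", ").split()[0] if rest.strip(", ") else ""
    return module, export


def analyze_run_entry(name, value):
    """Return the reasons an autorun entry looks like malware persistence (empty if none)."""
    program, args = split_command(value)
    reasons = []
    if USER_WRITABLE.search(program):
        reasons.append("autorun target lives under the user profile (AppData)")
    if program.lower().endswith("rundll32.exe"):
        module, export = parse_rundll32_args(args)
        if USER_WRITABLE.search(module):
            reasons.append("rundll32 loads a module from AppData")
        if not module.lower().endswith(".dll"):
            reasons.append("rundll32 module has a non-DLL extension: " + module.rsplit("\\", 1)[-1])
    return reasons


def duplicate_targets(entries, file_hashes):
    """Group entry names whose target executables share one hash, i.e. the same
    file registered twice under different names, as with the Glupteba pair."""
    by_hash = defaultdict(list)
    for name, value in entries:
        program, _ = split_command(value)
        h = file_hashes.get(program)
        if h:
            by_hash[h].append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def scan(entries=SAMPLE_RUN_ENTRIES, file_hashes=SAMPLE_FILE_HASHES):
    """Return (flagged entries -> reasons, hash -> names of entries sharing that hash)."""
    flagged = {name: analyze_run_entry(name, value) for name, value in entries}
    return {n: r for n, r in flagged.items() if r}, duplicate_targets(entries, file_hashes)


if __name__ == "__main__":
    flagged, dupes = scan()
    for name, reasons in flagged.items():
        print(f"[!] {name}")
        for r in reasons:
            print("    -", r)
    for h, names in dupes.items():
        print(f"[!] same file hash {h} behind entries: {', '.join(names)}")
```

A per-user path under AppData is not proof of malice on its own (some legitimate per-user installers put their updater there), which is why the example combines that signal with the non-DLL rundll32 module and with the duplicate-hash check; on a live host the hash map would come from hashing each resolved target path.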
SNORT EVENTS

SNORT EVENTS FOR ANGLER EK - GLUPTEBA PAYLOAD (from Sguil on Security Onion):

SNORT EVENTS FOR ANGLER EK - BLOCRYPT PAYLOAD:

HIGHLIGHTS FROM THE TRAFFIC

2014-05-04-Angler-EK-traffic-01.pcap - Glupteba checkin:

2014-05-04-Angler-EK-traffic-01.pcap - Glupteba traffic on TCP port 444:

2014-05-04-Angler-EK-traffic-01.pcap - Click fraud style traffic seen with Glupteba payload:

2014-05-04-Angler-EK-traffic-02.pcap - Some of the Blocrypt traffic on TCP port 777:

2014-05-04-Angler-EK-traffic-02.pcap - Click fraud style traffic seen with Blocrypt payload:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
