2014-05-07 - 32X32 CHARACTER GATES AND ANGLER EK

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

COMPROMISED WEBSITE AND 32X32 CHARACTER REDIRECT:

ANGLER EK:

TRAFFIC FROM SANDBOX ANALYSIS OF THE EXE PAYLOAD:


PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT (CREATED/MODIFIED 2014-05-06)

File name: 2014-05-07-Angler-EK-silverlight-exploit.xap
File size: 51.8 KB (53056 bytes)
MD5 hash: 861f46df5b24bbc2c7369c8aaa666aeb
Detection ratio: 0 / 52
First submission: 2014-05-07 20:57:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/95cc56245e7ba5c4ed803060c71b2bc8e48dee54de56ed7f43a069a345a9cbcd/analysis/


FLASH EXPLOIT

File name: 2014-05-07-Angler-EK-flash-exploit.swf
File size: 41.5 KB (42513 bytes)
MD5 hash: e9f0b5be4e7125f0256085fe0415ee85
Detection ratio: 2 / 52
First submission: 2014-05-08 01:16:54 UTC
VirusTotal link: https://www.virustotal.com/en/file/3d81cb8c0d8cd1c888ed425ec6bf4be7a0fc8057c97092af374630e1579458b3/analysis/

File name: 2014-05-07-Angler-EK-flash-exploit-uncompressed.swf
File size: 70.2 KB (71888 bytes)
MD5 hash: beb148c4f812c2880d6afb025c410994
Detection ratio: 2 / 52
First submission: 2014-05-08 01:17:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/86d69288a18ebf2b1a04f0fb1ab404768fabc1935ab7792e163432fb35d351a6/analysis/


MALWARE PAYLOAD (SAVED AS A DLL IN THE USER'S APPDATA\LOCAL\TEMP FOLDER)

File name: 2014-05-07-Angler-EK-malware-pyaload.exe
File size: 62.9 KB (64360 bytes)
MD5 hash: 1e502579936d80f217bf77ee765924a3
Detection ratio: 6 / 52
First submission: 2014-05-08 01:10:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/06a428dd5a543e67f25b02ccd7efa77d8f2cd7fe67bbfe2184d2023b16aa152c/analysis/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


SCREENSHOTS FROM THE TRAFFIC

If you visit the site and the gate is suspicious of you (for whatever reason), the page will not include the malicious code:


Here's what the malicious script looked like for my pop-up window/redirect:


Here's what it looked like in the browser:


The redirect traffic after clicking one of the buttons:


In this case, Angler EK first delivered the Flash exploit:


Then it delivered the Silverlight exploit:


In the same TCP stream as the Silverlight exploit, we see the malware payload. It was stored in the


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
