2014-05-13 - 32X32 GATE TO ANGLER EK ON 173.212.223.243 - ONE.FDSFGSGDVSD.BIZ

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND 32X32 GATE:

ANGLER EK:


PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-05-13-Angler-EK-silverlight-exploit.xap
File size:  51.9 KB ( 53163 bytes )
MD5 hash:  92d26a791808a3b25e5fe05a78d3197d
Detection ratio:  0 / 52
First submission:  2014-05-13 14:13:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a9a929587651a369dfab7648437fdc0125b3db6abf6a49a43fbdd80acd26fb69/analysis/


MALWARE PAYLOAD

File name:  2014-05-13-Angler-EK-malware-payload.exe
File size:  103.0 KB ( 105472 bytes )
MD5 hash:  572218d0be643ced6f2e83c619a62277
Detection ratio:  1 / 49
First submission:  2014-05-13 14:12:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d35740d437eb413ffff33ef0b6fd98c1d7ddc4157b716f15f2c3ba25b467bbdf/analysis/
Malwr link:  https://malwr.com/analysis/ZGZmODVhMmIwMmE5NDE1NGJkYjAyOTUyNjRhZjk1MmM/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Link from the script that generates the pop-up window:


Redirect:


Angler EK delivers Silverlight exploit:


EXE payload after successful exploit:


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
