2014-05-23 - ANGLER EK FROM 91.185.215.137 - DGW.TUMIJILPWQ.NET

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

EXAMPLE 1 - ANGLER EK USES SILVERLIGHT EXPLOIT:

EXAMPLE 2 - ANGLER EK USES FLASH EXPLOIT:

EXAMPLE 3 - ANGLER EK USES JAVA EXPLOIT:

EXAMPLE OF POST-INFECTION CALLBACK USING COVERT CHANNELS THROUGH DNS:

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-05-23-Angler-EK-silverlight-exploit.xap
File size:  51.2 KB ( 52467 bytes )
MD5 hash:  e2a6c17c6e5f8bf7b8caec89400f7645
Detection ratio:  0 / 53
First submission:  2014-05-16 14:54:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6ffc300642bb3d871940fddef6abd8bbe01f5b913fba7c7a4753786f7cf747a4/analysis/

FLASH EXPLOIT

File name:  2014-05-23-Angler-EK-flash-exploit.swf
File size:  73.3 KB ( 75052 bytes )
MD5 hash:  0c740eff0467fcab8c985756574751f0
Detection ratio:  0 / 52
First submission:  2014-05-22 12:48:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/493915850b557fabcd6b67b07200433f90ff6d60a2041a247188b4a806effcde/analysis/

File name:  2014-05-23-Angler-EK-flash-exploit-uncompressed.swf
File size:  94.9 KB ( 97157 bytes )
MD5 hash:  688cb62e6d01e74d01031b22064945b2
Detection ratio:  0 / 53
First submission:  2014-05-22 12:50:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/885e5cf6763c58650b5273d26b3278d5192df5da94b381b0bbceee7cfb074730/analysis/

JAVA EXPLOIT

File name:  2014-05-23-Angler-EK-java-exploit.jar
File size:  26.2 KB ( 26840 bytes )
MD5 hash:  3de78737b728811af38ea780de5f5ed7
Detection ratio:  18 / 53
First submission:  2014-04-21 21:58:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d7521565cdfe6aec509d09ffd691216b65d99c1688a9ec55cb620db5ddfbae95/analysis/

MALWARE PAYLOAD

File name:  2014-05-23-Angler-EK-malware-payload.exe
File size:  131.0 KB ( 134152 bytes )
MD5 hash:  355554e783b77ba536caea59974550be
Detection ratio:  8 / 45
First submission:  2014-05-22 23:34:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2ba7742cde44b1a2f342f99e07a0c7fd3a95910f83f9cf27f254af3162115836/analysis/
Malwr link:  https://malwr.com/analysis/MDhmMDZmMDZhNTM3NDNkNjllOWZiYzQyZWE1ZjVjMTg/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats ruleset:

Sourcefire VRT ruleset:

HIGHLIGHTS FROM THE TRAFFIC

Embedded javascript in page from compromised website:

Each HTTP GET request for javascript from the compromised website included the same type of malicious code:

Redirect:

Example 1 - Angler EK delivers Silverlight exploit:

Example 1 - EXE payload sent after successful Silverlight exploit:

Example 2 - Angler EK delivers Flash exploit:

Example 2 - EXE payload sent after successful Flash exploit:

Example 3 - Angler EK delivers Java exploit:

Example 3 - EXE payload sent after successful Java exploit:

Example of the covert post-infection callback traffic using DNS channels:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
