2014-05-28 - ANGLER EK AND ANOTHER CRYPTOWALL SAMPLE

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

ANGLER EK USES SILVERLIGHT EXPLOIT:

ANGLER EK USES FLASH EXPLOIT (NO INFECTION):

ANGLER EK USES JAVA EXPLOIT:

TRAFFIC FROM MALWR.COM SANDBOX ANALYSIS OF MALWARE PAYLOAD:

CRYPTOWALL TRAFFIC AFTER RUNNING FILE "3.EXE" FROM THE SANDBOX ANALYSIS ON A VM:


PRELIMINARY MALWARE ANALYSIS

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


SNORT EVENTS FOR THE SANDBOX TRAFFIC (using tcpreplay on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Example of malicious script in page from compromised website:


Example of redirect pointing to Angler EK:


CryptoWall in action on the infected VM:


1AkJptnuoiQAD3GmHMFHBSMxZ9H2GKJTkB is the same bitcoin address from another CryptoWall infection in my 2014-05-25 blog entry.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.