2014-06-02 - ANGLER EK FROM 142.4.206.136 - WEAVERFINCH.SOCIOLIZER.COM

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

ANGLER EK:

TRAFFIC FROM SANDBOX ANALYSIS OF MALWARE PAYLOAD:

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-06-02-Angler-EK-silverlight-exploit.xap
File size:  51.9 KB ( 53117 bytes )
MD5 hash:  54954cdc1a2c040b72588f3645c4a221
Detection ratio:  7 / 51
First submission:  2014-06-04 04:13:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/eeb41f4a85a5e5977c2520ba3e5ee6a1dc0e478bdbcf2f6311c66e84c48250bb/analysis/

MALWARE PAYLOAD

File name:  2014-06-02-Angler-EK-malware-payload.exe
File size:  152.0 KB ( 155648 bytes )
MD5 hash:  b7993e8196bb6c3022639ee7942d3b20
Detection ratio:  27 / 52
First submission:  2014-05-30 16:18:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/db23f4c2f4275611fdc9a8c9a7efdc87b77029a3fc72f06d7ae4c6e5a8e0775e/analysis/
Malwr link:  https://malwr.com/analysis/MmU3MGYwNDM1YmI4NDE0YWI5ZWYzZmExYjVkMDgwMDk/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats ruleset:

Sourcefire VRT ruleset:

SNORT EVENTS FOR PCAP FROM MALWR.COM ANALYSIS:

HIGHLIGHTS FROM THE TRAFFIC

Everything is very much the same as my last write-up on Angler EK from 2014-05-28 (link).  See that post for more details.

Malicious JavaScript from the compromised website pointing to the redirect:

Callback traffic from sandbox analysis of the malware payload:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.