2014-06-03 - ANGLER EK FROM 85.25.43.60 PORT 2980 - JUGOSLAAVIENFISUN.DVDANDGIFTS.CO.ZA

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

ANGLER EK:


TRAFFIC FROM SANDBOX ANALYSIS OF MALWARE PAYLOAD:


PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-06-03-Angler-EK-silverlight-exploit.xap
File size:  52.6 KB ( 53913 bytes )
MD5 hash:  5613d0312a0acf3a86f4d427b645dc5e
Detection ratio:  1 / 52
First submission:  2014-06-04 04:16:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/92d5995e66e913e97286d436a048de0459e7c21a29b93d7febd1ead880a43963/analysis/


MALWARE PAYLOAD

File name:  2014-06-03-Angler-EK-malware-payload.exe
File size:  157.5 KB ( 161280 bytes )
MD5 hash:  942f89a745e22b6d6156b77717eaa14c
Detection ratio:  3 / 51
First submission:  2014-06-03 09:29:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/65c3ec6d48f5b3d9e77b48793461fe689d6110e3dade714a0251c02ae8db35ad/analysis/
Malwr link:  https://malwr.com/analysis/MTU0MDM3ODg4OTc3NGNkYjkxZTU1MTdiYmU5NDkxOTQ/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

NOTE:  I used tcprewrite to change the port on 85.23.43.60 from 2980 to 80, and I used tcpreplay to generate the Angler EK events.  On a default Security Onion install, you would only see the first event.
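The port rewrite in the note above matters because most Emerging Threats HTTP rules are keyed on $HTTP_PORTS, so exploit-kit traffic on an odd port such as 2980 never reaches those rules until it is moved to port 80. The following is an added example, not code from this page's author and not part of tcprewrite or tcpreplay: it performs the same port-remap step in pure Python on a constructed two-packet pcap (made-up addresses 10.0.0.5 and 192.0.2.10, made-up request and response bodies), recomputing the TCP checksum so the rewritten capture is still valid when replayed. On a real capture the equivalent tcprewrite invocation is `tcprewrite --portmap=2980:80 --infile=in.pcap --outfile=out.pcap`, which this block only mirrors.

```python
"""Added example: remap a TCP port inside a classic pcap (what tcprewrite --portmap does),
so that IDS rules keyed on $HTTP_PORTS fire when the capture is replayed.
Standard library only; all packets, addresses and payloads below are constructed samples."""
import socket
import struct

PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (PSH+ACK), used only as sample input."""
    eth = bytes(6) + bytes(5) + b"\x01" + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                                   socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    struct.pack_into("!H", ip_hdr, 10, ones_complement_sum(bytes(ip_hdr)))
    tcp_hdr = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0))
    struct.pack_into("!H", tcp_hdr, 16, tcp_checksum(src_ip, dst_ip, bytes(tcp_hdr) + payload))
    return eth + bytes(ip_hdr) + bytes(tcp_hdr) + payload


def make_pcap(frames) -> bytes:
    """Wrap frames in a classic pcap file with constructed timestamps."""
    out = PCAP_GLOBAL_HDR
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1401753600 + i, 0, len(frame), len(frame)) + frame
    return out


def _locate_tcp(frame):
    """Return (ip_off, tcp_off, src, dst, ip_end) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 6:  # not TCP
        return None
    total_len = struct.unpack("!H", frame[ip_off + 2:ip_off + 4])[0]
    if len(frame) < ip_off + total_len or total_len < ihl + 20:
        return None
    src = socket.inet_ntoa(bytes(frame[ip_off + 12:ip_off + 16]))
    dst = socket.inet_ntoa(bytes(frame[ip_off + 16:ip_off + 20]))
    return ip_off, ip_off + ihl, src, dst, ip_off + total_len


def iter_records(pcap: bytes):
    """Yield (record_header, frame) pairs from a classic pcap."""
    off = 24
    while off + 16 <= len(pcap):
        hdr = pcap[off:off + 16]
        incl_len = struct.unpack("<I", hdr[8:12])[0]
        yield hdr, pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def remap_ports(pcap: bytes, portmap: dict) -> bytes:
    """Apply portmap to TCP source/destination ports and recompute the TCP checksum."""
    out = pcap[:24]
    for hdr, raw in iter_records(pcap):
        frame = bytearray(raw)
        loc = _locate_tcp(frame)
        if loc:
            _, tcp_off, src, dst, ip_end = loc
            sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
            new = (portmap.get(sport, sport), portmap.get(dport, dport))
            if new != (sport, dport):
                struct.pack_into("!HH", frame, tcp_off, *new)
                struct.pack_into("!H", frame, tcp_off + 16, 0)  # zero before recomputing
                struct.pack_into("!H", frame, tcp_off + 16, tcp_checksum(src, dst, bytes(frame[tcp_off:ip_end])))
        out += hdr + bytes(frame)
    return out


def tcp_ports(pcap: bytes):
    """List (sport, dport) for every TCP packet, for inspection and testing."""
    return [struct.unpack("!HH", f[loc[1]:loc[1] + 4])
            for _, f in iter_records(pcap) if (loc := _locate_tcp(f))]


def tcp_checksums_valid(pcap: bytes) -> bool:
    """True when every TCP checksum verifies (pseudo-header + segment folds to zero)."""
    return all(tcp_checksum(loc[2], loc[3], f[loc[1]:loc[4]]) == 0
               for _, f in iter_records(pcap) if (loc := _locate_tcp(f)))


# Constructed sample: an HTTP exchange on the non-standard port 2980, then remapped to 80.
SAMPLE_PCAP = make_pcap([
    build_tcp_frame("10.0.0.5", "192.0.2.10", 49152, 2980, b"GET /landing HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    build_tcp_frame("192.0.2.10", "10.0.0.5", 2980, 49152, b"HTTP/1.1 200 OK\r\n\r\n"),
])
REWRITTEN_PCAP = remap_ports(SAMPLE_PCAP, {2980: 80})

if __name__ == "__main__":
    print("before:", tcp_ports(SAMPLE_PCAP))
    print("after: ", tcp_ports(REWRITTEN_PCAP), "checksums ok:", tcp_checksums_valid(REWRITTEN_PCAP))
```

Write `REWRITTEN_PCAP` to a file and replay it with tcpreplay against the sensor interface, as the note describes, and the $HTTP_PORTS rules will now be evaluated against the session; checksums must be recomputed, because Snort's stream preprocessor drops segments with bad TCP checksums by default and the rewritten packets would otherwise never be inspected.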


SNORT EVENTS FOR PCAP FROM MALWR.COM ANALYSIS:


HIGHLIGHTS FROM THE TRAFFIC

Callback traffic from sandbox analysis of the malware payload:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.