2014-06-20 - 32X32 GATE TO ANGLER EK ON 107.181.246.213 - L7QRZ.HONIGIWACE.INFO

ASSOCIATED FILES:

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND 32X32 GATE:

ANGLER EK:

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-06-20-Angler-EK-java-exploit.jar
File size:  29.2 KB ( 29867 bytes )
MD5 hash:  cf0f7176f40114ee288d7dd4599e926e
Detection ratio:  9 / 53
First submission:  2014-06-21 00:35:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f4b35756b9f6ea204ca4ff9f69b0df1ec350033e79eb0d00b384443643488254/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-06-20-Angler-EK-silverlight-exploit.xap
File size:  51.5 KB ( 52690 bytes )
MD5 hash:  98119bc927fe32313a87d6b808a29539
Detection ratio:  3 / 54
First submission:  2014-06-12 12:51:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3ae82bd0a8eee6d0273d121008dc0968344fcac78bd62ea371178c1e8a1a5017/analysis/

 

MALWARE PAYLOAD

File name:  2014-06-20-Angler-EK-malware-payload.exe
File size:  264.0 KB ( 270336 bytes )
MD5 hash:  7cde5ff3c884e019e6d718cbc4029f14
Detection ratio:  9 / 54
First submission:  2014-06-21 00:36:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6c2ecb7bf4130a76179b249c5f227069aa3096d9bfcfd52c6f7b9c3d0bf8dd4f/analysis/
Malwr link:  https://malwr.com/analysis/ZDhlMjk3M2E2YWVjNGRjNWE2ZTdjY2Y0M2E4OTQ4Yjk/

 

FOLLOW-UP MALWARE

File name:  run.exe
File size:  577.5 KB ( 591360 bytes )
MD5 hash:  001bf7b9889d7115baf5ca0206ddfd7e
Detection ratio:  21 / 54
First submission:  2014-06-21 00:36:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/529d49f591cc1558705e0b5f6da1f193d75d693ec432c50bad5e5ddf1e036204/analysis/
Malwr link:  https://malwr.com/analysis/YzNkZGQ0MDM2M2Y4NDFlY2EwMDlhMTc1Y2FjOTBkNTI/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:

NOTE: These Snort events were taken from Sguil on Security Onion

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
