2014-06-24 - ANGLER EK FROM 149.3.138.235 - POSTINGDROMERINGSLAND.NET

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

ANGLER EK:

POST-INFECTION TRAFFIC:

NOTES: The post-infection DNS queries generated by the malware were sent to Google's public resolver at 8.8.8.8, and the queries were repeated several times.


PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-06-24-Angler-EK-java-exploit.jar
File size:  28.0 KB ( 28721 bytes )
MD5 hash:  d9905f9daf40cc3ea7c0f4cf69eeb716
Detection ratio:  17 / 54
First submission:  2014-06-20 12:38:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/959d3ff72d416c2130cfa38e036909c7eb3154f3fcd57bce9b9f1e0522999c07/analysis/


SILVERLIGHT EXPLOIT

File name:  2014-06-24-Angler-EK-Silverlight-exploit.xap
File size:  51.5 KB ( 52714 bytes )
MD5 hash:  e562283bcb93f4ef9aaf89fa481d7ab5
Detection ratio:  0 / 54
First submission:  2014-06-24 16:40:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3d0a3ebd6e587ac15f2ccaff31b27dd51a660ca4327bcb4a026d2c7397aa20c5/analysis/


MALWARE PAYLOAD

File name:  2014-06-24-Angler-EK-malware-payload.exe
File size:  252.0 KB ( 258048 bytes )
MD5 hash:  0421d581a8be33099b5b140bbd2d97f0
Detection ratio:  6 / 54
First submission:  2014-06-24 13:57:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a66f4c3292ec70868548891a5933c36f076fbaac6329c4fce54bbdb572e3f511/analysis/
Malwr link:  https://malwr.com/analysis/MmRkNDUyMjliODM0NGRkMjg1YjY1NDFlNmUzMDIxZWM/


SNORT EVENTS

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:

NOTE: These Snort events were taken from Sguil on Security Onion.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
