2014-07-12 - ANGLER EK FROM 192.200.105.130 - THREE.PASERTSION.CO.UK

ASSOCIATED FILES:

NOTES:

Session list of the infection traffic from Fiddler.

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

ANGLER EK:

POST-INFECTION TRAFFIC FROM THE INFECTED VM:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2014-07-12-Angler-EK-java-exploit.jar
File size:  29.2 KB ( 29854 bytes )
MD5 hash:  974de20e097f1f07d4a9377e48a93459
Detection ratio:  9 / 54
First submission:  2014-07-12 23:47:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cac9f2356addab680e380b86249dd5f2f9bdf1784b02e280c120d1893511234e/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-07-12-Angler-EK-silverlight-exploit.xap
File size:  52.0 KB ( 53220 bytes )
MD5 hash:  70ac580aab2d6e93a0cef61e16fcdbaa
Detection ratio:  1 / 53
First submission:  2014-07-12 00:24:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/196f88d93e4fe11d19467b5d947da82ea1505637da3b5498d82942519f4e4112/analysis/

MALWARE PAYLOAD:

File name:  2014-07-12-Angler-EK-malware-payload.exe
File size:  42.0 KB ( 43008 bytes )
MD5 hash:  1a542415ab7bc0112d7b28def8dcab4f
Detection ratio:  4 / 53
First submission:  2014-07-12 23:47:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7ed07a2fbde33793720f513f9ad7dc643ff690beddf621a33a05493345744247/analysis/
Malwr link:  https://malwr.com/analysis/NzMwYmVkNjNmNWJiNDI0NDk4MTIzNGMzYTg0ZTg4ZmY/
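
Before analysing any of the three samples, it is worth confirming that what you downloaded is what this page describes. The following is an added Python example (not part of the original post): the sizes and MD5 values are the ones listed above, and each SHA-256 is taken from the page's own VirusTotal URL, whose path component is the 64-hex-digit digest, rather than retyped. It assumes the files sit in the working directory under the listed file names; `indicator_for()` builds an entry of the same shape for a newly acquired sample.

```python
"""Verify downloaded samples against the indicators published on this page.

Added example, not part of the original post. Sizes and MD5s are the page's
values; each SHA-256 is parsed out of the page's VirusTotal URL.
"""
import hashlib
import re

# Indicators exactly as listed above (name, size in bytes, MD5, VirusTotal URL).
INDICATORS = [
    {
        "name": "2014-07-12-Angler-EK-java-exploit.jar",
        "size": 29854,
        "md5": "974de20e097f1f07d4a9377e48a93459",
        "vt": "https://www.virustotal.com/en/file/"
              "cac9f2356addab680e380b86249dd5f2f9bdf1784b02e280c120d1893511234e/analysis/",
    },
    {
        "name": "2014-07-12-Angler-EK-silverlight-exploit.xap",
        "size": 53220,
        "md5": "70ac580aab2d6e93a0cef61e16fcdbaa",
        "vt": "https://www.virustotal.com/en/file/"
              "196f88d93e4fe11d19467b5d947da82ea1505637da3b5498d82942519f4e4112/analysis/",
    },
    {
        "name": "2014-07-12-Angler-EK-malware-payload.exe",
        "size": 43008,
        "md5": "1a542415ab7bc0112d7b28def8dcab4f",
        "vt": "https://www.virustotal.com/en/file/"
              "7ed07a2fbde33793720f513f9ad7dc643ff690beddf621a33a05493345744247/analysis/",
    },
]

# VirusTotal file-report URLs carry the SHA-256 as a 64-hex path component.
SHA256_IN_URL = re.compile(r"/file/([0-9a-f]{64})/")


def sha256_from_vt_url(url):
    """Extract the SHA-256 embedded in a VirusTotal file-report URL."""
    match = SHA256_IN_URL.search(url)
    if match is None:
        raise ValueError("no SHA-256 in VirusTotal URL: %s" % url)
    return match.group(1)


def verify_artifact(data, indicator):
    """Compare raw bytes with one indicator; return a list of mismatches (empty == match)."""
    problems = []
    if len(data) != indicator["size"]:
        problems.append("size %d, expected %d" % (len(data), indicator["size"]))
    md5 = hashlib.md5(data).hexdigest()
    if md5 != indicator["md5"]:
        problems.append("md5 %s, expected %s" % (md5, indicator["md5"]))
    sha256 = hashlib.sha256(data).hexdigest()
    expected = sha256_from_vt_url(indicator["vt"])
    if sha256 != expected:
        problems.append("sha256 %s, expected %s" % (sha256, expected))
    return problems


def indicator_for(data, name):
    """Build an indicator entry of the same shape for a freshly acquired sample."""
    return {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "vt": "https://www.virustotal.com/en/file/%s/analysis/"
              % hashlib.sha256(data).hexdigest(),
    }


def verify_file(path, indicator):
    """Read a file from disk and verify it (path assumed to be the listed file name)."""
    with open(path, "rb") as fh:
        return verify_artifact(fh.read(), indicator)


if __name__ == "__main__":
    for ind in INDICATORS:
        try:
            problems = verify_file(ind["name"], ind)
        except OSError as err:
            print("%s: cannot read (%s)" % (ind["name"], err))
            continue
        print("%s: %s" % (ind["name"], "OK" if not problems else "; ".join(problems)))
```

A size or MD5 match alone is weak evidence for a sample that has been passed around for years; the SHA-256 check against the VirusTotal URL is the one that matters, and the script reports all three so a partial mismatch (for example a truncated download) is easy to spot.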

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion:

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

NOTE: These Snort events were taken

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript from compromised website that points to the redirect:

Redirect pointing to Angler EK landing page:

Angler EK sends Silverlight exploit:

Angler EK sends obfuscated malware payload after Silverlight exploit:

Angler EK sends Java exploit:

Angler EK sends obfuscated malware payload after Java exploit:

Malware callback traffic from the infected VM:

Callback traffic to TCP port 53 from the Malwr.com sandbox analysis:
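
Callbacks on TCP port 53 are chosen to blend in with DNS at egress filters that allow port 53 outbound without inspecting it. The screenshot above does not show the payload bytes, so the added Python example below (not the post's own code) demonstrates only the triage check a practitioner would run on reassembled client-side streams to TCP/53: does the data parse as a DNS query framed per RFC 1035 section 4.2.2 (2-byte length prefix, 12-byte header, then a question section)? The session records and their payloads are constructed for illustration and are not taken from this capture.

```python
"""Triage TCP/53 client streams: does the data parse as DNS over TCP?

Added example, not from the original post. The sessions below are constructed;
the real callback payload is only shown in the screenshot above.
"""
import struct

# Opcodes a client legitimately sends: QUERY, NOTIFY, UPDATE (IQUERY is
# obsolete and STATUS is unused in practice).
CLIENT_OPCODES = (0, 4, 5)
# Classes seen in real questions: IN, CH, HS, NONE, ANY.
KNOWN_QCLASSES = (1, 3, 4, 254, 255)


def parse_qname(msg, offset):
    """Parse an uncompressed DNS name; return (name, offset past it) or raise ValueError."""
    labels, total = [], 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[offset]
        offset += 1
        if n == 0:
            break
        if n >= 64:  # top bits set: compression pointer or extended label, not a plain label
            raise ValueError("label length byte 0x%02x is not a plain label" % n)
        total += n + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        labels.append(msg[offset:offset + n])
        offset += n
    return b".".join(labels).decode("ascii", "replace"), offset


def looks_like_dns_over_tcp(payload):
    """Heuristic on the first bytes a client sent on a TCP/53 stream.
    Returns (True, description) if they frame as RFC 1035 4.2.2 DNS, else (False, reason)."""
    if len(payload) < 14:
        return False, "shorter than a length prefix plus DNS header"
    msg_len = struct.unpack("!H", payload[:2])[0]
    if msg_len < 12:
        return False, "length prefix %d is smaller than a DNS header" % msg_len
    msg = payload[2:2 + msg_len]
    txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:
        return False, "QR bit set: client sent a response, not a query"
    opcode = (flags >> 11) & 0xF
    if opcode not in CLIENT_OPCODES:
        return False, "opcode %d is not one a client sends" % opcode
    if flags & 0x0040:
        return False, "reserved Z bit set"
    if opcode != 0:
        return True, "opcode %d message (NOTIFY/UPDATE), not inspected further" % opcode
    if qdcount == 0 or ancount or nscount:
        return False, "query with QDCOUNT=%d ANCOUNT=%d NSCOUNT=%d" % (qdcount, ancount, nscount)
    try:
        name, off = parse_qname(msg, 12)
    except ValueError as err:
        return False, "question name: %s" % err
    if off + 4 > len(msg):
        return False, "question truncated before QTYPE/QCLASS"
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    if qclass not in KNOWN_QCLASSES:
        return False, "unknown QCLASS %d" % qclass
    return True, "DNS query id 0x%04x for %s type %d" % (txid, name, qtype)


def build_dns_query(name, qtype=1, txid=0x1234):
    """Build a TCP-framed DNS query (used here only to construct sample data)."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    message = header + question
    return struct.pack("!H", len(message)) + message


def suspicious_port53_sessions(sessions):
    """Return (src, dst, reason) for TCP/53 sessions whose client data is not DNS."""
    flagged = []
    for s in sessions:
        if s["proto"] != "tcp" or s["dport"] != 53:
            continue
        ok, reason = looks_like_dns_over_tcp(s["client_data"])
        if not ok:
            flagged.append((s["src"], s["dst"], reason))
    return flagged


# Constructed sessions, not from this capture: a genuine-looking query, a stream
# whose header has the QR bit set, an arbitrary binary blob, and a UDP session
# the filter ignores.
SAMPLE_SESSIONS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 53,
     "client_data": build_dns_query("example.com")},
    {"src": "10.0.0.5", "dst": "192.0.2.20", "proto": "tcp", "dport": 53,
     "client_data": b"\x00\x20\x8b\xad\xf0\x0d" + b"\x00" * 28},
    {"src": "10.0.0.5", "dst": "192.0.2.30", "proto": "tcp", "dport": 53,
     "client_data": bytes(range(0x10, 0x40))},
    {"src": "10.0.0.5", "dst": "192.0.2.40", "proto": "udp", "dport": 53,
     "client_data": build_dns_query("example.net")},
]

if __name__ == "__main__":
    for src, dst, reason in suspicious_port53_sessions(SAMPLE_SESSIONS):
        print("%s -> %s:53/tcp  %s" % (src, dst, reason))
```

Treat a hit as a reason to pull the pcap and follow the stream, not as a verdict: DNS over TCP is legitimate (zone transfers, retries after a truncated UDP answer, resolvers that use TCP by default), and a first segment that carries only the 2-byte length prefix will read as "shorter than a length prefix plus DNS header" until the stream is reassembled.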

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
