2014-07-28 - ANGLER EK FROM 66.96.246.143 - 02S.YLUKODORSAIEAQL.ORG

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

ANGLER EK:

 

TRAFFIC FROM SANDBOX ANALYSIS USING WINDOWS 7:

NOTE: In the Windows 7 sandbox analysis, all TCP connections were reset by the client (not the server).  For example:

 
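To check the same thing on any capture (which side of each TCP connection sent the RST), here is a small flow tracker. This is an added example, not part of the original post or its pcaps: it builds a constructed libpcap file in memory with a sandbox host at an assumed address of 192.168.1.101 talking to the Angler server IP from this post's title, then reads it back with only the standard library. The client of a flow is whichever endpoint sent the initial SYN; every RST is then attributed to "client" or "server" relative to that. The constructed capture deliberately contains one client-side reset (the pattern seen in the Windows 7 run) and one server-side reset for contrast. Checksums and timestamps are placeholders, and classic pcap only is handled (not pcap-ng).

```python
import struct

# TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

SANDBOX = "192.168.1.101"   # assumed sandbox address (constructed)
EK_SERVER = "66.96.246.143"  # Angler EK server IP from this post's title


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, sport, dst, dport, flags, seq=0, ack=0):
    """Minimal Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst mac, src mac, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):                        # constructed timestamps
        out.append(struct.pack("<IIII", 1406500000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_tcp(pcap_bytes):
    """Yield (src, sport, dst, dport, flags) for every IPv4/TCP packet in a pcap."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:              # protocol 6 = TCP
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, sport, dst, dport, tcp[13]


def rst_origins(pcap_bytes):
    """Map each flow to its client/server endpoints and who sent each RST."""
    flows = {}
    for src, sport, dst, dport, flags in iter_tcp(pcap_bytes):
        a, b = (src, sport), (dst, dport)
        key = tuple(sorted((a, b)))                       # direction-independent flow key
        f = flows.setdefault(key, {"client": None, "server": None, "rst_from": []})
        if flags & SYN and not flags & ACK and f["client"] is None:
            f["client"], f["server"] = a, b               # SYN (without ACK) marks the client
        if flags & RST:
            if f["client"] is None:
                f["rst_from"].append("unknown")           # handshake not in the capture
            else:
                f["rst_from"].append("client" if a == f["client"] else "server")
    return flows


def report(pcap_bytes):
    """One line per flow that carried a RST, e.g. '192.168.1.101:49152 -> 66.96.246.143:80  RST from client'."""
    lines = []
    for key, f in sorted(rst_origins(pcap_bytes).items()):
        if not f["rst_from"]:
            continue
        c, s = (f["client"], f["server"]) if f["client"] else key
        lines.append(f"{c[0]}:{c[1]} -> {s[0]}:{s[1]}  RST from {', '.join(f['rst_from'])}")
    return lines


# Constructed capture: flow 1 is reset by the client, flow 2 by the server.
SAMPLE_PCAP = build_pcap([
    build_packet(SANDBOX, 49152, EK_SERVER, 80, SYN),
    build_packet(EK_SERVER, 80, SANDBOX, 49152, SYN | ACK),
    build_packet(SANDBOX, 49152, EK_SERVER, 80, ACK),
    build_packet(SANDBOX, 49152, EK_SERVER, 80, RST | ACK),
    build_packet(SANDBOX, 49153, EK_SERVER, 80, SYN),
    build_packet(EK_SERVER, 80, SANDBOX, 49153, SYN | ACK),
    build_packet(SANDBOX, 49153, EK_SERVER, 80, ACK),
    build_packet(EK_SERVER, 80, SANDBOX, 49153, RST | ACK),
])

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PCAP)))
```

To run it over a real capture, pass `open("capture.pcap", "rb").read()` to `report()` instead of `SAMPLE_PCAP`. In Wireshark the equivalent quick check is the display filter `tcp.flags.reset == 1`, then comparing the source address of each RST against the address that sent the SYN in the same stream.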

POST-INFECTION TRAFFIC FROM SANDBOX ANALYSIS USING WINDOWS XP:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2014-07-28-Angler-EK-java-exploit.jar
File size:  29.2 KB ( 29896 bytes )
MD5 hash:  7a0eba050245fbb3f9d1985686a39ba8
Detection ratio:  14 / 54
First submission:  2014-07-29 02:44:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a5f9012fd513c4210a189df9924516b086dd5b264b976c3aa61c30d1c7568faf/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-07-28-Angler-EK-silverlight-exploit.xap
File size:  52.0 KB ( 53280 bytes )
MD5 hash:  e0950b06e7f01ffcd6a56b809cc68f28
Detection ratio:  0 / 53
First submission:  2014-07-29 02:44:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/002a5f7b5ee8d1fc983fee2b320843acecab411ce7b9588ebbc44695ee276846/analysis/

 

MALWARE PAYLOAD:

File name:  2014-07-28-Angler-EK-malware-payload.exe
File size:  642.5 KB ( 657920 bytes )
MD5 hash:  c0d1f083cb7e6b0cf501e11f5454bd05
Detection ratio:  4 / 53
First submission:  2014-07-28 23:02:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/edbea251a734530925697f4e364810e87b1fd7d1a26d35f2d032e43e8ffce5e1/analysis/

 

FOLLOWUP MALWARE (BITCOIN MINER) FROM WINDOWS XP SANDBOX ANALYSIS:

File name:  9152a9aaed2e492bf7a4f74121e6233f.exe
File size:  1002.5 KB ( 1026588 bytes )
MD5 hash:  9152a9aaed2e492bf7a4f74121e6233f
Detection ratio:  21 / 54
First submission:  2014-07-19 13:18:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/561ec353ddac01d67968660c023768ba337321dd355f3b54a8498cd878a6a98b/analysis/
Malwr link:  https://malwr.com/analysis/OWYyNmQ0NTViYzMyNDNlMzg1OTk5ODEzYjM4MTNjYjI/


In the sandbox analysis, this file was saved as: C:\Documents and Settings\Username\Local Settings\Temp\6.tmp

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

NOTE: From the Windows XP sandbox analysis, I saw multiple events for Trojan.Win32.Qadars from the ET PRO and Sourcefire VRT rulesets:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
