2014-08-16 - ANGLER EK FROM 188.120.243.32 - 112LBJKXPV.ADWPOBI.COM

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ANGLER EK:

NOTE:  [!] marks where the malware payload was delivered (the same payload all three times).
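The chain of events above is traffic between the victim and the Angler EK server. The following is an added example (not part of the original post, and not the traffic captured for it) showing how the page's network indicators would be matched against proxy log lines. The IP 188.120.243.32 and host 112lbjkxpv.adwpobi.com come from the page title; the log layout, the sample lines, and the treatment of any host under adwpobi.com as a hit (on the assumption that the random-looking leading label is a throwaway subdomain) are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators from the page title: the Angler EK server and the landing-page host.
ANGLER_IP = "188.120.243.32"
ANGLER_HOST = "112lbjkxpv.adwpobi.com"
# Assumption (not stated on the page): the leading label is a throwaway subdomain,
# so any host under adwpobi.com is treated as a hit, but only on a label boundary
# (adwpobi.com.evil-lookalike.net must NOT match).
ANGLER_PARENT_DOMAIN = "adwpobi.com"

# Constructed sample log lines for this example, in an assumed minimal proxy-log
# layout: epoch-seconds client-ip dest-ip method url status
SAMPLE_LOG = """\
1408204801 10.0.0.15 188.120.243.32 GET http://112lbjkxpv.adwpobi.com/wdbmsu4vbr 200
1408204803 10.0.0.15 188.120.243.32 GET http://112LBJKXPV.ADWPOBI.COM:80/j8t3r2.xap 200
1408204805 10.0.0.15 93.184.216.34 GET http://www.example.com/index.html 200
1408204807 10.0.0.22 188.120.243.32 GET http://qx7z.adwpobi.com/payload 200
1408204809 10.0.0.22 203.0.113.5 GET http://adwpobi.com.evil-lookalike.net/ 200
this line is not a log record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def normalize_host(url):
    """Host part of a URL, lower-cased, port stripped, trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def host_under_domain(host, domain):
    """True if host equals domain or is a subdomain of it (label-aware suffix match)."""
    return host == domain or host.endswith("." + domain)


def classify(line):
    """Parse one log line; return a dict with the matched indicators, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = normalize_host(m["url"])
    reasons = []
    if m["dst"] == ANGLER_IP:
        reasons.append("ip:" + ANGLER_IP)
    if host == ANGLER_HOST:
        reasons.append("host:" + ANGLER_HOST)
    elif host_under_domain(host, ANGLER_PARENT_DOMAIN):
        reasons.append("domain:" + ANGLER_PARENT_DOMAIN)
    return {
        "ts": int(m["ts"]),
        "client": m["client"],
        "dst": m["dst"],
        "host": host,
        "url": m["url"],
        "reasons": reasons,
    }


def scan(log_text):
    """Return only the records that matched at least one indicator."""
    records = (classify(line) for line in log_text.splitlines() if line.strip())
    return [r for r in records if r is not None and r["reasons"]]


def clients_by_hit_count(hits):
    """Map client IP -> number of matching requests, to rank hosts for triage."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["client"], h["url"], ",".join(h["reasons"]))
    print(clients_by_hit_count(scan(SAMPLE_LOG)))
```

Matching on the server IP alone would miss the exploit kit once it moves to a new address, and matching on the exact host alone would miss the next throwaway subdomain; scoring both, plus the parent-domain suffix, is why the record carries a list of reasons rather than a single flag.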

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2014-08-16-Angler-EK-java-exploit.jar
File size:  26.7 KB ( 27381 bytes )
MD5 hash:  5b7f2db11140f86fa5e85772f75749fe
Detection ratio:  13 / 54
First submission:  2014-08-16 16:18:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2cd84f9b6785bbc2fa10d4d4450f6d9da236d473f12954876a3d8b4b0890ef7e/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-08-16-Angler-EK-silverlight-exploit.xap
File size:  53.9 KB ( 55145 bytes )
MD5 hash:  c31f5da94fc5e313e2b3a2329a59cbde
Detection ratio:  0 / 54
First submission:  2014-08-16 16:11:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3879cc20b65a37e9eafa5b27103ed7484d0999fdd1560249e3f516054c1b39aa/analysis/

 

MALWARE PAYLOAD:

File name:  2014-08-16-Angler-EK-malware-payload.dll
File size:  314.3 KB ( 321848 bytes )
MD5 hash:  62db2cec859a8949acfae6f384563b84
Detection ratio:  5 / 54
First submission:  2014-08-14 22:14:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f18faa8d43002fde37abcf4517615dfbc9191c0835e1b1af18b0ce9b192de09c/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

SCREENSHOTS FROM THE TRAFFIC

Angler EK landing page and (what I assume is) a CVE-2013-2551 IE exploit that's obfuscated or otherwise encoded:

 

Angler EK sends Silverlight exploit:

 

Angler EK sends Java exploit:

 

Malware payload sent after each successful exploit (CVE-2013-2551 IE exploit, Silverlight and Java):

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
