2014-09-09 - (FILELESS INFECTION BY) ANGLER EK FROM 46.105.140.56 - TSEVID-SYNONYMI.JUSTDANCEATSEA.COM:8080

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

ANGLER EK:

 

POST-INFECTION TRAFFIC TO LEGITIMATE DOMAINS:

NOTE: These requests appear to be checking for location (www.earthtools.org) and connectivity.  The HTTP POST requests to the European Central Bank home page (www.ecb.europa.eu) sent zero bytes of POST data and returned XML data on exchange rates.  There was also traffic to www.google.com, but it consisted only of several TCP 3-way handshakes, each connection immediately FIN-ed by the server.  Examine the pcap file for more details.

 

POST-INFECTION TRAFFIC TO MALWARE DOMAINS:

NOTE: The pcap also shows numerous DNS queries for DGA-style domains that did not resolve.  Examine the pcap file for more details.
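The two behaviours described in the notes above, a burst of NXDOMAIN answers for DGA-style names and zero-byte POSTs to legitimate sites used as a connectivity check, are easy to pick out of DNS and HTTP logs with a few lines of code.  The following is an added example, not part of the original post: the records are constructed stand-ins (the legitimate hosts mirror the ones named above, the unresolved names are made up), the vowel-ratio and entropy thresholds are tuning choices, and the TLD-stripping is deliberately naive.

```python
import math
from collections import Counter

# Constructed sample records (not taken from the pcap this post describes).
# DNS: (query name, response code). HTTP: (method, host, URI, request body
# length in bytes, status code). Legitimate hosts mirror the ones named above;
# the unresolved names are made-up stand-ins for the DGA-style queries.
DNS_RECORDS = [
    ("www.earthtools.org", "NOERROR"),
    ("www.ecb.europa.eu", "NOERROR"),
    ("www.google.com", "NOERROR"),
    ("wpad.corp.example", "NXDOMAIN"),       # ordinary unresolved name, must not be flagged
    ("xkqjdvfzplrwtm.com", "NXDOMAIN"),
    ("qzvbxnpwtrkl.net", "NXDOMAIN"),
    ("hjkwqzxvbtnm.org", "NXDOMAIN"),
    ("ukeqwzpoxnajd.info", "NXDOMAIN"),
]
HTTP_RECORDS = [
    ("GET", "www.earthtools.org", "/", 0, 200),
    ("POST", "www.ecb.europa.eu", "/", 0, 200),      # zero-byte POST: connectivity check
    ("POST", "login.example", "/session", 87, 302),  # normal POST carrying a body
]

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(name):
    """Label left of the TLD. Naive on purpose: for real data use the public
    suffix list so that 'host.example.co.uk' yields 'example', not 'co'."""
    parts = name.strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(label):
    """Heuristic: a long label that is either nearly vowel-free or close to
    uniformly random. The thresholds are tuning choices, not measured values."""
    letters = [c for c in label if c.isalpha()]
    if len(label) < 10 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.2 or shannon_entropy(label) > 3.5


def analyze(dns_records, http_records, burst_threshold=3):
    """Flag NXDOMAIN answers for DGA-looking names and zero-byte POSTs."""
    dga_nxdomain = [
        name for name, rcode in dns_records
        if rcode == "NXDOMAIN" and looks_dga(registrable_label(name))
    ]
    empty_posts = [
        (host, uri) for method, host, uri, body_len, _status in http_records
        if method == "POST" and body_len == 0
    ]
    return {
        "dga_nxdomain": dga_nxdomain,
        "dga_burst": len(dga_nxdomain) >= burst_threshold,
        "empty_posts": empty_posts,
    }


if __name__ == "__main__":
    result = analyze(DNS_RECORDS, HTTP_RECORDS)
    print("DGA-style NXDOMAIN:", result["dga_nxdomain"])
    print("burst threshold reached:", result["dga_burst"])
    print("zero-byte POSTs:", result["empty_posts"])
```

Keying on NXDOMAIN plus a label heuristic, rather than on the label alone, is what keeps ordinary unresolved names such as WPAD lookups out of the alert; a zero-byte POST to a site that should never receive one is a cheap secondary signal that the host is running a connectivity check rather than a user's browser.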

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-09-Angler-EK-flash-exploit.swf
File size:  75.3 KB ( 77068 bytes )
MD5 hash:  67ca9a31f220bc7b68f203c07ad668b9
Detection ratio:  1 / 55
First submission:  2014-09-08 14:58:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4/analysis/

 

JAVA EXPLOIT:

File name:  2014-09-09-Angler-EK-java-exploit.jar
File size:  28.1 KB ( 28768 bytes )
MD5 hash:  b7b59e710aca39073c67cda53871111e
Detection ratio:  14 / 53
First submission:  2014-09-04 08:25:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c6a5c9154b088c1ae8ccaeb7b987ae560a5325ab389f994619c92bc71610f17b/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-09-Angler-EK-malware-payload.dll
File size:  168.9 KB ( 172912 bytes )
MD5 hash:  fc1e3c8bde2558636c8fc82de9bb38e9
Detection ratio:  2 / 54
First submission:  2014-09-09 15:22:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a098ef3e4d3cae52eaf32d0fe96400e91bf5cf29affa181d509d54008261e6f9/analysis/

 

DROPPED MALWARE 1 OF 2:

File name:  2014-09-09-Angler-EK-dropped-malware-1-of-2.exe
File size:  102.0 KB ( 104448 bytes )
MD5 hash:  bbf0706b0591053cdedfcd5f6dfb19d6
Detection ratio:  4 / 53
First submission:  2014-09-09 15:23:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2df550dc4ef794692eea171420658827804b2b93cb39fc0b3990f75b6d1b29c1/analysis/

 

DROPPED MALWARE 2 OF 2:

File name:  2014-09-09-Angler-EK-dropped-malware-2-of-2.exe
File size:  490.5 KB ( 502284 bytes )
MD5 hash:  ab6c0871794252ab3f6a2c97d87c9857
Detection ratio:  4 / 55
First submission:  2014-09-09 15:23:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ee549fef895947a50641c96491c1e6e13c4bcd3c9f0eaa95ad5e5593a65c673e/analysis/
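The five entries above give an MD5, a size, and (inside each VirusTotal link) a SHA256.  The following is an added example, not part of the original post, showing how to turn them into a checker that hashes only files whose size matches an entry and then requires SHA256, MD5 and size to agree before calling something a match; a hash that agrees while the size or the other hash does not is reported separately, since it usually means a typo in the table or a truncated sample.  Only the values listed on this page are used; the function and variable names are the example's own.

```python
import hashlib
import os
import re

# Hash and size values are the ones listed above; the SHA256 is the one embedded
# in each VirusTotal link. The checker itself is an added example.
VT_FILE_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_link(url):
    """Pull the 64-hex SHA256 out of a VirusTotal /file/<sha256>/ link."""
    m = VT_FILE_RE.search(url)
    if not m:
        raise ValueError("no SHA256 in VirusTotal link: " + url)
    return m.group(1).lower()


# (name, size in bytes, MD5, SHA256)
IOCS = [
    ("Flash exploit", 77068, "67ca9a31f220bc7b68f203c07ad668b9",
     sha256_from_vt_link("https://www.virustotal.com/en/file/350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4/analysis/")),
    ("Java exploit", 28768, "b7b59e710aca39073c67cda53871111e",
     sha256_from_vt_link("https://www.virustotal.com/en/file/c6a5c9154b088c1ae8ccaeb7b987ae560a5325ab389f994619c92bc71610f17b/analysis/")),
    ("Malware payload (DLL)", 172912, "fc1e3c8bde2558636c8fc82de9bb38e9",
     sha256_from_vt_link("https://www.virustotal.com/en/file/a098ef3e4d3cae52eaf32d0fe96400e91bf5cf29affa181d509d54008261e6f9/analysis/")),
    ("Dropped malware 1 of 2", 104448, "bbf0706b0591053cdedfcd5f6dfb19d6",
     sha256_from_vt_link("https://www.virustotal.com/en/file/2df550dc4ef794692eea171420658827804b2b93cb39fc0b3990f75b6d1b29c1/analysis/")),
    ("Dropped malware 2 of 2", 502284, "ab6c0871794252ab3f6a2c97d87c9857",
     sha256_from_vt_link("https://www.virustotal.com/en/file/ee549fef895947a50641c96491c1e6e13c4bcd3c9f0eaa95ad5e5593a65c673e/analysis/")),
]
IOC_SIZES = {size for _, size, _, _ in IOCS}


def identify(data):
    """Return (verdict, name) for a blob, or None if it matches no IOC.
    'match' needs SHA256, MD5 and size to agree; 'partial' means only some
    of them did, which points at a table typo or a truncated sample."""
    sha = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    for name, size, ioc_md5, ioc_sha in IOCS:
        hits = (sha == ioc_sha, md5 == ioc_md5, len(data) == size)
        if all(hits):
            return ("match", name)
        if hits[0] or hits[1]:
            return ("partial", name)
    return None


def scan_directory(root):
    """Hash only files whose size equals an IOC size (cheap prefilter), then
    return {path: (verdict, name)} for everything that hit. A truncated copy
    fails the size prefilter; call identify() directly to examine those."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.getsize(path) not in IOC_SIZES:
                continue
            with open(path, "rb") as fh:
                verdict = identify(fh.read())
            if verdict:
                findings[path] = verdict
    return findings


if __name__ == "__main__":
    import sys
    for path, (verdict, name) in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(verdict, path, "->", name)
```

Matching on the SHA256 from the VirusTotal link rather than only the MD5 matters when an indicator is reused later: MD5 collisions are cheap to construct, so a stand-alone MD5 hit on a file that differs in size from the listed sample deserves a second look rather than an automatic verdict.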

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
