2014-09-26 - 32X32 GATE TO ANGLER EK ON 162.248.243.78 - QWE.TRIBUTARYKAMARUPAN.US

ASSOCIATED FILES:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


32X32 GATE & ANGLER EK:


POST-INFECTION CALLBACK TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-26-Angler-EK-flash-exploit.swf
File size:  75.3 KB ( 77062 bytes )
MD5 hash:  3bb7e6d79427d1292bbea878dfcd374d
Detection ratio:  1 / 55
First submission:  2014-09-25 07:53:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7dd2e7c9ea04c0dfd7630ce063fb1efea55f97b7e5779f22ad165e777b4b3a99/analysis/


MALWARE PAYLOAD:

File name:  2014-09-26-Angler-EK-malware-payload.dll
File size:  169.0 KB ( 173008 bytes )
MD5 hash:  fdc0b0a00d538baa62e715720f87ca61
Detection ratio:  18 / 49
First submission:  2014-09-26 16:05:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cc89927c34ce6f2e239809b609f8d4d2eec07a455731919ea94709a8aa0467ca/analysis/


DROPPED MALWARE:

File name:  qaty.exe
File size:  284.5 KB ( 291328 bytes )
MD5 hash:  92235be8cb3816e15ea608a492ae1fb7
Detection ratio:  3 / 55
First submission:  2014-09-26 16:06:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5d9890fa2f01cfd5872ff0598dd90dc4b0dae36ef4ce1de9665387bc3a50e6fb/analysis/

NOTE: The same binary was also stored as a hidden file at:
C:\ProgramData\Windows Genuine Advantage\{34320C46-8F7C-44A3-97EB-553B2E4E3FF4}\msiexec.exe


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):


HIGHLIGHTS FROM THE TRAFFIC

Malicious in page from compromised website:


Redirect pointing to Angler EK:


Angler EK delivers the obfuscated malware payload:


Deobfuscate the payload, and you'll find shellcode followed by the malicious binary:


Carve out the binary, and it appears the de-obfuscation worked:
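The carving step above (finding the PE that follows the shellcode in the deobfuscated payload and cutting it out at the right length) as an added example; this is not code from the original post. The obfuscation itself is not shown on this page, so the script starts from an already-deobfuscated blob and uses a constructed minimal PE as sample input, not the real Angler payload.

```python
import hashlib
import struct

def find_pe_candidates(blob: bytes):
    """Yield offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            # e_lfanew below 0x40 would overlap the DOS header: not a real PE
            if e_lfanew >= 0x40 and blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
                yield off
        off = blob.find(b"MZ", off + 1)

def pe_size_from_sections(blob: bytes, base: int) -> int:
    """On-disk size of the PE at `base`: the furthest end of any section's raw data."""
    pe = base + struct.unpack_from("<I", blob, base + 0x3C)[0]
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    size_opt = struct.unpack_from("<H", blob, pe + 20)[0]
    sec = pe + 24 + size_opt                      # start of the section table
    end = (sec - base) + 40 * num_sections        # at least the headers themselves
    for i in range(num_sections):
        # section header: Name(8) VirtualSize(4) VirtualAddress(4) SizeOfRawData(4) PointerToRawData(4) ...
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_pe(blob: bytes):
    """Return (offset, carved_bytes, md5) for the first valid PE in blob, or None."""
    for off in find_pe_candidates(blob):
        data = blob[off:off + pe_size_from_sections(blob, off)]
        return off, data, hashlib.md5(data).hexdigest()
    return None

def build_sample():
    """Constructed input (not the real Angler payload): 16 junk 'shellcode' bytes,
    a minimal one-section PE, then 32 bytes of trailing padding."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)  # 1 section, no optional hdr
    raw_ptr = len(dos) + len(coff) + 40                                       # section data follows headers
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + coff + sect + b"\xCC" * 0x10
    return b"\x90" * 16 + image + b"\0" * 32, image

if __name__ == "__main__":
    blob, _ = build_sample()
    off, data, md5 = carve_pe(blob)
    print(f"PE found at offset {off}, {len(data)} bytes, MD5 {md5}")
```

Comparing the MD5 of the carved bytes against the payload hash listed in the preliminary analysis is the quick way to confirm the de-obfuscation worked.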


An example of callback traffic from the infected VM:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
