2014-10-01 - 32X32 GATE LEADING TO ANGLER EK ON 66.172.27.117 - ASD.CROSSHEADING.US

ASSOCIATED FILES:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT:


ANGLER EK:


POST-INFECTION CALLBACK TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-01-Angler-EK-flash-exploit.swf
File size:  75.2 KB ( 77010 bytes )
MD5 hash:  ccb4ba9149121353c0424c4027c76328
Detection ratio:  3 / 55
First submission:  2014-09-30 21:50:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5386c90e2bd6acceea7fceca30815bb696567056eeb6a25f764c4737650b5f23/analysis/


MALWARE PAYLOAD:

File name:  2014-10-01-Angler-EK-malware-payload.dll
File size:  168.8 KB ( 172872 bytes )
MD5 hash:  91a5902a8cba2584228a15e7f959c1f9
Detection ratio:  30 / 55
First submission:  2014-09-28 06:06:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/41f58c8e4337b445d67a399e7841362a557ccbb866ef3a881638a38667e2b934/analysis/


DROPPED FILE:

File name:  DXM_Runtime.pif
File size:  60.0 KB ( 61440 bytes )
MD5 hash:  3b2f182d8df7b8b7ff8c97c2ac039310
Detection ratio:  7 / 55
First submission:  2014-10-01 05:30:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f2259b8871b81cbc4c6ee9d69c53453dbb8c6e1081dc2b18a99024e61c2b5bba/analysis/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):


SCREENSHOTS FROM THE TRAFFIC

Malicious in page from compromised website:


32x32 gate redirecting to Angler EK:


Angler EK delivers the obfuscated malware payload:


Deobfuscate the payload, and you'll find shellcode followed by the malicious binary in the same file:


Carve out the binary, and it appears the de-obfuscation worked:
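The carving step above can be scripted. This is an added example, not the author's own tooling: it scans a deobfuscated blob for a DOS header whose e_lfanew points at a valid "PE\0\0" signature (so a stray "MZ" inside the shellcode is skipped), splits the blob into shellcode and PE image, and hashes the carved image so it can be compared against the MD5 listed in the malware payload section. The sample blob is constructed for the example and is not the real Angler payload.

```python
import hashlib
import struct


def find_pe_offsets(blob: bytes) -> list:
    """Return offsets of every plausible PE image in blob.

    A candidate is an 'MZ' DOS header whose e_lfanew field (offset 0x3C)
    points to a 'PE\\0\\0' signature inside the buffer.  Checking e_lfanew
    rejects random 'MZ' byte pairs that occur inside shellcode."""
    offsets = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):  # full DOS header must fit
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\x00\x00":
                offsets.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return offsets


def carve_pe(blob: bytes) -> tuple:
    """Split a shellcode-prefixed blob into (shellcode, pe_image)."""
    offsets = find_pe_offsets(blob)
    if not offsets:
        raise ValueError("no PE header found in blob")
    start = offsets[0]
    return blob[:start], blob[start:]


def md5_hex(data: bytes) -> str:
    """MD5 of the carved image, for comparison with a VirusTotal listing."""
    return hashlib.md5(data).hexdigest()


def build_sample() -> bytes:
    """Constructed test blob (not a real payload): 64 bytes of filler
    'shellcode' containing a decoy 'MZ', then a minimal PE stub whose
    e_lfanew correctly points at its 'PE\\0\\0' signature."""
    shellcode = b"\x90" * 60 + b"MZ\x00\x00"        # decoy MZ, no PE sig
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)         # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)         # e_lfanew = 0x80
    pad = b"\x00" * (0x80 - len(dos))               # DOS stub padding
    nt = b"PE\x00\x00" + b"\x4c\x01"                # signature + i386 Machine
    return shellcode + bytes(dos) + pad + nt + b"\x00" * 32


if __name__ == "__main__":
    sc, pe = carve_pe(build_sample())
    print(f"shellcode={len(sc)} bytes, pe={len(pe)} bytes, md5={md5_hex(pe)}")
```

On a real deobfuscated Angler payload, compare the printed MD5 with the hash in the MALWARE PAYLOAD section to confirm the deobfuscation and carve were clean.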


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
