2014-10-02 - ANGLER EK FROM 66.172.27.117 - ASD.BINGEVOMITSYNDROMESEXY.NET

ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT CHAIN:


ANGLER EK:


POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name: 2014-10-02-Angler-EK-flash-exploit.swf
File size: 75.2 KB (77,010 bytes)
MD5 hash: ccb4ba9149121353c0424c4027c76328
Detection ratio: 3 / 55
First submission: 2014-09-30 21:50:25 UTC
VirusTotal link: https://www.virustotal.com/en/file/5386c90e2bd6acceea7fceca30815bb696567056eeb6a25f764c4737650b5f23/analysis/


MALWARE PAYLOAD:

File name: 2014-10-02-Angler-EK-malware-payload.exe
File size: 81.2 KB (83,192 bytes)
MD5 hash: 8f81161ea6fb29fb27f0ec4aecbee177
Detection ratio: 5 / 55
First submission: 2014-10-02 14:02:16 UTC
VirusTotal link: https://www.virustotal.com/en/file/2b7351c4975b6df7d05baa53eaf0a47ff7ef3d5a8e3884850aa38838ae256413/analysis/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


HIGHLIGHTS FROM THE TRAFFIC

Malicious script in page from compromised website:


Redirect pointing to Angler EK:


Angler EK delivers the malware payload:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
