2014-10-06 - ROTATOR GENERATES ANGLER EK ON 5.135.230.183 7DWS8YZ0K2.SDIOUVB.COM

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

ROTATOR AND ANGLER EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-10-06-Angler-EK-flash-exploit.swf
File size:  75.6 KB ( 77368 bytes )
MD5 hash:  2e77d618382e1420313e9f06047e1e61
Detection ratio:  1 / 54
First submission:  2014-10-06 10:50:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cb19baf6a4b65534bfafdb72694967290d6d5f60bd0c4ddbd282f25b878b07d3/analysis/

MALWARE PAYLOAD

File name:  2014-10-06-Angler-EK-malware-payload.dll
File size:  169.0 KB ( 173008 bytes )
MD5 hash:  f567643c24d8ca31741172135a47ec61
Detection ratio:  19 / 53
First submission:  2014-10-06 20:06:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e8465f9af2398605658f54bb3529de67f0c242245fb10979c5a0b1cb419b5b2d/analysis/
Malwr link:  https://malwr.com/analysis/N2YxZTc0ODFmZTk3NGM4ZTk5Y2U2MDljZWQ3NDY4ODk/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not counting preprocessor events):

HIGHLIGHTS FROM THE TRAFFIC

Rotator pointing to Angler EK:

Angler EK delivering malware payload.  The shellcode and malicious binary are sent together, XOR-ed with the ASCII string: adR2b4nh

Deobfuscate the payload, and you can see where the shellcode ends and the malicious binary begins:

Carve out the binary, and it appears the de-obfuscation worked:
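The de-obfuscation and carving steps above, as an added example that is not part of the original post: it assumes the key adR2b4nh is applied as a repeating byte-wise XOR over the whole blob (an assumption about the exact scheme), undoes it, and locates the PE image by validating the MZ header's e_lfanew pointer to "PE\0\0" rather than trusting the first "MZ" it sees. The sample blob is constructed inline for a self-contained run.

```python
import struct

XOR_KEY = b"adR2b4nh"  # ASCII key observed in the Angler EK payload traffic


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Undo repeating-key XOR (symmetric, so it also encodes the test sample)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_pe_offset(buf: bytes) -> int:
    """Offset of the first MZ header whose e_lfanew points at a 'PE\\0\\0' signature, else -1."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # sanity-bound e_lfanew so a random "MZ" in shellcode is not accepted
            if 0 < e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\0\0":
                return pos
        pos = buf.find(b"MZ", pos + 1)
    return -1


def carve_payload(encoded: bytes, key: bytes = XOR_KEY):
    """Return (shellcode, pe_image) split at the validated PE header, or (None, None)."""
    decoded = xor_decode(encoded, key)
    off = find_pe_offset(decoded)
    if off < 0:
        return None, None
    return decoded[:off], decoded[off:]


def build_sample() -> bytes:
    """Constructed test blob: NOP-sled-style stub followed by a minimal PE-like header, then XOR-ed."""
    shellcode = b"\x90" * 16 + b"\xe8\x00\x00\x00\x00"      # 21 bytes of stand-in shellcode
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)           # e_lfanew -> right after DOS header
    pe_stub = b"PE\0\0" + b"\x4c\x01" + b"\x00" * 18           # Machine = 0x014c (i386) + padding
    return xor_decode(shellcode + bytes(dos_header) + pe_stub)


if __name__ == "__main__":
    sc, pe = carve_payload(build_sample())
    print(f"shellcode: {len(sc)} bytes, PE image: {len(pe)} bytes, starts {pe[:2]!r}")
```

On a real capture, feed the raw response body to carve_payload and write the second element to disk for hashing and sandboxing; if it returns None the scheme or key differs from the one assumed here.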

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
