2014-10-30 - 32X32 GATE LEADS TO ANGLER EK - NO FAKE POP-UP AS SEEN BEFORE WITH THESE 32X32 GATES

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE:


FLASH FILE AND 32X32 GATE:


ANGLER EK:


POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-10-30-Angler-EK-flash-exploit.swf
File size:  85.3 KB ( 87352 bytes )
MD5 hash:  23812c5a1d33c9ce61b0882f860d79d6
Detection ratio:  3 / 54
First submission:  2014-10-29 10:25:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4d29e6e210483817f5a203f8952f9add016bd334d96cd408021a22d8ed43fd66/analysis/


JAVA EXPLOIT

File name:  2014-10-30-Angler-EK-java-exploit.jar
File size:  28.1 KB ( 28769 bytes )
MD5 hash:  ed39baded73b3b363d37b6715eba5e47
Detection ratio:  14 / 53
First submission:  2014-10-22 20:11:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a1741514c12840e657f5e71c269a2ea65135b50dfba6a9a0d757e702072d65d6/analysis/


MALWARE PAYLOAD

File name:  2014-10-30-Angler-EK-malware-payload.dll
File size:  168.9 KB ( 172944 bytes )
MD5 hash:  ad666429dfe01397cb331ae4a1aa53bb
Detection ratio:  23 / 53
First submission:  2014-10-30 15:14:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3c81e1d4550d451c8140c9d4c94fd13ef1886c1aee26f914b9da541a7b3ffd25/analysis/
Malwr.com:  https://malwr.com/analysis/MjIwODUyZTMzN2QzNDdhYzljOTU4Yjc4MjBkMjlmM2U/


FOLLOW-UP MALWARE

File name:  msiexec.exe
File size:  308.5 KB ( 315904 bytes )
MD5 hash:  4adbf26312d2396def56939fbb204a05
Detection ratio:  3 / 53
First submission:  2014-10-30 15:17:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/15f2f44137fdd1d0f754a37ae3ad807fc47daed45f9c7effc5cab200fa4a22b8/analysis/
Malwr.com:  https://malwr.com/analysis/YjlmODViZDEzMjk2NDJlZWI3OTM3NzZiMmE3YTkyMDQ/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):


SCREENSHOTS FROM THE TRAFFIC

Malicious script in page from compromised website:


Flash file and 32x32 gate redirecting to Angler EK:


Angler EK delivers the obfuscated malware payload:


Deobfuscate the payload, and you'll find shellcode followed by the malicious binary in the same file:


Carve out the binary, and it appears the de-obfuscation worked:
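As an added example (not code from the original post), here is a Python routine for the carve step described above: it scans a deobfuscated blob for an "MZ" header, validates that e_lfanew points at a real PE signature so stray "MZ" bytes inside the preceding shellcode are skipped, and sizes the binary from its section table so the carved file contains neither the shellcode before it nor any bytes after it. The post does not state the obfuscation scheme, so the example starts from an already-deobfuscated buffer and uses a constructed minimal PE as its input.

```python
import struct

def pe_disk_size(blob: bytes, mz: int, pe: int) -> int:
    """On-disk size of the image (MZ header at mz, PE signature at pe): the furthest
    PointerToRawData + SizeOfRawData in the section table, never less than the headers."""
    coff = pe + 4                                   # IMAGE_FILE_HEADER follows the signature
    if len(blob) < coff + 20:
        return 0                                    # truncated headers
    nsect, = struct.unpack_from("<H", blob, coff + 2)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", blob, coff + 16)   # SizeOfOptionalHeader
    sect = coff + 20 + opt_size                     # first IMAGE_SECTION_HEADER (40 bytes each)
    end = sect + nsect * 40 - mz                    # at minimum, the headers themselves
    for i in range(nsect):
        entry = sect + i * 40
        if len(blob) < entry + 40:
            return 0
        raw_size, raw_ptr = struct.unpack_from("<II", blob, entry + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(blob) - mz)

def carve_pe(blob: bytes, start: int = 0):
    """Return (offset, image_bytes) of the first valid PE at or after start, else None.
    A bare MZ is not enough: e_lfanew must land on the PE signature."""
    pos = blob.find(b"MZ", start)
    while pos != -1:
        if len(blob) >= pos + 0x40:
            e_lfanew, = struct.unpack_from("<I", blob, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
                size = pe_disk_size(blob, pos, pe)
                if size:
                    return pos, blob[pos:pos + size]
        pos = blob.find(b"MZ", pos + 1)              # decoy or damaged header: keep scanning
    return None

def build_sample_blob() -> bytes:
    """Constructed input: 48 filler bytes standing in for shellcode (starting with a decoy
    MZ), then a minimal 32-bit PE with one 0x200-byte section, then trailing junk."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    hdr = dos + coff + b"\0" * 0xE0 + sect
    pe = hdr + b"\0" * (0x200 - len(hdr)) + b"\xC3" * 0x200
    return b"MZ" + bytes(range(46)) + pe + b"trailing-junk"

if __name__ == "__main__":
    off, image = carve_pe(build_sample_blob())
    print(f"PE carved at offset {off}, {len(image)} bytes")    # offset 48, 1024 bytes
```

Once carved, the sanity check used in the post (does the result look like a valid binary?) is just `image[:2] == b"MZ"` plus a PE signature at e_lfanew; a file that also passes a full parser such as pefile is the stronger confirmation that de-obfuscation worked.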


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
