2014-11-10 - ANGLER EK FROM 94.23.50.217 - POMPEZNE1-BUDDH.SEEK4AUTOS.COM

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE:

GATE/REDIRECT:

ANGLER EK:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-11-10-Angler-EK-flash-exploit.swf
File size:  85.3 KB ( 87356 bytes )
MD5 hash:  eb91cb6ece528db741d1a7cc7c767250
Detection ratio:  1 / 55
First submission:  2014-11-07 20:48:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b6330cfa21822aa08fb4825f50a4126cbbe04a7f3aebd7c54379888e420e74c1/analysis/


JAVA EXPLOIT

File name:  2014-11-10-Angler-EK-java-exploit.jar
File size:  28.1 KB ( 28769 bytes )
MD5 hash:  ed39baded73b3b363d37b6715eba5e47
Detection ratio:  26 / 55
First submission:  2014-10-22 20:11:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a1741514c12840e657f5e71c269a2ea65135b50dfba6a9a0d757e702072d65d6/analysis/


MALWARE PAYLOAD

File name:  2014-11-10-Angler-EK-malware-payload.dll
File size:  256.0 KB ( 262144 bytes )
MD5 hash:  e80880c6a8ed62a9a81251505303ffdc
Detection ratio:  5 / 50
First submission:  2014-11-10 17:06:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a4d665a28e166dd89e353b39d3530548f5becdc239566a618574699f8e577a08/analysis/


Same payload sent 3 times...


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):


HIGHLIGHTS FROM THE TRAFFIC

Angler EK landing page:


Angler EK sends Flash exploit:


Angler EK sends Java exploit:


EXE payload sent after successful IE, Flash, and Java exploits:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.