2014-11-14 - ANGLER EK FROM 131.72.138.141 - ASD.SONGKILLERBONG.RU

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE:

32 CHARACTER BY 32 CHARACTER GATE & ASSOCIATED FLASH FILE:

ANGLER EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name: 2014-11-14-Angler-EK-flash-exploit.swf
File size: 43.4 KB (44474 bytes)
MD5 hash: fcf12da3baabc7f408c536d7e04692fb
Detection ratio: 1 / 53
First submission: 2014-11-13 22:09:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/9acbf49b990d2915a57cbd0faded2c7f75a7b4e7732860db44aa3e376e2289c7/analysis/

MALWARE PAYLOAD:

File name: 2014-11-14-Angler-EK-malware-payload.dll
File size: 185.5 KB (189952 bytes)
MD5 hash: 7c7794f85938710aac5b4db8b7be83c6
Detection ratio: 10 / 54
First submission: 2014-11-15 22:05:17 UTC
VirusTotal link: https://www.virustotal.com/en/file/83e468665a2e0d5b6f2e2282429dac1ff4f497918ba56adfeb662d201bc9024a/analysis/

DROPPED MALWARE:

File name: C:\Users\User-1\AppData\Roaming\Azwaf\wune.exe
File size: 252.6 KB (258642 bytes)
MD5 hash: 95b1307ef1074a9d0d24d3832776c96e
Detection ratio: 16 / 55
First submission: 2014-11-15 22:05:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/b432b2e150c97af9d9cb90cbf658629813bc0182c507c88b144f1524b38f7ace/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):

SCREENSHOTS FROM THE TRAFFIC

Malicious script from the compromised website:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.