2014-11-22 - ANGLER EK FROM 94.23.35.86 - WOJCIKTYPEINFOPTRSET.LOHRAKUPUNKTUR.DE

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

INFECTION CHAIN FROM START TO ANGLER EK:

EACH OF THE 3 MALWARE PAYLOADS CHECKS FOR CONNECTIVITY:

SOME OF THE POST-INFECTION HTTP TRAFFIC:

POST-INFECTION NON-HTTP TRAFFIC:

CLICK-FRAUD TRAFFIC BEGINS:

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including any preprocessor events):

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-11-22-Angler-EK-flash-exploit.swf
File size:  43.3 KB ( 44387 bytes )
MD5 hash:  90c525f4616f4defaea9f94c3a5c948b
Detection ratio:  1 / 55
First submission:  2014-11-21 10:32:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dee29216412731e1d36b1eaf7c1dcd4a45263bfeab853288a034f48b2cdc3dae/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-11-22-Angler-EK-silverlight-exploit.xap
File size:  46.2 KB ( 47267 bytes )
MD5 hash:  f3ea2ed969a80be7e70bad4fc11176cc
Detection ratio:  0 / 55
First submission:  2014-11-22 22:22:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f01320652ac526c0b869dbcedde6cd13b59f084a6775ee44481f3edd66a10b32/analysis/

MALWARE PAYLOAD:

File name:  2014-11-22-Angler-EK-malware-payload.dll
File size:  185.5 KB ( 189952 bytes )
MD5 hash:  49e83f884bb08d63b7a4de626d3fd561
Detection ratio:  14 / 31
First submission:  2014-11-18 21:52:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b80d725521cc7a94c3c0efd2b685c5d6c96cad0dac082309849420254982c6c3/analysis/

SOME DROPPED MALWARE FROM THE INFECTED VM:

DEOBFUSCATING THE MALWARE PAYLOAD

You can extract the payload from the pcap using Wireshark:

Looking at the extracted payload, you'll find it's obfuscated with wT6QtySY as the XOR string:

XOR the entire payload with wT6QtySY and you'll see the malware payload after the shellcode.
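
An added Python example (not code from the original post) of that XOR step: it applies the repeating key wT6QtySY to the blob extracted from the pcap and then locates the PE image that follows the shellcode by validating the MZ/PE headers rather than stopping at the first "MZ" it sees. The sample blob is constructed here to stand in for the real payload.

```python
import struct

# Repeating-key XOR string observed in this Angler EK payload (from the page).
XOR_KEY = b"wT6QtySY"


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR over the whole buffer; XOR is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_pe_offset(buf: bytes) -> int:
    """Offset of the first plausible PE image in buf, or -1 if none.

    A bare 'MZ' search gives false positives inside shellcode, so each
    candidate is confirmed by following e_lfanew (DOS header offset 0x3C)
    to a 'PE\\0\\0' signature.
    """
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = buf.find(b"MZ", pos + 1)
    return -1


def carve_payload(obfuscated: bytes, key: bytes = XOR_KEY) -> bytes:
    """Decode the blob and return the embedded PE with the shellcode prefix removed."""
    decoded = xor_decode(obfuscated, key)
    off = find_pe_offset(decoded)
    if off == -1:
        raise ValueError("no PE header after XOR decoding; wrong key?")
    return decoded[off:]


def constructed_sample() -> bytes:
    """Constructed stand-in for the blob pulled out of the pcap (not the real payload):
    42 bytes of dummy 'shellcode', then a minimal MZ/PE stub, all XORed with the key."""
    shellcode = b"\x90" * 37 + b"\xe8\x00\x00\x00\x00"
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    pe_stub = dos_header + b"\0" * (0x80 - len(dos_header)) + b"PE\0\0" + b"\x4c\x01"
    return xor_decode(shellcode + pe_stub)


if __name__ == "__main__":
    blob = constructed_sample()
    pe = carve_payload(blob)
    print(f"PE image at offset {len(blob) - len(pe)}, {len(pe)} bytes carved")
```

Point `carve_payload` at the bytes you exported from Wireshark to get the DLL that the page's MD5 hash refers to; if it raises, the export probably started at the wrong offset or the key differs for that sample.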

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.