2015-01-22 - ANGLER EK FROM 64.251.14.164 AND 207.182.149.13

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

ANGLER EK:

POST-INFECTION CONNECTIVITY CHECK BY THE MALWARE:

OTHER POST-INFECTION TRAFFIC:

ADDITIONAL ATTEMPTS TO INFECT A VM ON 2015-01-22 (NONE WERE SUCCESSFUL):

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-01-21-Angler-EK-flash-exploit.swf
File size:  43.3 KB ( 44376 bytes )
MD5 hash:  5bb88d63a37f296d6e42245421537fe6
Detection ratio:  2 / 57
First submission:  2015-01-21 10:08:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/04596a3ef7239ee9f1054a578504de80f922d65c3c86df3396f22401266d79e8/analysis/

DROPPED MALWARE FROM THE USER'S APPDATA\LOCAL\TEMP FOLDER:

File name:  dfscpnet.dll
File size:  144.4 KB ( 147828 bytes )
MD5 hash:  cd509fc9a2a8ae8a07ab2086ec6ad93a
Detection ratio:  28 / 57
First submission:  2015-01-14 23:37:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5f6e3461702e0eeaabb03bc7e6ee3c99f597102ada48321262f6b44b6ed63749/analysis/

File name:  dfscpnet64.dll
File size:  156.0 KB ( 159744 bytes )
MD5 hash:  8aca5883cd15813ac2f05d5ae7db9924
Detection ratio:  9 / 57
First submission:  2015-01-14 23:37:24 UTC
VirusTotal link:  https://www.virustotal.com/en/file/26a50199b04361cce4857a253ce4debb5c992fc120f927c2522a35127b9ea4f4/analysis/

SCREENSHOTS

You can easily find the malware payload in Wireshark by exporting HTTP objects and looking through the list.

Unfortunately, the encryption or obfuscation has changed. It doesn't appear to be a strict XOR as we've seen before with Angler EK. I wasn't able to de-obfuscate the payload.


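As an added example (not code from the original post), here is the check an analyst can run on a payload exported from Wireshark to confirm whether it is still a strict single-byte XOR of a PE file, the obfuscation earlier Angler payloads used; the sample header, keys and function names are constructed for illustration.

```python
"""Test a payload exported from Wireshark for single-byte XOR obfuscation.

Constructed example: every key 0-255 is tried and accepted only if the decoded
bytes carry an 'MZ' header whose e_lfanew field points at a 'PE\\0\\0' signature.
None means the payload is not a strict single-byte XOR of a PE file.
"""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one fixed key (the 'strict XOR' of earlier Angler payloads)."""
    return bytes(b ^ key for b in data)


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating multi-byte key; stands in for 'something other than strict XOR'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decodes_to_pe(payload: bytes, key: int) -> bool:
    """True if XOR-ing payload with key yields an MZ header pointing at a PE signature."""
    if len(payload) < 0x40:
        return False
    if bytes((payload[0] ^ key, payload[1] ^ key)) != b"MZ":
        return False
    e_lfanew = struct.unpack("<I", xor_bytes(payload[0x3C:0x40], key))[0]
    if e_lfanew + 4 > len(payload):  # pointer outside the buffer: not a real header
        return False
    return xor_bytes(payload[e_lfanew:e_lfanew + 4], key) == b"PE\0\0"


def find_single_byte_xor_key(payload: bytes):
    """Return the single-byte key that reveals a PE file, 0 for plaintext, or None."""
    for key in range(256):
        if decodes_to_pe(payload, key):
            return key
    return None


def build_fake_pe_header() -> bytes:
    """Constructed stand-in for a dropped DLL: MZ header, DOS stub, PE signature at 0x80."""
    hdr = bytearray(b"MZ" + b"\x90" * (0x3C - 2))
    hdr += struct.pack("<I", 0x80)  # e_lfanew
    hdr += DOS_STUB + b"\x00" * (0x80 - len(hdr) - len(DOS_STUB))
    hdr += b"PE\0\0" + b"\x00" * 0x40
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_fake_pe_header()
    print(find_single_byte_xor_key(xor_bytes(sample, 0x5A)))  # 90
    print(find_single_byte_xor_key(rolling_xor(sample, b"\x5a\xc3\x17")))  # None
```

Run it against the bytes saved from File > Export Objects > HTTP; a key of 0 means the object was already a plain PE, and None matches what this post saw.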
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
