2015-03-25 - ANGLER EK PUSHES RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2015-03-25-Angler-EK-traffic.pcap.zip
- 2015-03-25-post-infection-traffic.pcap.zip
- 2015-03-25-Angler-EK-malware.zip
NOTES:
- Matthew Mesa informed me these samples are Reveton.
Shown above: View of lock screen generated by the Angler EK malware payload.
CHAIN OF EVENTS
ANGLER EK:
- 188.165.230[.]181 port 80 - daaks-intensiven.buthair[.]com GET /govern_wickets_insulator/1305714616
- 188.165.230[.]181 port 80 - daaks-intensiven.buthair[.]com GET /eY9EzdMyjsjFpXD9v5uIgzKQJg4OsjbkTbQ3TOKcNKZSO2ui
- 188.165.230[.]181 port 80 - daaks-intensiven.buthair[.]com GET /JQqtNNYjlHsJNYAFZDsQEJIFAF227hht8nMx0qCyo6HRXuO8
POST-INFECTION TRAFFIC:
- 107.181.174[.]5 port 443 - encrypted or obfuscated traffic
- 107.181.174[.]5 port 80 - encrypted or obfuscated traffic
- 109.200.5[.]91 port 443 - encrypted or obfuscated traffic
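The indicators above are written in defanged form ("[.]" in place of "."), which is safe to paste into a report but will not match raw proxy or pcap output. The following script is an added example, not part of the original page: it refangs the page's indicators and runs them, together with two URI heuristics generalised from the three Angler EK requests listed above (a landing page of underscore-joined words followed by a numeric segment, and a single 48-character alphanumeric path segment), over constructed proxy-log lines. The log format, the regexes and the benign/TEST-NET addresses are assumptions for this example, not a published Angler EK signature.

```python
import re
from dataclasses import dataclass

# Indicators copied from the page above, kept in their defanged form.
ANGLER_HOSTS = {"daaks-intensiven.buthair[.]com"}
ANGLER_IPS = {"188.165.230[.]181"}
POST_INFECTION_IPS = {"107.181.174[.]5", "109.200.5[.]91"}


def refang(ioc: str) -> str:
    """Turn the page's defanged notation (x[.]y, hxxp://) back into a matchable string."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


# URI heuristics generalised from the three Angler EK GET requests on this page.
# Assumption for this example only: they are not a published Angler EK signature.
LANDING_RE = re.compile(r"^/[a-z]+(?:_[a-z]+)+/\d{6,}$")   # /govern_wickets_insulator/1305714616
PAYLOAD_RE = re.compile(r"^/[A-Za-z0-9]{48}$")             # /eY9Ezd...O2ui (48 chars)


@dataclass
class Hit:
    line_no: int
    reason: str
    detail: str


def parse_proxy_line(line: str):
    """Parse a constructed proxy-log format: '<src_ip> <dst_ip>:<port> <METHOD> <host> <uri>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, dst, method, host, uri = parts
    dst_ip, _, port = dst.rpartition(":")
    return {"src": src, "dst_ip": dst_ip, "port": port,
            "method": method, "host": host, "uri": uri}


def scan(lines):
    """Return one Hit per log line that matches a page indicator or a URI heuristic."""
    hosts = {refang(h) for h in ANGLER_HOSTS}
    ek_ips = {refang(i) for i in ANGLER_IPS}
    c2_ips = {refang(i) for i in POST_INFECTION_IPS}
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if rec["dst_ip"] in c2_ips:
            hits.append(Hit(n, "post-infection C2 IP", f"{rec['dst_ip']}:{rec['port']}"))
            continue
        known = rec["host"] in hosts or rec["dst_ip"] in ek_ips
        if LANDING_RE.match(rec["uri"]):
            reason = "Angler EK landing page" if known else "possible EK landing URI (heuristic)"
        elif PAYLOAD_RE.match(rec["uri"]):
            reason = "Angler EK exploit/payload URI" if known else "possible EK payload URI (heuristic)"
        elif known:
            reason = "known Angler EK host"
        else:
            continue
        hits.append(Hit(n, reason, f"{rec['host']}{rec['uri']}"))
    return hits


# Constructed sample log: the three requests from the page, one benign request to a
# TEST-NET address, and the two post-infection destinations as CONNECT tunnels.
SAMPLE_LOG = [
    "10.0.0.5 188.165.230.181:80 GET daaks-intensiven.buthair.com /govern_wickets_insulator/1305714616",
    "10.0.0.5 188.165.230.181:80 GET daaks-intensiven.buthair.com /eY9EzdMyjsjFpXD9v5uIgzKQJg4OsjbkTbQ3TOKcNKZSO2ui",
    "10.0.0.5 188.165.230.181:80 GET daaks-intensiven.buthair.com /JQqtNNYjlHsJNYAFZDsQEJIFAF227hht8nMx0qCyo6HRXuO8",
    "10.0.0.5 192.0.2.10:80 GET www.example.com /index.html",
    "10.0.0.5 107.181.174.5:443 CONNECT - -",
    "10.0.0.5 109.200.5.91:443 CONNECT - -",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason} -> {hit.detail}")
```

The heuristic-only branches ("possible ... (heuristic)") deliberately fire without a known host or IP so that a renamed landing domain is still surfaced for review; treat those as leads to confirm against the pcap, not as verdicts.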
MALWARE FROM THE INFECTED HOST
File name: C:\ProgramData\209DC823C.cpp (decrypted Angler EK malware payload, a DLL file)
File size: 180,224 bytes
MD5 hash: 69c381c069c53c385b5d4269e9d922cb
Detection ratio: 3 / 57
First submission: 2015-03-25 17:08:52 UTC
VirusTotal link: https://www.virustotal.com/en/file/4644de6f506cae0ea42adfea787ba5f94772b17d91be8763aa24354e38c7930e/analysis/
File name: C:\ProgramData\209DC823C.cpp (another DLL)
File size: 359,424 bytes
MD5 hash: c894c6ef9041e1bfee0806619a1779ec
Detection ratio: 4 / 57
First submission: 2015-03-25 17:09:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/e685e75497f52d934edc0dca289cc6931c93cdef02bd180200952606875ddbaa/analysis/