2015-03-25 - ANGLER EK PUSHES RANSOMWARE

ASSOCIATED FILES:

 

NOTES:



Shown above: partial screenshot from the first malware sample on 2015-03-23.

 



Shown above: full screenshot from the second malware sample on 2015-03-25.

 

CHAIN OF EVENTS

2015-03-23 ANGLER EK:

2015-03-23 POST-INFECTION TRAFFIC:

 

2015-03-25 ANGLER EK:

2015-03-25 POST-INFECTION TRAFFIC:

 

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Suricata on Security Onion (without ET POLICY or ET INFO events):

Signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.2 on Debian 7:
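The two event lists above were produced by running the pcaps through Suricata and Snort and then trimming the ET POLICY and ET INFO hits out of the Emerging Threats results. The following is an added example (not code from this page or from malware-traffic-analysis.net) of doing that reduction on a fast.log: it parses each alert line, drops the excluded ET categories, and collapses repeated hits of the same SID into one line with a count. The sample log lines are constructed; their SIDs sit in the local 1000000+ range and their messages are placeholders, not real Emerging Threats or Talos rules.

```python
"""Parse Suricata/Snort fast.log alert lines, drop the ET POLICY and ET INFO
categories, and summarise what is left by SID.  Added example, not the page's code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# fast.log line layout:
#   MM/DD/YYYY-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {proto} src:port -> dst:port
_FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alerts (RFC 5737 addresses, placeholder SIDs and messages).
SAMPLE_FAST_LOG = """\
03/23/2015-18:55:01.000001  [**] [1:1000001:1] ET INFO constructed-info-event [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:49201 -> 203.0.113.5:80
03/23/2015-18:55:02.000002  [**] [1:1000002:1] ET CURRENT_EVENTS constructed-ek-landing-event [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:49202 -> 203.0.113.5:80
03/23/2015-18:55:03.000003  [**] [1:1000003:1] ET POLICY constructed-policy-event [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:49203 -> 203.0.113.5:80
03/23/2015-18:55:04.000004  [**] [1:1000004:1] ETPRO TROJAN constructed-post-infection-event [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:49204 -> 198.51.100.7:80
03/23/2015-18:55:05.000005  [**] [1:1000002:1] ET CURRENT_EVENTS constructed-ek-landing-event [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:49205 -> 203.0.113.5:80
"""

# Categories the page leaves out of its ET list.
EXCLUDED_CATEGORIES = ("ET POLICY", "ET INFO")


@dataclass(frozen=True)
class Event:
    timestamp: str
    sid: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str

    @property
    def category(self) -> str:
        """Ruleset prefix plus rule category from an ET-style message,
        e.g. 'ET POLICY' or 'ETPRO TROJAN' (first two words of msg)."""
        return " ".join(self.msg.split()[:2])


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a fast.log alert line, or None if it does not parse."""
    m = _FAST_RE.match(line)
    if not m:
        return None
    return Event(m["ts"], int(m["sid"]), m["msg"], m["cls"] or "",
                 int(m["prio"]), m["proto"], m["src"], m["dst"])


def parse_fast_log(text: str) -> List[Event]:
    """Parse every line of a fast.log, silently skipping non-alert lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def filter_events(events: Iterable[Event],
                  excluded: Tuple[str, ...] = EXCLUDED_CATEGORIES) -> List[Event]:
    """Drop events whose ET category is in `excluded` (default: ET POLICY, ET INFO)."""
    return [e for e in events if e.category not in excluded]


def summarize(events: Iterable[Event]) -> List[Tuple[int, str, int]]:
    """One (sid, msg, hit count) tuple per SID, in order of first appearance."""
    events = list(events)
    counts = Counter(e.sid for e in events)
    seen, out = set(), []
    for e in events:
        if e.sid not in seen:
            seen.add(e.sid)
            out.append((e.sid, e.msg, counts[e.sid]))
    return out


if __name__ == "__main__":
    for sid, msg, n in summarize(filter_events(parse_fast_log(SAMPLE_FAST_LOG))):
        print(f"{sid}  {msg}  (x{n})")
```

The category filter keys on the first two words of the alert message, which is how Emerging Threats names its rules; Talos VRT messages use a different prefix scheme ("MALWARE-CNC ...", "EXPLOIT-KIT ..."), so for the Snort output above you would pass a different `excluded` tuple or skip the filter entirely.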

 

MALWARE FROM THE INFECTED HOST

2015-03-23:

File name:  C:\ProgramData\ADC290768.cpp   (decrypted Angler EK malware payload, a DLL file)
File size:  232.0 KB ( 237568 bytes )
MD5 hash:  95a0cafb24e9edcbdb52e685f7b5a5b3
Detection ratio:  22 / 57
First submission:  2015-03-23 18:56:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d46699b085adb4e235c80c5359cff975c5b5e3f9e136400d89ad29af8fad4c72/analysis/

 

File name:  C:\ProgramData\C328CD902.zot   (another DLL)
File size:  350.5 KB ( 358912 bytes )
MD5 hash:  2479dd9b68bd7c137edae000c728f86d
Detection ratio:  9 / 57
First submission:  2015-03-23 18:59:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fe3598d7ce646329c95d17f8a6706a4a8f758e780f426b4ec527ff33c4df3b55/analysis/

 

2015-03-25:

File name:  C:\ProgramData\209DC823C.cpp   (decrypted Angler EK malware payload, a DLL file)
File size:  176.0 KB ( 180224 bytes )
MD5 hash:  69c381c069c53c385b5d4269e9d922cb
Detection ratio:  3 / 57
First submission:  2015-03-25 17:08:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4644de6f506cae0ea42adfea787ba5f94772b17d91be8763aa24354e38c7930e/analysis/

 

File name:  C:\ProgramData\209DC823C.cpp   (another DLL)
File size:  351.0 KB ( 359424 bytes )
MD5 hash:  c894c6ef9041e1bfee0806619a1779ec
Detection ratio:  4 / 57
First submission:  2015-03-25 17:09:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e685e75497f52d934edc0dca289cc6931c93cdef02bd180200952606875ddbaa/analysis/
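The listing above gives each sample's size, MD5 and a VirusTotal link whose path carries the SHA256. The following is an added example (not code from this page or from malware-traffic-analysis.net) that turns that listing into indicator records and checks files on disk against them: it parses the page's own listing format, pulls the SHA256 out of the VirusTotal URL, pre-filters candidate files by size so only plausible ones are hashed, and reports matches by MD5 or SHA256. Matching is done on hashes rather than file names on purpose: the ProgramData names are per-infection, and the two 2015-03-25 entries above even share a name on this page. The listing text embedded in the block is copied from the page; everything else is the example's own.

```python
"""Parse the page's VirusTotal-style file listing into IOC records and check files
against them by size and hash.  Added example, not the page's code."""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four entries from the "MALWARE FROM THE INFECTED HOST" section, in the page's
# own listing format.  A raw string keeps the Windows path backslashes intact.
LISTING = r"""
File name:  C:\ProgramData\ADC290768.cpp   (decrypted Angler EK malware payload, a DLL file)
File size:  232.0 KB ( 237568 bytes )
MD5 hash:  95a0cafb24e9edcbdb52e685f7b5a5b3
Detection ratio:  22 / 57
First submission:  2015-03-23 18:56:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d46699b085adb4e235c80c5359cff975c5b5e3f9e136400d89ad29af8fad4c72/analysis/

File name:  C:\ProgramData\C328CD902.zot   (another DLL)
File size:  350.5 KB ( 358912 bytes )
MD5 hash:  2479dd9b68bd7c137edae000c728f86d
Detection ratio:  9 / 57
First submission:  2015-03-23 18:59:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fe3598d7ce646329c95d17f8a6706a4a8f758e780f426b4ec527ff33c4df3b55/analysis/

File name:  C:\ProgramData\209DC823C.cpp   (decrypted Angler EK malware payload, a DLL file)
File size:  176.0 KB ( 180224 bytes )
MD5 hash:  69c381c069c53c385b5d4269e9d922cb
Detection ratio:  3 / 57
First submission:  2015-03-25 17:08:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4644de6f506cae0ea42adfea787ba5f94772b17d91be8763aa24354e38c7930e/analysis/

File name:  C:\ProgramData\209DC823C.cpp   (another DLL)
File size:  351.0 KB ( 359424 bytes )
MD5 hash:  c894c6ef9041e1bfee0806619a1779ec
Detection ratio:  4 / 57
First submission:  2015-03-25 17:09:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e685e75497f52d934edc0dca289cc6931c93cdef02bd180200952606875ddbaa/analysis/
"""

# One entry = six consecutive lines in the order the page uses.  The SHA256 is the
# /file/<hash>/ component of the VirusTotal link.
_ENTRY_RE = re.compile(
    r"File name:\s+(?P<name>\S+)[^\n]*\n"
    r"File size:[^\n]*?\(\s*(?P<size>\d+)\s+bytes\s*\)[^\n]*\n"
    r"MD5 hash:\s+(?P<md5>[0-9a-fA-F]{32})[^\n]*\n"
    r"Detection ratio:\s+(?P<det>\d+)\s*/\s*(?P<eng>\d+)[^\n]*\n"
    r"First submission:\s+(?P<sub>[^\n]+?)\s*\n"
    r"VirusTotal link:\s+https://www\.virustotal\.com/[^\n]*?/file/(?P<sha256>[0-9a-fA-F]{64})/"
)


@dataclass(frozen=True)
class FileIOC:
    file_name: str
    size_bytes: int
    md5: str
    sha256: str
    detections: int
    engines: int
    first_submission: str


def parse_listing(text: str) -> List[FileIOC]:
    """Extract every file entry from listing text in the page's format."""
    return [
        FileIOC(m["name"], int(m["size"]), m["md5"].lower(), m["sha256"].lower(),
                int(m["det"]), int(m["eng"]), m["sub"])
        for m in _ENTRY_RE.finditer(text)
    ]


def hash_bytes(data: bytes) -> Tuple[int, str, str]:
    """(size, md5 hex, sha256 hex) of an in-memory blob."""
    return len(data), hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> Tuple[int, str, str]:
    """(size, md5 hex, sha256 hex) of a file, read in chunks so large files are fine."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def match_hashes(size: int, md5: str, sha256: str, iocs: List[FileIOC]) -> Optional[FileIOC]:
    """Return the IOC whose SHA256 or MD5 equals the given hashes (case-insensitive),
    or None.  Size is not required to agree: a hash match is the stronger signal."""
    md5, sha256 = md5.lower(), sha256.lower()
    for ioc in iocs:
        if ioc.sha256 == sha256 or ioc.md5 == md5:
            return ioc
    return None


def scan_directory(root: str, iocs: List[FileIOC]) -> List[Tuple[str, FileIOC]]:
    """Walk `root`, hashing only files whose size equals some listed sample
    (cheap pre-filter), and return (path, ioc) for every hash match."""
    sizes = {ioc.size_bytes for ioc in iocs}
    hits: List[Tuple[str, FileIOC]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) not in sizes:
                    continue
                ioc = match_hashes(*hash_file(path), iocs)
            except OSError:
                continue  # unreadable or vanished file; skip it
            if ioc is not None:
                hits.append((path, ioc))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, ioc in scan_directory(target, parse_listing(LISTING)):
        print(f"{path}: matches {ioc.file_name} (md5 {ioc.md5}, "
              f"{ioc.detections}/{ioc.engines} VT detections at first submission)")
```

Run it as `python script.py C:\ProgramData` (or any extracted-files directory) to list matches. The size pre-filter means a sample that has been padded or trimmed will not be hashed at all; drop the `getsize` check if you are scanning a small directory and want every file hashed regardless.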

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
