2015-06-08 - ANGLER EK - MORE CHANGES IN TRAFFIC PATTERNS

PCAP AND MALWARE:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


FLASH AD REDIRECT:


ANGLER EK:


POST-INFECTION TRAFFIC:


SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-06-08-Angler-EK-flash-exploit.swf
File size:  54.1 KB ( 55364 bytes )
MD5 hash:  e1ee52baee1ac7fe876cf6581e669b6c
Detection ratio:  1 / 57
First submission:  2015-06-08 07:42:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/822f6cefa9540916ec99027a2fefa4b358c8b504149fa7b5a760fe5d8e146d4f/analysis/


MALWARE PAYLOAD:

File name:  2015-06-08-Angler-EK-malware-payload.exe
File size:  362.4 KB ( 371060 bytes )
MD5 hash:  d5cd69ad84cc4381275d93c400702f2f
Detection ratio:  1 / 57
First submission:  2015-06-08 14:03:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/70519e4834f3a2b3a7128bbe8d2afd01f9839210c8cf78ab726f5a78fbeee4a7/analysis/
Malwr link:  https://malwr.com/analysis/N2M1M2ZmNDRhNGVkNDhiMDhlNTg2ZmE2NjQwZWFmM2U/


VAWTRAK FOUND ON INFECTED HOST:

File name:  C:\ProgramData\DajaXunuq\PupqUhgo.pmh
File size:  277.9 KB ( 284582 bytes )
MD5 hash:  a0141ac093a4f2bb64e8da3829d4b8a8
Detection ratio:  3 / 57
First submission:  2015-06-08 14:03:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/01a7eddf67453285289a3916cadea7dc3fc60028662feae12d32c693a7f1236c/analysis/
Malwr link:  https://malwr.com/analysis/OWY1YjY4NjMzNGY3NDlhY2JmODUyZDNkMjViMDI2ZWM/
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: DajaXunuq
Type: REG_SZ
Data: regsvr32.exe "C:\ProgramData\DajaXunuq\PupqUhgo.pmh"
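The Run-key entry above (regsvr32.exe loading a renamed module from C:\ProgramData) is the host-side indicator worth hunting for. The following is an added example, not the page's own code: a Python triage script that flags Run values where regsvr32.exe loads a file with a non-DLL extension or from a user-writable data directory. On Windows it reads HKCU Run via winreg; elsewhere it runs over a constructed sample that includes the Vawtrak entry recorded above (the other sample entries are made up).

```python
import ntpath
import platform
import re
from typing import Dict, List

# Matches "regsvr32[.exe] [/s] <path>" with the path optionally quoted.
REGSVR32_RE = re.compile(
    r'regsvr32(?:\.exe)?\s+(?:/s\s+)?"?([^"]+?)"?\s*$', re.IGNORECASE)

# Extensions a legitimate regsvr32 registration normally uses.
EXPECTED_EXTENSIONS = {".dll", ".ocx", ".ax"}

# Constructed sample of HKCU Run values: first entry mirrors the Vawtrak
# persistence recorded on this page, the other two are invented filler.
SAMPLE_RUN_VALUES = {
    "DajaXunuq": r'regsvr32.exe "C:\ProgramData\DajaXunuq\PupqUhgo.pmh"',
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "VendorHelper": r'regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"',
}

def flag_run_value(name: str, data: str) -> List[str]:
    """Return the reasons a Run value looks like regsvr32-based persistence."""
    m = REGSVR32_RE.search(data.strip())
    if not m:
        return []
    path = m.group(1)
    reasons = ["regsvr32 used as Run-key loader"]
    ext = ntpath.splitext(path)[1].lower()
    if ext not in EXPECTED_EXTENSIONS:
        reasons.append(f"non-DLL extension '{ext}'")
    lowered = path.lower()
    if "\\programdata\\" in lowered or "\\appdata\\" in lowered:
        reasons.append("module stored under a user-writable data directory")
    return reasons

def scan_run_values(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its list of reasons."""
    return {n: flag_run_value(n, d) for n, d in values.items() if flag_run_value(n, d)}

def read_hkcu_run() -> Dict[str, str]:
    """Read the HKCU Run key on Windows; elsewhere return the constructed sample."""
    if platform.system() != "Windows":
        return SAMPLE_RUN_VALUES
    import winreg  # Windows-only module
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            out[name] = str(data)
            i += 1
    return out

if __name__ == "__main__":
    for name, reasons in scan_run_values(read_hkcu_run()).items():
        print(f"{name}: " + "; ".join(reasons))
```

Entries that use regsvr32 with a normal .dll path (like the constructed VendorHelper) are reported with only the base reason, so the extra reasons are what separate the Vawtrak-style entry from ordinary registrations.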


FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
