2015-10-12 - ANGLER EK SENDS FROM 217.172.170.4 SENDS BEDEP

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE:

 

ANGLER EK:

 

SOME OF THE POST-INFECTION TRAFFIC:

 

SNORT-BASED EVENTS

I used tcpreplay on the pcap in Security Onion using Suricata with the Emerging Threats open and ETpro rulesets.  Below shows a screenshot with some of the signature hits:

 

PRELIMINARY MALWARE ANALYSIS

ANGLER EK FLASH EXPLOIT:

 

MALWARE RETRIEVED FROM THE INFECTED HOST:

NOTE:  api-ms-win-system-hal-l1-1-0.dll was deleted shortly after the file appeared on the infected host.

 

REGISTRY KEYS ASSOCIATED WITH THIS INFECTION:

 

VALUES FOR ALL THE ABOVE REGISTRY KEYS:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.