2015-12-29 - ANGLER EK FROM 185.86.77.52 SENDS BEDEP

ASSOCIATED FILES:

NOTES:


Shown above:  Injected script in page from the compromised website.

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

Shown above:  Today's pcap filtered in Wireshark.

COMPROMISED WEBSITE:

ANGLER EK:

POST-INFECTION TRAFFIC:

MALWARE

ANGLER EK FLASH EXPLOIT:

File name:  2015-12-29-Angler-EK-flash-exploit.swf
File size:  144.4 KB (147,899 bytes)
MD5 hash:  80d2ac3a04575ae1a82efa696b8cf63c
SHA1 hash:  e53e9b0569a191dc44acf62589ffaf032d61e718
SHA256 hash:  d098b9d43822fb91e3637245c601deb5048e272f4b1cfba64e4e232cbe46204c
Detection ratio:  2 / 55
First submission:  2015-12-29 18:09:00 UTC
VirusTotal link:  https://www.virustotal.com/fr/file/d098b9d43822fb91e3637245c601deb5048e272f4b1cfba64e4e232cbe46204c/analysis/

MALWARE RETRIEVED FROM THE INFECTED HOST:

File name:  C:\Users\[username]\AppData\Local\Temp\Low\{7D555416-3C46-47C6-B36F-EED7F0E3A14E}\mpr10.dll
File size:  158.5 KB (162,304 bytes)
MD5 hash:  26dfaca0c70c6eee983b56aaed834181
SHA1 hash:  2d04bf688b74507732822184c80cd4133e5fb753
SHA256 hash:  443cfadafc5708e1a5554a29074911c31c814c4b2723275cb043834f8ceb4506
Detection ratio:  1 / 53
First submission:  2015-12-29 18:08:12 UTC
VirusTotal link:  https://www.virustotal.com/fr/file/443cfadafc5708e1a5554a29074911c31c814c4b2723275cb043834f8ceb4506/analysis/

File name:  C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}\umpo.dll
File size:  384.0 KB (393,216 bytes)
MD5 hash:  1edd87181f176f0566f5007360d07623
SHA1 hash:  5e8454ae24804bcceb80667ac6b76c7e826e67ca
SHA256 hash:  04b76e4f909a96de2a64266f18996422c24294d8767156067d62a991cc965ff5
Detection ratio:  4 / 55
First submission:  2015-12-29 18:08:35 UTC
VirusTotal link:  https://www.virustotal.com/fr/file/04b76e4f909a96de2a64266f18996422c24294d8767156067d62a991cc965ff5/analysis/

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.