2016-01-26 - EITEST ANGLER EK SENDS BEDEP AND TESLACRYPT

PCAP AND MALWARE:

 

NOTES:

 

CHAIN OF EVENTS


Shown above:  A pcap of the traffic filtered in Wireshark showing the HTTP requests.

 


Shown above:  Injected script in a page from the compromised website.

 

ASSOCIATED DOMAINS:

 

PRELIMINARY MALWARE ANALYSIS

Angler EK Flash exploit:

File name:  2016-01-26-EITest-Angler-EK-flash-exploit.swf
File size:  37.7 KB ( 38,567 bytes )
MD5 hash:  b1548dadecb146cdf2f5a82dc24cca4d
SHA1 hash:  93ffb65a933f1f5877151a6a8c04eaeead7a0a5f
SHA256 hash:  a75aa793c6a32f4edf6500878da62304c6a21a45c929405d641b383813fe7827
Detection ratio:  1 / 54
First submission:  2016-01-26 23:13:34 UTC
VirusTotal link:  click here

 

Post-infection artifact found after Bedep infection by Angler EK:

File name:  C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\browser.dll
File size:  340.4 KB ( 348,528 bytes )
MD5 hash:  a2120d6ac0492e59c91624784b1ae424
SHA1 hash:  4a21c3f8e943a9366626dd99c96c24f9be162bd7
SHA256 hash:  a2fba94e18a49cc830b364a7048fd58776f5b69749775879165baa077a4d38f6
Detection ratio:  5 / 54
First submission:  2016-01-26 23:13:09 UTC
VirusTotal link:  click here

Associated Registry keys updated for persistence:

  • HKEY_CLASSES_ROOT\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
  • HKEY_USERS\[removed]\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
  • HKEY_USERS\[removed]\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Values for the above registry keys (Name - Type - Value):

  • (Default) - REG_SZ - C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\browser.dll
  • ThreadingModel - REG_SZ - Apartment
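The persistence entries above (a CLSID InprocServer32 default value pointing at a DLL under ProgramData) are the kind of thing a responder can hunt for in a registry export. The following is an added example, not code from the original page or its samples: it parses a constructed REGEDIT5-style export and flags InprocServer32 keys whose server DLL lives in a user- or world-writable directory. The CLSID, DLL path and ThreadingModel value mirror the listing above; the benign entry and the SUSPICIOUS_PREFIXES list are assumptions for the demo.

```python
import re

# Constructed REGEDIT5-style export for this demo (not an export from the page's
# infected host). The first key mirrors the Bedep persistence entry listed above;
# the second is a made-up benign entry for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32]
@="C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\browser.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\ole32.dll"
"ThreadingModel"="Both"
"""

# Directories an in-process COM server DLL should not normally be loaded from:
# user- or world-writable locations, as with the ProgramData path in this case.
SUSPICIOUS_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (REG_SZ decoded)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_suspicious_inprocserver32(text):
    """Return (key, dll_path) for CLSID InprocServer32 keys whose default value points under SUSPICIOUS_PREFIXES."""
    hits = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if "\\clsid\\" in k and k.endswith("\\inprocserver32"):
            dll = values.get("(Default)", "")
            if dll.lower().startswith(SUSPICIOUS_PREFIXES):
                hits.append((key, dll))
    return hits
```

Run against a real `reg export HKCU\Software\Classes\CLSID` output (saved as UTF-8) the same function reports any InprocServer32 entry loading from those directories; the ThreadingModel value is kept in the parsed dictionary for context.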

 

TeslaCrypt sample after the infection (1 of 2):

File name:  2016-01-26-TeslaCrypt-sample-1-of-2-after-EITest-Angler-EK.exe
File size:  492.0 KB ( 503,808 bytes )
MD5 hash:  993cac53e4cf21a1ba22e5e44c898a27
SHA1 hash:  bb950cf33be7faace67c3cfbf1fd075896ff37d2
SHA256 hash:  72361b163bc7ca8a0ecf48c037bd97d716e26527ab67b36f049cc9f9701fc9e5
Detection ratio:  8 / 54
First submission:  2016-01-26 23:14:00 UTC
VirusTotal link:  click here
Malwr link:  click here

 

TeslaCrypt sample after the infection (2 of 2):

File name:  2016-01-26-TeslaCrypt-sample-2-of-2-after-EITest-Angler-EK.exe
File size:  389.0 KB ( 398,336 bytes )
MD5 hash:  795aa090240094ad58a6a567fb612db4
SHA1 hash:  1cd21e32fa345b83997b554b41d99e2e3054ff36
SHA256 hash:  95bf91bf7fa4d4c22a4ed2b90d9ddb5ff0e30a8088e8077021e75d754f85cb13
Detection ratio:  40 / 54
First submission:  2016-01-20 18:29:59 UTC
VirusTotal link:  click here
Malwr link:  click here

 

SCREENSHOTS


Shown above:  The Windows desktop after being infected by today's EITest actor Angler EK.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.