2016-02-10 - EITEST ANGLER EK FROM 89.45.67.75

PCAP AND MALWARE:
NOTES:
CHAIN OF EVENTS

DATE/TIME OF THE INFECTION:  2016-02-10 15:56 UTC
DATE/TIME OF MALWR.COM ANALYSIS:  2016-02-10 16:26 UTC
PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2016-02-10-EITest-Angler-EK-flash-exploit.swf
File size:  63.7 KB (65,191 bytes)
MD5 hash:  5ec65f2f6ee971c458315d13d3729835
SHA1 hash:  fd641af682c4d991a1bfaee6d0051e881be609aa
SHA256 hash:  44f57274fe2c7d3dd2359549766f375da0d22a569b6e73421499063bddc1762f
Detection ratio:  1 / 54
First submission:  2016-02-10 16:27:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/44f57274fe2c7d3dd2359549766f375da0d22a569b6e73421499063bddc1762f/analysis/
MALWARE PAYLOAD:

File name:  2016-02-10-EITest-Angler-EK-malware-payload.exe
File size:  308.0 KB (315,392 bytes)
MD5 hash:  fd36d1e2be1f0079c7cb66288778ffa9
SHA1 hash:  292606f34e9a86fe44527bfcaa91c14a88676cba
SHA256 hash:  3cd08d9ad04c3b72dcbcb07259d94df479b7cba5b9d08350c5e3cfd5718a3f82
Detection ratio:  4 / 53
First submission:  2016-02-10 16:17:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3cd08d9ad04c3b72dcbcb07259d94df479b7cba5b9d08350c5e3cfd5718a3f82/analysis/
Malwr link:  https://malwr.com/analysis/YTBkNGZjYjU2MTc0NDcyOTljZGNhNWY4MDhkYjcyMmM/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/3cd08d9ad04c3b72dcbcb07259d94df479b7cba5b9d08350c5e3cfd5718a3f82?environmentId=4
IMAGES


Shown above:  Injected script in page from the compromised website.
Shown above:  Pcap of the infection traffic filtered in Wireshark.
Shown above:  Pcap from malwr.com of traffic caused by the malware payload.
Shown above:  Alert triggered by the post-infection traffic from Sguil on Security Onion.
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.