2014-04-28 - ANGLER EK FROM 85.10.220.153 (FUMINEXYVEQCCS.COM and SKWOSH.EU)
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-04-28-Angler-EK-all-pcaps.zip
- ZIP file of the malware: 2014-04-28-Angler-EK-malware.zip
NOTES:
- After finding a redirect to Angler EK on scumware.org, I investigated further, using different VMs to get the associated Flash, Silverlight, and Java exploits.
- This is very much like the Angler EK traffic I found a few days ago on 2014-04-22.
- I've also done Angler EK writeups on 2014-02-26, 2014-02-27, and 2014-03-23.
- The malware payload is not just XOR-ed with an 8-character ASCII string; other bytes are modified as well in Angler EK traffic, as noted here.
- I grabbed the malware payload from an infected host's AppData\Local\Temp directory.
INFECTION TRAFFIC
ASSOCIATED DOMAINS
- 193.225.32.11 - www.ektf.hu - Provides malicious JavaScript
- 213.192.241.64 - ortoexport.es - Redirect
- 85.10.220.153 - xenexo9fj6.fuminexyveqccs.com, k615o5ij7f.skwosh.eu, and 1ldaph7slm.fuminexyveqccs.com - Angler EK
ANGLER EK USING A FLASH EXPLOIT:
- 03:02:32 UTC - 192.168.204.229:50547 - 193.225.32.11:80 - www.ektf.hu - GET /~forgos/hivatkoz/mediaismeret/common.js
- 03:04:14 UTC - 192.168.204.229:50549 - 213.192.241.64:80 - ortoexport.es - GET /esd.php?id=6075481
- 03:04:16 UTC - 192.168.204.229:50552 - 85.10.220.153:80 - xenexo9fj6.fuminexyveqccs.com - GET /1og4ea1qd9
- 03:04:16 UTC - 192.168.204.229:50552 - 85.10.220.153:80 - xenexo9fj6.fuminexyveqccs.com - GET /Yatj1vASpyx68zn1BEIiAfHh4_o6EL5IUyGL-7TcdDandTs6
- 03:04:19 UTC - 192.168.204.229:50552 - 85.10.220.153:80 - xenexo9fj6.fuminexyveqccs.com - GET /aCnWQJCNmIexkEGzbjnrtWXVYbLgBrgGyQKNivxWweabosCr
Snort events from Security Onion:
- 2014-04-28 03:04:16 UTC - 85.10.220.153:80 - 192.168.204.229:50552 - ET CURRENT_EVENTS Angler EK Landing Apr 14 2014
- 2014-04-28 03:04:16 UTC - 85.10.220.153:80 - 192.168.204.229:50552 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2
- 2014-04-28 03:04:16 UTC - 192.168.204.229:50552 - 85.10.220.153:80 - ET POLICY Outdated Windows Flash Version IE
- 2014-04-28 03:04:19 UTC - 85.10.220.153:80 - 192.168.204.229:50552 - ET CURRENT_EVENTS Angler EK encrypted binary (4)
ANGLER EK USING A JAVA EXPLOIT:
- 03:34:17 UTC - 192.168.204.211:49277 - 193.225.32.11:80 - www.ektf.hu - GET /~forgos/hivatkoz/mediaismeret/common.js
- 03:34:31 UTC - 192.168.204.211:49278 - 213.192.241.64:80 - ortoexport.es - GET /esd.php?id=6075481
- 03:34:32 UTC - 192.168.204.211:49280 - 85.10.220.153:80 - k615o5ij7f.skwosh.eu - GET /38104p5h2c
- 03:34:35 UTC - 192.168.204.211:49280 - 85.10.220.153:80 - k615o5ij7f.skwosh.eu - HEAD /PVfXBbR9WReNMmbQzLqrbDvNmen2ConnpC4tVP6U4RFI4HnE
- 03:34:36 UTC - 192.168.204.211:49280 - 85.10.220.153:80 - k615o5ij7f.skwosh.eu - GET /PVfXBbR9WReNMmbQzLqrbDvNmen2ConnpC4tVP6U4RFI4HnE
- 03:34:51 UTC - 192.168.204.211:49282 - 85.10.220.153:80 - k615o5ij7f.skwosh.eu - GET /B1ly2ZsCJmTtbf1fvn9nq5icFcMJ_5k0Y_pM4quA-aaOABjU
- 03:34:51 UTC - 192.168.204.211:49283 - 85.10.220.153:80 - k615o5ij7f.skwosh.eu - GET /B1ly2ZsCJmTtbf1fvn9nq5icFcMJ_5k0Y_pM4quA-aaOABjU
- 03:34:52 UTC - 192.168.204.211:49283 - 85.10.220.153:80 - k615o5ij7f.skwosh.eu - GET /B1ly2ZsCJmTtbf1fvn9nq5icFcMJ_5k0Y_pM4quA-aaOABjU
- 03:34:52 UTC - 192.168.204.211:49283 - 85.10.220.153:80 - k615o5ij7f.skwosh.eu - GET /sKnzzzw4JVL9dI2rSK1ncned32zADb1Yb0z_iSVEXx5fOf1E
Snort events from Security Onion:
- 2014-04-28 03:34:33 UTC - 85.10.220.153:80 - 192.168.204.211:49280 - ET CURRENT_EVENTS Angler EK Landing Apr 14 2014
- 2014-04-28 03:34:33 UTC - 85.10.220.153:80 - 192.168.204.211:49280 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2
- 2014-04-28 03:34:51 UTC - 192.168.204.211:49282 - 85.10.220.153:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
- 2014-04-28 03:34:51 UTC - 192.168.204.211:49282 - 85.10.220.153:80 - ET CURRENT_EVENTS Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014
- 2014-04-28 03:34:52 UTC - 85.10.220.153:80 - 192.168.204.211:49282 - ET INFO suspicious - uncompressed pack200-ed JAR
- 2014-04-28 03:34:53 UTC - 85.10.220.153:80 - 192.168.204.211:49283 - ET CURRENT_EVENTS Angler EK encrypted binary (3) Jan 17 2013
ANGLER EK USING A SILVERLIGHT EXPLOIT:
- 05:04:53 UTC - 192.168.204.215:49170 - 193.225.32.11:80 - www.ektf.hu - GET /~forgos/hivatkoz/mediaismeret/common.js
- 05:05:07 UTC - 192.168.204.215:49173 - 213.192.241.64:80 - ortoexport.es - GET /esd.php?id=6075481
- 05:05:08 UTC - 192.168.204.215:49174 - 85.10.220.153:80 - 1ldaph7slm.fuminexyveqccs.com - GET /ndo7gwuflq
- 05:05:09 UTC - 192.168.204.215:49174 - 85.10.220.153:80 - 1ldaph7slm.fuminexyveqccs.com - HEAD /hJrX2rHUsj7jj5dflUYT16MpT9N3qFvO7F3urq73mfG50xNa
- 05:05:09 UTC - 192.168.204.215:49175 - 85.10.220.153:80 - 1ldaph7slm.fuminexyveqccs.com - GET /Tuf03FPkRFuaqPIb4NjSU7THPg2_ynKhrPyxXIMWr2GeJgdr
- 05:05:09 UTC - 192.168.204.215:49174 - 85.10.220.153:80 - 1ldaph7slm.fuminexyveqccs.com - GET /hJrX2rHUsj7jj5dflUYT16MpT9N3qFvO7F3urq73mfG50xNa
- 05:05:11 UTC - 192.168.204.215:49174 - 85.10.220.153:80 - 1ldaph7slm.fuminexyveqccs.com - GET /oelVnhpVAXKaOOv-guJsXWiEpvFz-UcZ5ffPym4zy4kpWJbD
Snort events from Security Onion:
- 2014-04-28 05:05:08 UTC - 85.10.220.153:80 - 192.168.204.215:49174 - ET CURRENT_EVENTS Angler EK Landing Apr 14 2014
- 2014-04-28 05:05:08 UTC - 85.10.220.153:80 - 192.168.204.215:49174 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2
- 2014-04-28 05:05:12 UTC - 85.10.220.153:80 - 192.168.204.215:49174 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013
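All three chains above share the same shape on the Angler EK host: a GET to a short random path (10 lowercase alphanumerics), then one or more long base64url-looking paths on the same hostname (the HEAD-then-GET pairs in the Java and Silverlight runs follow the same pattern). The following is an added detection example, not code from the original writeup: it parses log lines in the format used above (sample lines constructed from the Flash and Java chains) and flags client/host pairs that show that landing-then-payload sequence. The 10- and 40+ character path lengths are heuristics taken from this page's URLs, not a published signature.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the Flash and Java chains above,
# in the same "time - src:port - dst:port - host - METHOD path" layout.
SAMPLE_LOG = """\
03:02:32 UTC - 192.168.204.229:50547 - 193.225.32.11:80 - www.ektf.hu - GET /~forgos/hivatkoz/mediaismeret/common.js
03:04:14 UTC - 192.168.204.229:50549 - 213.192.241.64:80 - ortoexport.es - GET /esd.php?id=6075481
03:04:16 UTC - 192.168.204.229:50552 - 85.10.220.153:80 - xenexo9fj6.fuminexyveqccs.com - GET /1og4ea1qd9
03:04:16 UTC - 192.168.204.229:50552 - 85.10.220.153:80 - xenexo9fj6.fuminexyveqccs.com - GET /Yatj1vASpyx68zn1BEIiAfHh4_o6EL5IUyGL-7TcdDandTs6
03:04:19 UTC - 192.168.204.229:50552 - 85.10.220.153:80 - xenexo9fj6.fuminexyveqccs.com - GET /aCnWQJCNmIexkEGzbjnrtWXVYbLgBrgGyQKNivxWweabosCr
03:34:31 UTC - 192.168.204.211:49278 - 213.192.241.64:80 - ortoexport.es - GET /esd.php?id=6075481
03:34:32 UTC - 192.168.204.211:49280 - 85.10.220.153:80 - k615o5ij7f.skwosh.eu - GET /38104p5h2c
03:34:35 UTC - 192.168.204.211:49280 - 85.10.220.153:80 - k615o5ij7f.skwosh.eu - HEAD /PVfXBbR9WReNMmbQzLqrbDvNmen2ConnpC4tVP6U4RFI4HnE
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) UTC - (?P<src>[\d.]+):\d+ - (?P<dst>[\d.]+):\d+ - "
    r"(?P<host>\S+) - (?P<method>GET|HEAD|POST) (?P<path>\S+)$"
)
# Heuristics derived from the URLs on this page (assumptions, not a vendor rule):
LANDING_RE = re.compile(r"^/[a-z0-9]{10}$")          # short random landing path
FOLLOWUP_RE = re.compile(r"^/[A-Za-z0-9_-]{40,}$")     # long base64url-style exploit/payload path

def parse(log):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def find_angler_chains(events):
    """Group events by (client, hostname) and report pairs where a landing-style
    request is followed (same or later second) by one or more follow-up paths."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e)
    hits = []
    for (src, host), evs in by_pair.items():
        landing = [e for e in evs if LANDING_RE.match(e["path"])]
        follow = [e for e in evs if FOLLOWUP_RE.match(e["path"])]
        if landing and follow and landing[0]["time"] <= follow[0]["time"]:
            hits.append({"client": src, "host": host, "server": evs[0]["dst"],
                         "landing": landing[0]["path"], "followups": len(follow)})
    return hits

if __name__ == "__main__":
    for h in find_angler_chains(parse(SAMPLE_LOG)):
        print(f"{h['client']} -> {h['host']} ({h['server']}): landing {h['landing']}, "
              f"{h['followups']} follow-up request(s)")
```

The redirect hops (www.ektf.hu, ortoexport.es) are deliberately not flagged: the heuristic keys on the exploit-kit host's URL structure, which is what the "Angler EK Landing" and "encrypted binary" Snort events above also fire on.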
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: 2014-04-28-Angler-EK-silverlight-exploit.xap
File size: 51.9 KB ( 53132 bytes )
MD5 hash: c1e4e012316e52508bb03eab7f8ee581
Detection ratio: 0 / 49
First submission: 2014-04-28 05:37:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/1a238d452f3a5dbe6a6fa98f0e84146755a0ac7133e4315ee895b2797b68170d/analysis/
JAVA EXPLOIT (same as seen on 2014-04-22)
File name: 2014-04-28-Angler-EK-java-exploit.jar
File size: 26.2 KB ( 26840 bytes )
MD5 hash: 3de78737b728811af38ea780de5f5ed7
Detection ratio: 15 / 51
First submission: 2014-04-21 21:58:20 UTC
VirusTotal link: https://www.virustotal.com/en/file/d7521565cdfe6aec509d09ffd691216b65d99c1688a9ec55cb620db5ddfbae95/analysis/
FLASH EXPLOIT
File name: 2014-04-28-Angler-EK-flash-exploit.swf
File size: 72.8 KB ( 74579 bytes )
MD5 hash: 237a3fc1b59b79514c475adeca943556
Detection ratio: 0 / 51
First submission: 2014-04-28 04:22:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/e07dc85732b5ef81d7640ad4b36bcb64344e3fa30719620afedd70cace9b5823/analysis/
FLASH EXPLOIT UNCOMPRESSED
File name: 2014-04-28-Angler-EK-flash-exploit-uncompressed.swf
File size: 96.1 KB ( 98449 bytes )
MD5 hash: ef398b172e1598c71121ebc65d77cf46
Detection ratio: 0 / 50
First submission: 2014-04-28 06:05:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/2ed559d33578421e1d86e828d224e617ca3772c9c5b81e08db992ecabd852003/analysis
MALWARE PAYLOAD
File name: 2014-04-28-Angler-EK-malware-payload.dll
File size: 476.0 KB ( 487424 bytes )
MD5 hash: 013df9039ca8026e43c817c5cc182246
Detection ratio: 10 / 51
First submission: 2014-04-28 05:36:55 UTC
VirusTotal link: https://www.virustotal.com/en/file/056355fc687789a621e54c75262213753ed1c4c192e4bf313bd5c797df3670ba/analysis/
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-04-28-Angler-EK-all-pcaps.zip
- ZIP file of the malware: 2014-04-28-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.