2014-05-01 - ANGLER EK FROM 184.82.69.94 - 51M9O.LICITAJYJANYSWED.INFO

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-05-01-Angler-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-05-01-Angler-EK-malware.zip

PREVIOUS ANGLER EK:

• 2014-02-26 - Angler EK from 23.239.12.68 - northerningredients.com
• 2014-02-27 - Angler EK from 31.222.178.84 - phisoomythyxiboow.ru:8080
• 2014-03-23 - Angler EK from 78.63.247.153 - e1xguj.makeuhndall.info
• 2014-04-22 - Angler EK from 69.39.239.233 - p1315noprat-wezenlijk.tri-citydrywall.com
• 2014-04-22 - Angler EK from 23.110.194.99 - lampadaryoptimistiselta.particlehero.com
• 2014-04-28 - Angler EK from 85.10.220.153 - xenexo9fj6.fuminexyveqccs.com
• 2014-04-28 - Angler EK from 85.10.220.153 - k615o5ij7f.skwosh.eu
• 2014-04-29 - Angler EK from 66.96.246.151 - ugwpc.bimowamokykpps.net
• 2014-05-01 - Angler EK from 184.82.69.94 - 51m9o.licitajyjanyswed.info

NOTE: Nothing new here that we haven't seen before.  Just keeping track...

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 184.82.69.94 - 51m9o.licitajyjanyswed.info - Angler EK

INFECTION CHAIN OF EVENTS (SILVERLIGHT AND FLASH EXPLOITS)

• 05:11:37 UTC - 51m9o.licitajyjanyswed.info - GET /cthhquqwpj
• 05:11:38 UTC - 51m9o.licitajyjanyswed.info - GET /Lqg20IjWzP2Enl7FJ8wuoQFRVG15hzZeqYY7K92j4f27LWmWsnGFAwaGXz8sCMLa2bQ78-wykL8=  [Flash exploit]
• 05:11:38 UTC - 51m9o.licitajyjanyswed.info - GET /AukxodW7jAMQRC1hoTNtpsRMu8UgnHXz1rSjRGhK0O3PwrlbS_oU-ij-anWobP3GBDxb0lY6SJQ=  [Silverlight exploit]
• 05:11:41 UTC - 51m9o.licitajyjanyswed.info - GET /JuJFE3MY7FrDsOoDzDXQXQFZZwkypij_MtnXYQhTOF64BLxyM6NN1mvl82JII6HIA5fjacs3Oj4=  [malware payload]

INFECTION CHAIN OF EVENTS (JAVA EXPLOIT)

• 05:23:11 UTC - 51m9o.licitajyjanyswed.info - GET /kedce7b0jl HTTP/1.1
• 05:23:14 UTC - 51m9o.licitajyjanyswed.info - HEAD /ieeHfqBIIalCugQb4AIOYv1qBcwPZusNtNomKjt0C4De7zAtZOfeio4qyv6BqTjNNVyB5YySO3w=
• 05:23:14 UTC - 51m9o.licitajyjanyswed.info - GET /ieeHfqBIIalCugQb4AIOYv1qBcwPZusNtNomKjt0C4De7zAtZOfeio4qyv6BqTjNNVyB5YySO3w=
• 05:23:30 UTC - 51m9o.licitajyjanyswed.info - GET /uOqil8gul9ciSgti0jLsChR7dDRRw_LBMDKOddac9277Bqjpfvzc77dTjW3k2eexe9uQ9RqfVls=
• 05:23:30 UTC - 51m9o.licitajyjanyswed.info - GET /uOqil8gul9ciSgti0jLsChR7dDRRw_LBMDKOddac9277Bqjpfvzc77dTjW3k2eexe9uQ9RqfVls= [Java exploit]
• 05:23:30 UTC - 51m9o.licitajyjanyswed.info - GET /vDMsODbV7aBqrhDchAYoKlEXnClPQIcgew8R-_RuXS6Zux-RqWDGVo29iKS2IDARPTqG1Da8YLI=  [malware payload]

 

PRELIMINARY MALWARE ANALYSIS

• 2014-05-01-Angler-EK-flash-exploit.swf - 39.5 KB ( 40424 bytes ) - MD5: 23c62fff2b9f8499cc560e0a83269394 - Virus Total link
• 2014-05-01-Angler-EK-silverlight-exploit.xap - 51.4 KB ( 52653 bytes ) - MD5: cd51e7a9a0487561605e3efec3436f52 - Virus Total link
• 2014-05-01-Angler-EK-java-exploit.jar - 26.2 KB ( 26840 bytes ) - MD5: 3de78737b728811af38ea780de5f5ed7 - Virus Total link
• 2014-05-01-Angler-EK-malware-payload.dll - 72.5 KB ( 74240 bytes ) - MD5: 2387377699cd0bbe891a1377e4302a28 - Virus Total link - Malwr link

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-05-01 05:11:37 UTC - 184.82.69.94:80 - 192.168.204.227:49480 - ET CURRENT_EVENTS Angler EK Landing Apr 14 2014
• 2014-05-01 05:11:37 UTC - 184.82.69.94:80 - 192.168.204.227:49480 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 1
• 2014-05-01 05:11:37 UTC - 192.168.204.227:49480 - 184.82.69.94:80 - ET POLICY Outdated Windows Flash Version IE
• 2014-05-01 05:11:41 UTC - 184.82.69.94:80 - 192.168.204.227:49481 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013

• 2014-05-01 05:23:12 UTC - 184.82.69.94:80 - 192.168.204.194:49297 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 1
• 2014-05-01 05:23:12 UTC - 184.82.69.94:80 - 192.168.204.194:49297 - ET CURRENT_EVENTS Angler EK Landing Apr 14 2014
• 2014-05-01 05:23:30 UTC - 192.168.204.194:49299 - 184.82.69.94:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
• 2014-05-01 05:23:30 UTC - 192.168.204.194:49300 - 184.82.69.94:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
• 2014-05-01 05:23:30 UTC - 184.82.69.94:80 - 192.168.204.194:49300 - ET INFO suspicious - uncompressed pack200-ed JAR
• 2014-05-01 05:23:31 UTC - 184.82.69.94:80 - 192.168.204.194:49299 - ET CURRENT_EVENTS Angler EK encrypted binary (3) Jan 17 2013

 

OTHER NOTES

The Silverlight exploit used in Angler EK is updated frequently--the modified date for this one is less than 48 hours ago.

 

The Java exploit used by Angler EK was last updated in February 2014--over 2 months ago.

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-05-01-Angler-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-05-01-Angler-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.