2014-05-28 - ANGLER EK AND ANOTHER CRYPTOWALL SAMPLE

ASSOCIATED FILES:

• ZIP of the PCAPs:  2014-05-28-Angler-EK-pcaps.zip
• ZIP of the malware:  2014-05-28-Angler-EK-malware.zip

NOTES:

• The malware payload was a Trojan downloader, but didn't work in my VM.  Fortunately, it did in the Malwr.com sandbox analysis.
• There are two additional pieces of malware (3.exe and 6.exe) from the sandbox analysis.  The file named "3.exe" is CrytoWall.
• I infected a VM with the CryptoWall malware and saw the same post-infection traffic from my 2014-05-25 blog entry on Angler EK.
• Also saw the same hashdate function used for a .eu redirect with a window.cback from my 2014-05-25 blog entry on Angler EK.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 46.28.105.30 - www.obchodveskrini.cz - Compromised website
• 108.162.198.14 - 448a2efd.eu - Redirect
• 94.23.170.178 - edinburghissapangermanic.azpoolservicemesa.com - Angler EK in first example
• 94.23.68.141 - epbh-recoiloperated.azpoolservicegilbert.org - Angler EK in other two examples
• various IP addresses - various domains - sandbox traffic (see below)

ANGLER EK USES SILVERLIGHT EXPLOIT:

• 05:00:38 - www.obchodveskrini.cz - GET /
• 05:00:40 - 448a2efd.eu - GET /script.html?0.2649787266567968


• 05:00:41 - edinburghissapangermanic.azpoolservicemesa.com - GET /m33iozsdah.php
• 05:00:43 - edinburghissapangermanic.azpoolservicemesa.com - GET /qvCMoPoW5qbkPdmjT67g2xBC9OQAwuT21plVbJIQl8nh2RRS3vwSqjU_n8sO3X9cyel-FA==
• 05:00:52 - edinburghissapangermanic.azpoolservicemesa.com - GET /lux053z_VvNY3D_FYq0flHbS0oIp7oBAZG8Otv5VuG5BB3I6LIMqRPHUnAbXfV-uIzdLUw==

ANGLER EK USES FLASH EXPLOIT (NO INFECTION):

• 05:13:20 - www.obchodveskrini.cz - GET /
• 05:13:24 - 448a2efd.eu - GET /script.html?0.6947443515522153


• 05:13:24 - epbh-recoiloperated.azpoolservicegilbert.org - GET /92fp76gwdf.php
• 05:13:26 - epbh-recoiloperated.azpoolservicegilbert.org - GET /ZgCWxLu0NRxZvVIj_EaQFspTpP1BqZIGKNFDnyjRnNfGk2mKONwN5lq_bhZtziT2T5yfLw==

ANGLER EK USES JAVA EXPLOIT:

• 05:20:06 - www.obchodveskrini.cz - GET /
• 05:20:12 - 448a2efd.eu - GET /script.html?0.9579412424463776


• 05:20:14 - epbh-recoiloperated.azpoolservicegilbert.org - GET /yobggx2kph.php
• 05:20:30 - epbh-recoiloperated.azpoolservicegilbert.org - GET /SxHE1ot0VqnMztVDo21ULT57w9ZIuH14Pxd7qMfq78LBXl8z5h4ElA1EqGMIuRHf3z5Qbg==
• 05:20:30 - epbh-recoiloperated.azpoolservicegilbert.org - GET /SxHE1ot0VqnMztVDo21ULT57w9ZIuH14Pxd7qMfq78LBXl8z5h4ElA1EqGMIuRHf3z5Qbg==
• 05:20:31 - epbh-recoiloperated.azpoolservicegilbert.org - GET /SxHE1ot0VqnMztVDo21ULT57w9ZIuH14Pxd7qMfq78LBXl8z5h4ElA1EqGMIuRHf3z5Qbg==
• 05:20:33 - epbh-recoiloperated.azpoolservicegilbert.org - GET /pHCjj4ahrROl8McxjlQZGLNF7qh22qhnhbppYlJZjpse9YrGg6F1-bfb8vPShtVWAQ1s3g==

TRAFFIC FROM MALWR.COM SANDBOX ANALYSIS OF MALWARE PAYLOAD:

• 05:41:54 - 192.168.56.101:1041 - 141.101.117.197:80 - niceshinesirius.pw - POST /lkgj/gmp.php   [repeats several times]
• 05:41:54 - 192.168.56.101:1043 - 108.162.196.71:80 - fe4a6513.pw - GET /store/3.exe
• 05:41:57 - 192.168.56.101:1048 - 108.162.196.71:80 - fe4a6513.pw - GET /store/6.exe
• 05:41:59 - 192.168.56.101:1053 - 108.162.196.71:80 - fe4a6513.pw - GET /store/2.exe   [repeats several times]
• 05:42:11 - 192.168.56.101:1065 - 141.255.167.3:80 - nofbiatdominicana.com - POST /f8hmqr0t7iqn
• 05:42:14 - 192.168.56.101:1071 - 141.255.167.3:80 - nofbiatdominicana.com - POST /7q1lqfgqdj273mj

CRYPTOWALL TRAFFIC AFTER RUNNING FILE "3.EXE" FROM THE SANDBOX ANALYSIS ON A VM:

• 06:52:13 - 192.168.204.235:49159 - 141.255.167.3 - nofbiatdominicana.com - POST /w72sh29mlo
• 06:52:35 - 192.168.204.235:49161 - 141.255.167.3 - nofbiatdominicana.com - POST /9x358cr5kv2l8g2
• 06:52:42 - 192.168.204.235:49162 - 95.215.45.172:443 - kpai7ycr7jxqkilp.torexplorer.com - HTTPS traffic
• 06:52:45 - 192.168.204.235:49165 - 95.215.45.172:443 - kpai7ycr7jxqkilp.torexplorer.com - HTTPS traffic
• 06:52:45 - 192.168.204.235:49164 - 95.215.45.172:443 - kpai7ycr7jxqkilp.torexplorer.com - HTTPS traffic
• 06:52:45 - 192.168.204.235:49166 - 95.215.45.172:443 - kpai7ycr7jxqkilp.torexplorer.com - HTTPS traffic
• 06:52:45 - 192.168.204.235:49168 - 95.215.45.172:443 - kpai7ycr7jxqkilp.torexplorer.com - HTTPS traffic
• 06:52:45 - 192.168.204.235:49167 - 95.215.45.172:443 - kpai7ycr7jxqkilp.torexplorer.com - HTTPS traffic
• 06:53:02 - 192.168.204.235:49169 - 141.255.167.3 - nofbiatdominicana.com - POST /3ubc5pzotxyp0ui

 

PRELIMINARY MALWARE ANALYSIS

• 2014-05-28-Angler-EK-silverlight-exploit.xap - 51.6 KB ( 52802 bytes ) - MD5: a34102b795fbba5527bb17d9c2d427ff - Virus Total link
• 2014-05-28-Angler-EK-flash-exploit.swf - 73.3 KB ( 75045 bytes ) - MD5: 8081397c30b53119716c374dd58fc653 - Virus Total link
• 2014-05-28-Angler-EK-flash-exploit-uncompressed.swf - 94.8 KB ( 97075 bytes ) - MD5: 2543855d992b2f9a576f974c2630d851 - Virus Total link
• 2014-05-28-Angler-EK-java-exploit.jar - 26.2 KB ( 26840 bytes ) - MD5: 3de78737b728811af38ea780de5f5ed7 - Virus Total link
• 2014-05-28-Angler-EK-malware-payload.exe - 188.0 KB ( 192512 bytes ) - MD5: 7ac8f1c630b5cbfce8916d4c80e2f140 - Virus Total link / Malwr link
• 3.exe - 311.5 KB ( 318976 bytes ) - MD5: e36bbd682b5dd435baec8ec268c9c825 - Virus Total link - NOTE: This is CryptoWall
• 6.exe - 205.5 KB ( 210432 bytes ) - MD5: a709e37a5ebb3ee99c539cbb1c6a8848 - Virus Total link

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-05-28 05:00:43 UTC - 192.168.204.221:49267 - 94.23.170.178:80 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request - May 2014 (sid:2018497)
• 2014-05-28 05:00:52 UTC - 94.23.170.178:80 - 192.168.204.221:49267 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013 (sid:2017984)
• 2014-05-28 05:13:26 UTC - 192.168.204.222:49182 - 94.23.68.141:80 - ET POLICY Outdated Windows Flash Version IE (sid:2014726)
• 2014-05-28 05:13:26 UTC - 192.168.204.222:49182 - 94.23.68.141:80 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request - May 2014 (sid:2018497)
• 2014-05-28 05:20:30 UTC - 192.168.204.224:49211 - 94.23.68.141:80 - ET POLICY Vulnerable Java Version 1.7.x Detected (sid:2014297)
• 2014-05-28 05:20:30 UTC - 192.168.204.224:49211 - 94.23.68.141:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
• 2014-05-28 05:20:30 UTC - 192.168.204.224:49211 - 94.23.68.141:80 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request - May 2014
• 2014-05-28 05:20:31 UTC - 94.23.68.141:80 - 192.168.204.224:49211 - ET INFO suspicious - uncompressed pack200-ed JAR (sid:2017909)
• 2014-05-28 05:20:35 UTC - 94.23.68.141:80 - 192.168.204.224:49215 - ET CURRENT_EVENTS Angler EK encrypted binary (3) Jan 17 2013 (sid:2017986)
• 2014-05-28 05:20:35 UTC - 94.23.68.141:80 - 192.168.204.224:49215 - EXPLOIT-KIT Angler exploit kit encrypted binary download (sid:29414)

 

SNORT EVENTS FOR THE SANDBOX TRAFFIC (using tcpreplay on Security Onion)

• 192.168.56.101:1041 - 141.101.117.197:80 - ET TROJAN Andromeda Checkin (sid:2016223)
• 192.168.56.101:1065 - 141.255.167.3:80 - ET TROJAN CryptoWall Check-in (sid:2018452)
• 192.168.56.101:1073 - 108.162.195.43:80 - MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (sid:27919)
• 192.168.56.101:1073 - 108.162.195.43:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)

 

HIGHLIGHTS FROM THE TRAFFIC

Example of malicious script in page from compromised website:

 

Example of redirect pointing to Angler EK:

 

CryptoWall in action on the infected VM:

1AkJptnuoiQAD3GmHMFHBSMxZ9H2GKJTkB is the same bitcoin address from another CryptoWall infection in my 2014-05-25 blog entry.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAPs:  2014-05-28-Angler-EK-pcaps.zip
• ZIP of the malware:  2014-05-28-Angler-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.