2014-06-03 - ANGLER EK FROM 85.25.43.60 PORT 2980 - JUGOSLAAVIENFISUN.DVDANDGIFTS.CO.ZA
ASSOCIATED FILES:
- ZIP of PCAPs: 2014-06-03-Angler-EK-pcaps.zip
- ZIP of the malware: 2014-06-03-Angler-EK-malware.zip
NOTES:
- This is the first time I've seen Angler EK use a non-standard port for HTTP
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 77.93.218.17 - www.racionalcz.cz - Compromised website
- 141.101.117.21 - 8bfd2cd9.eu - Redirect
- 85.25.43.60 - jugoslaavienfisun.dvdandgifts.co.za:2980 - Angler EK on TCP port 2980
- 108.162.196.238 - afpstatstrack.pw - Post-infection callback from sandbox analysis
COMPROMISED WEBSITE AND REDIRECT:
- 06:27:49 - www.racionalcz.cz - GET /
- 06:27:55 - 8bfd2cd9.eu - GET /script.html?0.9801302868625199
ANGLER EK:
- 06:27:58 - jugoslaavienfisun.dvdandgifts.co.za:2980 - GET /6ixxz709c7.php
- 06:28:18 - jugoslaavienfisun.dvdandgifts.co.za:2980 - GET /preYUIdZbBMpGFTaCjpz6xbqWEZNEgRFAjTue09AwvP4YWrYyx1tPWVG6rVtWjH8
- 06:28:21 - jugoslaavienfisun.dvdandgifts.co.za:2980 - GET /RBh8sPEUVNf0K_DYznq1da9I1lZnuVuhfzi8Ntnwbnt7UTYEzKiQP-GtxkOVsgLa
- 06:28:26 - jugoslaavienfisun.dvdandgifts.co.za:2980 - GET /pRPQTx387JTKdo5oOGEn3sX1vq6anRKyezt3t2Q4g0EJoguk6hCgIgmlZzNPb9k4
TRAFFIC FROM SANDBOX ANALYSIS OF MALWARE PAYLOAD:
- 108.162.196.238 port 80 - afpstatstrack.pw - POST /lkgj/gmp.php
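The request lines from the chain of events above, run through an added detection check (this is example code written for this page, not part of the original post or of any tool it mentions). It parses the "time - host[:port] - METHOD path" lines, flags HTTP on a port other than 80/8080, and flags the long opaque URL-safe-base64-style paths that followed the landing page; the 60-70 character width is an assumption taken from the three payload URLs in this capture, not a general Angler signature.

```python
import re
from collections import Counter

# Constructed sample input: the HTTP requests listed in the chain of events above.
REQUESTS = """\
06:27:49 - www.racionalcz.cz - GET /
06:27:55 - 8bfd2cd9.eu - GET /script.html?0.9801302868625199
06:27:58 - jugoslaavienfisun.dvdandgifts.co.za:2980 - GET /6ixxz709c7.php
06:28:18 - jugoslaavienfisun.dvdandgifts.co.za:2980 - GET /preYUIdZbBMpGFTaCjpz6xbqWEZNEgRFAjTue09AwvP4YWrYyx1tPWVG6rVtWjH8
06:28:21 - jugoslaavienfisun.dvdandgifts.co.za:2980 - GET /RBh8sPEUVNf0K_DYznq1da9I1lZnuVuhfzi8Ntnwbnt7UTYEzKiQP-GtxkOVsgLa
06:28:26 - jugoslaavienfisun.dvdandgifts.co.za:2980 - GET /pRPQTx387JTKdo5oOGEn3sX1vq6anRKyezt3t2Q4g0EJoguk6hCgIgmlZzNPb9k4
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) - ([^\s:]+)(?::(\d+))? - (\w+) (\S+)$")
# Assumption from this capture: the three post-landing URLs are 64 URL-safe-base64
# characters with no extension or query string; allow a little slack either side.
OPAQUE_PATH_RE = re.compile(r"^/[A-Za-z0-9_-]{60,70}$")
STANDARD_HTTP_PORTS = {80, 8080}

def parse(text):
    """Turn the request lines into records; a missing port means plain port 80."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, host, port, method, path = m.groups()
        recs.append({"time": t, "host": host, "port": int(port) if port else 80,
                     "method": method, "path": path})
    return recs

def flag(recs):
    """Return (time, host, port, reasons) for every request that trips a check."""
    alerts = []
    for r in recs:
        reasons = []
        if r["port"] not in STANDARD_HTTP_PORTS:
            reasons.append(f"http-nonstandard-port:{r['port']}")
        if OPAQUE_PATH_RE.match(r["path"]):
            reasons.append("long-opaque-path")
        if reasons:
            alerts.append((r["time"], r["host"], r["port"], reasons))
    return alerts

def suspect_hosts(alerts):
    """Roll alerts up per host:port so one summary line per suspicious server remains."""
    summary = {}
    for _, host, port, reasons in alerts:
        summary.setdefault(f"{host}:{port}", Counter()).update(reasons)
    return summary

if __name__ == "__main__":
    for key, counts in suspect_hosts(flag(parse(REQUESTS))).items():
        print(key, dict(counts))
```

Neither the compromised site nor the redirector is flagged; the Angler server is reported once for its port and three times for the opaque payload paths, which is the behaviour a default Snort HTTP_PORTS setting would have missed entirely.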
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: 2014-06-03-Angler-EK-silverlight-exploit.xap
File size: 52.6 KB ( 53913 bytes )
MD5 hash: 5613d0312a0acf3a86f4d427b645dc5e
Detection ratio: 1 / 52
First submission: 2014-06-04 04:16:00 UTC
VirusTotal link: https://www.virustotal.com/en/file/92d5995e66e913e97286d436a048de0459e7c21a29b93d7febd1ead880a43963/analysis/
MALWARE PAYLOAD
File name: 2014-06-03-Angler-EK-malware-payload.exe
File size: 157.5 KB ( 161280 bytes )
MD5 hash: 942f89a745e22b6d6156b77717eaa14c
Detection ratio: 3 / 51
First submission: 2014-06-03 09:29:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/65c3ec6d48f5b3d9e77b48793461fe689d6110e3dade714a0251c02ae8db35ad/analysis/
Malwr link: https://malwr.com/analysis/MTU0MDM3ODg4OTc3NGNkYjkxZTU1MTdiYmU5NDkxOTQ/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
Emerging Threats and ETPRO rulesets:
NOTE: I used tcprewrite to change the port on 85.23.43.60 from 2980 to 80, and I used tcpreplay to generate the Angler EK events. On a default Security Onion install, you would only see the first event.
- 77.93.218.17:80 - 192.168.204.226:49171 - ET CURRENT_EVENTS Possible Malicious Injected Redirect June 02 2014 (sid:2018514)
- 85.25.43.60:2980 - 192.168.204.226:49178 - ETPRO CURRENT_EVENTS DRIVEBY Angler EK Landing May 22 2014 (sid:2808076)
- 85.25.43.60:2980 - 192.168.204.226:49178 - ETPRO CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2807913)
- 85.25.43.60:2980 - 192.168.204.226:49187 - ET CURRENT_EVENTS Angler EK encrypted binary (6) (sid:2018510)
- 85.25.43.60:2980 - 192.168.204.226:49178 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013 (sid:2017984)
SNORT EVENTS FOR PCAP FROM MALWR.COM ANALYSIS:
- 192.168.56.102:1040 - 108.162.196.238:80 - ET TROJAN Andromeda Checkin (sid:2016223)
HIGHLIGHTS FROM THE TRAFFIC
Callback traffic from sandbox analysis of the malware payload:
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-03-Angler-EK-pcaps.zip
- ZIP of the malware: 2014-06-03-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.