2014-06-20 - 32X32 GATE TO ANGLER EK ON 107.181.246.213 - L7QRZ.HONIGIWACE.INFO
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-06-20-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-20-Angler-EK-malware.zip
NOTES:
- Today revealed another 32-byte by 32-byte PHP EK Gate with HTTP POST leading to Angler EK
- This one has a different pop-up than the previous ones noted on 2014-05-07 and 2014-05-13.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 198.57.149.88 - investorriches.com - Compromised website
- 88.80.190.66 - quemooono.com - 32x32 gate
- 107.181.246.213 - l7qrz.honigiwace.info - Angler EK
- 62.109.27.104 - activababy.ru - Post-infection call for more malware
COMPROMISED WEBSITE AND 32X32 GATE:
- 16:23:59 - 172.16.253.138:49251 - 198.57.149.88:80 - investorriches.com - GET /mentoring/
- 16:24:04 - 172.16.253.138:49261 - 88.80.190.66:80 - quemooono.com - POST /219aeeaac37e73188691349bae82334c.php?q=35bd0ba4240a085cef06bd956e544143
ANGLER EK:
- 16:24:05 - 172.16.253.138:49268 - 107.181.246.213:80 - l7qrz.honigiwace.info - GET /unc9xdig1e
- 16:24:09 - 172.16.253.138:49268 - 107.181.246.213:80 - l7qrz.honigiwace.info - GET /ZQjSBe3KjRk54Bm8nyKC2w_xWH9yzn5peZUe-AD5STRbcfMiuw8yNo3mdCThqyS1
- 16:24:19 - 172.16.253.138:49268 - 107.181.246.213:80 - l7qrz.honigiwace.info - GET /rwoZFh5SJ3iiwgb7_eow3M9N6wborqlSjNzyG2wVUElzFY1JQ7EMCK6NTgmJSPU0
- 16:24:34 - 172.16.253.138:49274 - 107.181.246.213:80 - l7qrz.honigiwace.info - GET /ImqmC4Yq9oC0mo0r0M8IEXh19BQbcc1m8FQ403qrZqx-ZnYKl-bcBqOX7IknbNUQ
- 16:24:34 - 172.16.253.138:49275 - 107.181.246.213:80 - l7qrz.honigiwace.info - GET /ImqmC4Yq9oC0mo0r0M8IEXh19BQbcc1m8FQ403qrZqx-ZnYKl-bcBqOX7IknbNUQ
- 16:24:37 - 172.16.253.138:49283 - 107.181.246.213:80 - l7qrz.honigiwace.info - GET /9TxUt-0mlM8oQVdbPtBtrvmRa3JIFQb7stOxeI_FOFmmeuwWNyI8JakgHZfY2CMU
POST-INFECTION TRAFFIC:
- 16:24:25 - 172.16.253.138:49276 - 62.109.24.233:443 - nosanoarick.ru - HTTPS traffic
- 16:24:25 - 172.16.253.138:49277 - 62.109.24.233:443 - nosanoarick.ru - HTTPS traffic
- 16:24:31 - 172.16.253.138:49278 - 93.158.134.11:80 - yandex.ru - GET /
- 16:24:32 - 172.16.253.138:49279 - 213.180.204.3:80 - www.yandex.ru - GET /
- 16:24:36 - 172.16.253.138:49282 - 62.109.27.104:80 - activababy.ru - GET /run.exe
- 16:24:41 - 172.16.253.138:49284 - 62.109.27.104:80 - activababy.ru - GET /install.exe [repeats with 404 Not found response]
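As an added example that is not part of the original write-up, the following Python detector applies the gate pattern shown in the chain above (an HTTP POST to a script named with 32 hex characters and a .php extension, carrying a 32-hex-character q parameter, the same shape that the ET "32-byte by 32-byte PHP EK Gate with HTTP POST" signature name describes) to log lines in this page's timeline layout, and then reconstructs the referrer, gate and landing hosts for each hit from the same client within a short window. The sample lines are taken from the timeline above plus one constructed benign request to example.com; the line format, the 10-second window and all function names are assumptions made for the demonstration, not anything from the capture or the rulesets.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Gate request shape observed in this capture: POST /<32 hex>.php?q=<32 hex>
GATE_RE = re.compile(r"^/[0-9a-f]{32}\.php\?q=[0-9a-f]{32}$")

# Assumed log layout, matching this write-up's timeline lines:
# HH:MM:SS - src:port - dst:port - host - METHOD /path
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) - (?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<host>\S+) - "
    r"(?P<method>GET|POST) (?P<path>\S+)"
)

# Three lines copied from the timeline above, plus one constructed benign
# request (example.com / 203.0.113.5) that a naive "POST with q=" check
# would wrongly flag.
SAMPLE_LOG = [
    "16:23:59 - 172.16.253.138:49251 - 198.57.149.88:80 - investorriches.com - GET /mentoring/",
    "16:24:04 - 172.16.253.138:49261 - 88.80.190.66:80 - quemooono.com - POST "
    "/219aeeaac37e73188691349bae82334c.php?q=35bd0ba4240a085cef06bd956e544143",
    "16:24:05 - 172.16.253.138:49268 - 107.181.246.213:80 - l7qrz.honigiwace.info - GET /unc9xdig1e",
    "16:25:30 - 172.16.253.138:49300 - 203.0.113.5:80 - example.com - POST /login.php?q=session42",
]


@dataclass
class HttpEvent:
    time: datetime
    src: str
    dst: str
    host: str
    method: str
    path: str


def parse_line(line: str) -> Optional[HttpEvent]:
    """Parse one timeline-style line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return HttpEvent(
        time=datetime.strptime(m["time"], "%H:%M:%S"),
        src=m["src"], dst=m["dst"], host=m["host"],
        method=m["method"], path=m["path"],
    )


def is_gate_request(ev: HttpEvent) -> bool:
    """True only for a POST whose path has the 32-hex / 32-hex gate shape."""
    return ev.method == "POST" and bool(GATE_RE.match(ev.path))


def find_gate_chains(events: List[HttpEvent], window: timedelta = timedelta(seconds=10)):
    """For every gate hit, report the last request the same client made before
    it (the likely compromised referrer) and the first request to a host not
    yet seen in the chain after it (the likely EK landing), both within window."""
    events = sorted(events, key=lambda e: e.time)
    chains = []
    for i, ev in enumerate(events):
        if not is_gate_request(ev):
            continue
        before = [e for e in events[:i]
                  if e.src == ev.src and ev.time - e.time <= window]
        seen = {ev.host} | {b.host for b in before}
        after = [e for e in events[i + 1:]
                 if e.src == ev.src and e.time - ev.time <= window and e.host not in seen]
        chains.append({
            "referrer": before[-1].host if before else None,
            "gate": ev.host,
            "landing": after[0].host if after else None,
        })
    return chains


if __name__ == "__main__":
    parsed = [e for e in map(parse_line, SAMPLE_LOG) if e is not None]
    for chain in find_gate_chains(parsed):
        print(chain)
```

The regex is deliberately anchored to the full path so that ordinary POST requests with a q parameter (the constructed example.com line) are not flagged; the chain reconstruction is what turns a single gate alert into the referrer-to-landing picture a triage analyst wants before pulling the pcap.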
PRELIMINARY MALWARE ANALYSIS
JAVA EXPLOIT
File name: 2014-06-20-Angler-EK-java-exploit.jar
File size: 29.2 KB ( 29867 bytes )
MD5 hash: cf0f7176f40114ee288d7dd4599e926e
Detection ratio: 9 / 53
First submission: 2014-06-21 00:35:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/f4b35756b9f6ea204ca4ff9f69b0df1ec350033e79eb0d00b384443643488254/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-06-20-Angler-EK-silverlight-exploit.xap
File size: 51.5 KB ( 52690 bytes )
MD5 hash: 98119bc927fe32313a87d6b808a29539
Detection ratio: 3 / 54
First submission: 2014-06-12 12:51:55 UTC
VirusTotal link: https://www.virustotal.com/en/file/3ae82bd0a8eee6d0273d121008dc0968344fcac78bd62ea371178c1e8a1a5017/analysis/
MALWARE PAYLOAD
File name: 2014-06-20-Angler-EK-malware-payload.exe
File size: 264.0 KB ( 270336 bytes )
MD5 hash: 7cde5ff3c884e019e6d718cbc4029f14
Detection ratio: 9 / 54
First submission: 2014-06-21 00:36:28 UTC
VirusTotal link: https://www.virustotal.com/en/file/6c2ecb7bf4130a76179b249c5f227069aa3096d9bfcfd52c6f7b9c3d0bf8dd4f/analysis/
Malwr link: https://malwr.com/analysis/ZDhlMjk3M2E2YWVjNGRjNWE2ZTdjY2Y0M2E4OTQ4Yjk/
FOLLOW-UP MALWARE
File name: run.exe
File size: 577.5 KB ( 591360 bytes )
MD5 hash: 001bf7b9889d7115baf5ca0206ddfd7e
Detection ratio: 21 / 54
First submission: 2014-06-21 00:36:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/529d49f591cc1558705e0b5f6da1f193d75d693ec432c50bad5e5ddf1e036204/analysis/
Malwr link: https://malwr.com/analysis/YzNkZGQ0MDM2M2Y4NDFlY2EwMDlhMTc1Y2FjOTBkNTI/
SNORT EVENTS
Emerging Threats and ETPRO rulesets:
- 2014-06-20 16:24:04 UTC - 172.16.253.137:49261 - 88.80.190.66:80 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
- 2014-06-20 16:24:06 UTC - 107.181.246.213:80 - 172.16.253.137:49268 - ETPRO CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2807913)
- 2014-06-20 16:24:06 UTC - 107.181.246.213:80 - 172.16.253.137:49268 - ETPRO CURRENT_EVENTS DRIVEBY Angler EK Landing May 22 2014 (sid:2808076)
- 2014-06-20 16:24:21 UTC - 107.181.246.213:80 - 172.16.253.137:49268 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013 (sid:2017984)
- 2014-06-20 16:24:40 UTC - 107.181.246.213:80 - 172.16.253.137:49283 - ET TROJAN Angler EK encrypted binary (7) (sid:2018511)
Sourcefire VRT ruleset:
- 2014-06-20 16:24:04 UTC - 172.16.253.137:49261 - 88.80.190.66:80 - EXPLOIT-KIT Multiple exploit kit redirection gate (sid:30920)
NOTE: These Snort events were taken from Sguil on Security Onion
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-20-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-20-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.