2014-10-01 - 32X32 GATE LEADING TO ANGLER EK ON 66.172.27.117 - ASD.CROSSHEADING.US
ASSOCIATED FILES:
- ZIP of the pcap: 2014-10-01-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2014-10-01-Angler-EK-malware.zip
NOTES:
- Another compromised website with the fake pop-up that generates a 32x32 gate to the Angler exploit kit.
- All of the Angler EK infections I've done lately have been the "fileless" type.
- Only the dropped malware is on the infected VM, so and I've had to extract the Flash exploit and malware payload from the pcap.
- For more info on these fileless infections, see: http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 69.195.124.122 - thedogsitterutah.com - Compromised website
- 67.230.162.218 - ecigarettesguide.com - Redirect (32x32 gate)
- 66.172.27.117 - asd.crossheading.us - Angler EK
- Various IP addresses - various domains - Post-infection traffic (see below)
COMPROMISED WEBSITE AND REDIRECT:
- 04:42:34 UTC - 192.168.204.147:49777 - 69.195.124.122:80 - thedogsitterutah.com - GET /
- 04:43:07 UTC - 192.168.204.147:49822 - 67.230.162.218:80 - ecigarettesguide.com - POST /9d1b5208df422355f8b7a23036664b45.php?q=
5c27b23d5e561969496f6936fcaae860
ANGLER EK:
- 04:43:12 - 192.168.204.147:49828 - 66.172.27.117:80 - asd.crossheading.us - GET /1fpeebngto
- 04:43:20 - 192.168.204.147:49830 - 66.172.27.117:80 - asd.crossheading.us - GET /KEHKoiQEo56wMRrvRQUpm8kyjc7lnK4V9_yFjn3VhBP5aTzKU89tqAqI545QlGPx
- 04:43:41 - 192.168.204.147:49833 - 66.172.27.117:80 - asd.crossheading.us - GET /huHOJeuuJfoed4Af96dGvvzmRUL5d1Whhc82A4pN-2Xfb-4j-sv5vYZpWVztoer_
- 04:43:48 - 192.168.204.147:49830 - 66.172.27.117:80 - asd.crossheading.us - GET /Dm17iGorvbaYkkq79msa2xPFekVdI1vBHna3uhDlup9VdkZXPdWCEs6Ja4uETFc7
POST-INFECTION CALLBACK TRAFFIC:
- 04:43:38 UTC - 192.168.204.147:49832 - 208.113.226.171:80 - www.earthtools.org - POST /timezone/0/0
- 04:43:42 UTC - 192.168.204.147:49834 - 23.212.194.20:80 - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
- 04:43:45 UTC - 192.168.204.147:52929 - 192.168.204.2:53 - DNS query for: tkfdydtzgvohfb.com (did not resolve)
- 04:43:47 UTC - 192.168.204.147:49835 - 188.165.202.162:443 - HTTPS traffic to pkzaafdeizhy.com
- 04:43:59 UTC - 192.168.204.147:49837 - 188.165.202.162:443 - HTTPS traffic to pkzaafdeizhy.com
- 04:44:18 UTC - 192.168.204.147:49838 - 91.194.254.234:80 - homeinfo.cc - POST /common/manual.php
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2014-10-01-Angler-EK-flash-exploit.swf
File size: 75.2 KB ( 77010 bytes )
MD5 hash: ccb4ba9149121353c0424c4027c76328
Detection ratio: 3 / 55
First submission: 2014-09-30 21:50:25 UTC
VirusTotal link: https://www.virustotal.com/en/file/5386c90e2bd6acceea7fceca30815bb696567056eeb6a25f764c4737650b5f23/analysis/
MALWARE PAYLOAD:
File name: 2014-10-01-Angler-EK-malware-payload.dll
File size: 168.8 KB ( 172872 bytes )
MD5 hash: 91a5902a8cba2584228a15e7f959c1f9
Detection ratio: 30 / 55
First submission: 2014-09-28 06:06:52 UTC
VirusTotal link: https://www.virustotal.com/en/file/41f58c8e4337b445d67a399e7841362a557ccbb866ef3a881638a38667e2b934/analysis/
DROPPED FILE:
File name: DXM_Runtime.pif
File size: 60.0 KB ( 61440 bytes )
MD5 hash: 3b2f182d8df7b8b7ff8c97c2ac039310
Detection ratio: 7 / 55
First submission: 2014-10-01 05:30:28 UTC
VirusTotal link: https://www.virustotal.com/en/file/f2259b8871b81cbc4c6ee9d69c53453dbb8c6e1081dc2b18a99024e61c2b5bba/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-10-01 04:43:07 UTC - 192.168.204.147:49822 - 67.230.162.218:80 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
- 2014-10-01 04:43:13 UTC - 66.172.27.117:80 - 192.168.204.147:49828 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
- 2014-10-01 04:43:21 UTC - 66.172.27.117:80 - 192.168.204.147:49830 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
- 2014-10-01 04:44:18 UTC - 192.168.204.147:49838 - 91.194.254.234:80 - ETPRO TROJAN PWS-Zbot-FANF Checkin (sid:2807194)
- 2014-10-01 04:44:18 UTC - 192.168.204.147:49838 - 91.194.254.234:80 - ET TROJAN Zbot UA (sid:2015780)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):
- 2014-10-01 04:43:07 UTC - 192.168.204.147:49822 - 67.230.162.218:80 - [1:30920:1] EXPLOIT-KIT Multiple exploit kit redirection gate
- 2014-10-01 04:43:21 UTC - 66.172.27.117:80 - 192.168.204.147:49830 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
- 2014-10-01 04:43:43 UTC - 66.172.27.117:80 - 192.168.204.147:49833 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
- 2014-10-01 04:44:16 UTC - 192.168.204.147:57763 - 192.168.204.2:53 - [1:28190:3] INDICATOR-COMPROMISE Suspicious .cc dns query (x2)
- 2014-10-01 04:44:18 UTC - 192.168.204.147:49838 - 91.194.254.234:80 - [1:25652:3] MALWARE-CNC Win.Trojan.Kryptic variant outbound connection
SCREENSHOTS FROM THE TRAFFIC
Malicious in page from compromised website:
32x32 gate redirecting to Angler EK:
Angler EK delivers the obfuscated malware payload:
Deobfuscate the payload, and you'll find shellcode followed by the malicious binary in the same file:
Carve out the binary, and it appears the de-obfuscation worked:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-10-01-Angler-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-10-01-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.