2014-10-01 - 32X32 GATE LEADING TO ANGLER EK ON 66.172.27[.]117 - ASD.CROSSHEADING[.]US

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-10-01-Angler-EK-traffic.pcap.zip
• 2014-10-01-Angler-EK-malware.zip

 

NOTES:

• Another compromised website with the fake pop-up that generates a 32x32 gate to the Angler exploit kit.
• All of the Angler EK infections I've done lately have been the "fileless" type.
• Only the dropped malware is on the infected VM, so and I've had to extract the Flash exploit and malware payload from the pcap.
• For more info on these fileless infections, see: https://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 69.195.124[.]122 - thedogsitterutah[.]com - Compromised website
• 67.230.162[.]218 - ecigarettesguide[.]com - Redirect (32x32 gate)
• 66.172.27[.]117 - asd.crossheading[.]us - Angler EK
• Various IP addresses - various domains - Post-infection traffic (see below)

 

COMPROMISED WEBSITE AND REDIRECT:

• 04:42:34 UTC - 69.195.124[.]122:80 - thedogsitterutah[.]com - GET /
• 04:43:07 UTC - 67.230.162[.]218:80 - ecigarettesguide[.]com - POST /9d1b5208df422355f8b7a23036664b45.php?q=
  5c27b23d5e561969496f6936fcaae860

 

ANGLER EK:

• 04:43:12 - 66.172.27[.]117:80 - asd.crossheading[.]us - GET /1fpeebngto
• 04:43:20 - 66.172.27[.]117:80 - asd.crossheading[.]us - GET /KEHKoiQEo56wMRrvRQUpm8kyjc7lnK4V9_yFjn3VhBP5aTzKU89tqAqI545QlGPx
• 04:43:41 - 66.172.27[.]117:80 - asd.crossheading[.]us - GET /huHOJeuuJfoed4Af96dGvvzmRUL5d1Whhc82A4pN-2Xfb-4j-sv5vYZpWVztoer_
• 04:43:48 - 66.172.27[.]117:80 - asd.crossheading[.]us - GET /Dm17iGorvbaYkkq79msa2xPFekVdI1vBHna3uhDlup9VdkZXPdWCEs6Ja4uETFc7

 

POST-INFECTION CALLBACK TRAFFIC:

• 04:43:38 UTC - www.earthtools[.]org - POST /timezone/0/0
• 04:43:42 UTC - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 04:43:45 UTC - [internal host]:53 - DNS query for: tkfdydtzgvohfb[.]com (did not resolve)
• 04:43:47 UTC - 188.165.202[.]162:443 - HTTPS traffic to pkzaafdeizhy[.]com
• 04:43:59 UTC - 188.165.202[.]162:443 - HTTPS traffic to pkzaafdeizhy[.]com
• 04:44:18 UTC - 91.194.254[.]234:80 - homeinfo[.]cc - POST /common/manual.php

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-01-Angler-EK-flash-exploit.swf
File size:  77,010 bytes
MD5 hash:  ccb4ba9149121353c0424c4027c76328
Detection ratio:  3 / 55
First submission:  2014-09-30 21:50:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5386c90e2bd6acceea7fceca30815bb696567056eeb6a25f764c4737650b5f23/analysis/

 

MALWARE PAYLOAD:

File name:  2014-10-01-Angler-EK-malware-payload.dll
File size:  172,872 bytes
MD5 hash:  91a5902a8cba2584228a15e7f959c1f9
Detection ratio:  30 / 55
First submission:  2014-09-28 06:06:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/41f58c8e4337b445d67a399e7841362a557ccbb866ef3a881638a38667e2b934/analysis/

 

DROPPED FILE:

File name:  DXM_Runtime.pif
File size:  61,440 bytes
MD5 hash:  3b2f182d8df7b8b7ff8c97c2ac039310
Detection ratio:  7 / 55
First submission:  2014-10-01 05:30:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f2259b8871b81cbc4c6ee9d69c53453dbb8c6e1081dc2b18a99024e61c2b5bba/analysis/

 

SIGNATURE EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-10-01 04:43:07 UTC - 67.230.162[.]218:80 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
• 2014-10-01 04:43:13 UTC - 66.172.27[.]117:80 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
• 2014-10-01 04:43:21 UTC - 66.172.27[.]117:80 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
• 2014-10-01 04:44:18 UTC - 91.194.254[.]234:80 - ETPRO TROJAN PWS-Zbot-FANF Checkin (sid:2807194)
• 2014-10-01 04:44:18 UTC - 91.194.254[.]234:80 - ET TROJAN Zbot UA (sid:2015780)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

• 2014-10-01 04:43:07 UTC - 67.230.162[.]218:80 - [1:30920:1] EXPLOIT-KIT Multiple exploit kit redirection gate
• 2014-10-01 04:43:21 UTC - 66.172.27[.]117:80 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
• 2014-10-01 04:43:43 UTC - 66.172.27[.]117:80 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
• 2014-10-01 04:44:16 UTC - [internal host]:53 - [1:28190:3] INDICATOR-COMPROMISE Suspicious .cc dns query (x2)
• 2014-10-01 04:44:18 UTC - 91.194.254[.]234:80 - [1:25652:3] MALWARE-CNC Win.Trojan.Kryptic variant outbound connection

 

SCREENSHOTS FROM THE TRAFFIC

Malicious in page from compromised website:

 

32x32 gate redirecting to Angler EK:

 

Angler EK delivers the obfuscated malware payload:

 

Deobfuscate the payload, and you'll find shellcode followed by the malicious binary in the same file:

 

Carve out the binary, and it appears the de-obfuscation worked:

 

Click here to return to the main page.