2014-10-02 - ANGLER EK FROM 66.172.27.117 - ASD.BINGEVOMITSYNDROMESEXY.NET

ASSOCIATED FILES:

• ZIP of the pcap:  2014-10-02-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2014-10-02-Angler-EK-malware.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 151.1.158.86 - ospedalesantamaria.it - Compromised website
• 148.251.56.156 - fix-mo.tk - Redirect
• 66.172.27.117 - asd.bingevomitsyndromesexy.net - Angler EK
• Various IP addresse - various domains - Post-infection traffic

 

COMPROMISED WEBSITE AND REDIRECT CHAIN:

• 15:12:36 UTC - ospedalesantamaria.it - GET /
• 15:12:38 UTC - ospedalesantamaria.it - GET /en/
• 15:12:44 UTC - fix-mo.tk - GET /player.php?pid=425AB2B199B5331C7BB259E275C1623A1FAC0EE4FAEC782202204B8E05FD73FD87815A
• 15:12:47 UTC - fix-mo.tk - GET /video.php?id=425AB2B199B5331C7BB259E275C1623A1FAC0EE4FAEC782202204B8E05FD73FD87815A

 

ANGLER EK:

• 15:12:48 UTC - asd.bingevomitsyndromesexy.net - GET /dkla91nj38
• 15:12:52 UTC - asd.bingevomitsyndromesexy.net - GET /u-TsUQca68F6SGo2_pJ76MsW_z6XOJNTmk6lRYAo1cMR1iyc6wgP82-MrctQSNqE
• 15:12:57 UTC - asd.bingevomitsyndromesexy.net - GET /dAyVcRNwzMipaYNZgNf6euHH6090UvPcTRWUNJnjX3O4YAnmznOk2-yPz8xAhp29
• 15:13:01 UTC - asd.bingevomitsyndromesexy.net - GET /aFCQqy3BOnBsKgquOrGn6wXoLet0ODZkLfrCBNA9ki18XXAWt1ZG_Wieec9a7z0N

 

POST-INFECTION TRAFFIC:

• 15:12:57 UTC - 192.168.204.148:49882 - 94.229.164.169:80 - ingimex.com - POST /
• 15:12:58 UTC - 192.168.204.148:49883 - 84.95.248.125:80 - mavlet.com - POST /
• 15:12:58 UTC - 192.168.204.148:49884 - 181.224.152.217:80 - raboo.com - POST /
• 15:12:58 UTC - 192.168.204.148:49886 - 212.103.94.10:80 - aiglon.ch - POST /
• 15:12:58 UTC - 192.168.204.148:49888 - 91.204.149.25:80 - vrad.spb.ru - POST /
• 15:12:58 UTC - 192.168.204.148:49887 - 74.81.186.49:80 - tndha.org - POST /
• 15:12:58 UTC - 192.168.204.148:49882 - 94.229.164.169:80 - ingimex.com - POST /
• 15:12:58 UTC - 192.168.204.148:49885 - 103.21.58.244:80 - rmcet.com - POST /
• 15:12:58 UTC - 192.168.204.148:49889 - 186.202.126.213:80 - dujua.com.br - POST /
• 15:12:58 UTC - 192.168.204.148:49884 - 181.224.152.217:80 - raboo.com - POST /
• 15:12:58 UTC - 192.168.204.148:49883 - 84.95.248.125:80 - mavlet.com - POST /
• 15:12:58 UTC - 192.168.204.148:49890 - 219.94.129.195:80 - mlc-edu.com - POST /
• 15:12:58 UTC - 192.168.204.148:49891 - 5.135.250.122:80 - sdcea.org - POST /
• 15:12:59 UTC - 192.168.204.148:49890 - 219.94.129.195:80 - mlc-edu.com - POST /
• 15:12:59 UTC - 192.168.204.148:49892 - 67.220.209.116:80 - cdnins.com - POST /
• 15:12:59 UTC - 192.168.204.148:49893 - 207.58.182.49:80 - dilmar.com - POST /
• 15:12:59 UTC - 192.168.204.148:49894 - 65.107.59.68:80 - lvcpa.biz - POST /
• 15:12:59 UTC - 192.168.204.148:49898 - 91.142.245.67:80 - sie-mar.com - POST /
• 15:12:59 UTC - 192.168.204.148:49893 - 207.58.182.49:80 - dilmar.com - POST /
• 15:12:59 UTC - 192.168.204.148:49895 - 69.94.125.52:80 - hostings.com - POST /
• 15:12:59 UTC - 192.168.204.148:49896 - 70.34.33.191:80 - restpro.com - POST /
• 15:12:59 UTC - 192.168.204.148:49897 - 207.178.244.196:80 - mjrcpas.com - POST /
• 15:13:00 UTC - 192.168.204.148:49901 - 213.198.78.226:80 - com-sit.com - POST /
• 15:13:00 UTC - 192.168.204.148:49900 - 70.32.76.86:80 - pcg.com - POST /
• 15:13:00 UTC - 192.168.204.148:49902 - 67.43.0.183:80 - oiart.org - POST /
• 15:13:00 UTC - 192.168.204.148:49899 - 202.67.10.155:80 - akr.co.id - POST /
• 15:13:00 UTC - 192.168.204.148:49903 - 74.86.82.253:80 - kitadol.com - POST /
• 15:13:00 UTC - 192.168.204.148:49904 - 213.198.78.226:80 - com-sit.com - POST /
• 15:13:01 UTC - 192.168.204.148:49905 - 87.98.234.130:80 - wigor.com.pl - POST /
• 15:13:01 UTC - 192.168.204.148:49908 - 5.9.60.213:80 - fbchh.org - POST /
• 15:13:01 UTC - 192.168.204.148:49906 - 195.230.181.117:80 - fsk.at - POST /
• 15:13:01 UTC - 192.168.204.148:49909 - 64.207.144.34:80 - x1.com - POST /
• 15:13:01 UTC - 192.168.204.148:49907 - 206.47.93.124:80 - mgs.tv - POST /
• 15:13:01 UTC - 192.168.204.148:49910 - 23.235.228.162:80 - masph.com - POST /
• 15:13:01 UTC - 192.168.204.148:49911 - 78.189.184.192:80 - adf.org.tr - POST /
• 15:13:02 UTC - 192.168.204.148:49912 - 212.97.33.117:80 - oreggia.com - POST /
• 15:13:02 UTC - 192.168.204.148:49913 - 64.14.74.41:80 - abdg.com - POST /
• 15:13:02 UTC - 192.168.204.148:49914 - 5.135.76.168:80 - frimeset.com - POST /

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-02-Angler-EK-flash-exploit.swf
File size:  75.2 KB ( 77010 bytes )
MD5 hash:  ccb4ba9149121353c0424c4027c76328
Detection ratio:  3 / 55
First submission:  2014-09-30 21:50:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5386c90e2bd6acceea7fceca30815bb696567056eeb6a25f764c4737650b5f23/analysis/

 

MALWARE PAYLOAD:

File name:  2014-10-02-Angler-EK-malware-payload.exe
File size:  81.2 KB ( 83192 bytes )
MD5 hash:  8f81161ea6fb29fb27f0ec4aecbee177
Detection ratio:  5 / 55
First submission:  2014-10-02 14:02:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2b7351c4975b6df7d05baa53eaf0a47ff7ef3d5a8e3884850aa38838ae256413/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-10-02 15:12:49 UTC - 66.172.27.117:80 - 192.168.204.148:49879 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
• 2014-10-02 15:12:54 UTC - 66.172.27.117:80 - 192.168.204.148:49880 - ET CURRENT_EVENTS Angler EK encrypted binary (6) (sid:2018510)
• 2014-10-02 15:12:57 UTC - 192.168.204.148:49882 - 94.229.164.169:80 - ET TROJAN Backdoor.Win32.Pushdo.s Checkin (sid:2016867)
• 2014-10-02 15:13:02 UTC - 5.135.76.168:80 - 192.168.204.148:49914 - ET TROJAN Pushdo.S CnC response (sid:2018897)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

• 2014-10-02 15:12:54 UTC - 66.172.27.117:80 - 192.168.204.148:49880 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
• 2014-10-02 15:12:54 UTC - 66.172.27.117:80 - 192.168.204.148:49880 - [1:31331:1] EXPLOIT-KIT Angler exploit kit encrypted binary download

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious script in page from compromised website:

 

Redirect pointing to Angler EK:

 

Angler EK delivers the malware payload:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-10-02-Angler-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-10-02-Angler-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.