2014-10-06 - ROTATOR GENERATES ANGLER EK ON 5.135.230.183 7DWS8YZ0K2.SDIOUVB.COM

ASSOCIATED FILES:

• ZIP of the pcap:  2014-10-06-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2014-10-06-Angler-EK-malware.zip

 

NOTES:

• Shout out to @thesyntx, who notified me of two rotator URLs for Angler EK traffic.
• I couldn't generate an infection using the URL at arbuz35.eu, but I managed to infect a VM from the piealy.com rotator.



• As usual, all Angler EK infections I've seen lately are "fileless."
• For more info on these fileless infections, see:  http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 66.85.190.227 - piealy.com - Angler EK rotator
• 5.135.230.183 - 7dws8yz0k2.sdiouvb.com - Angler EK
• Post-infection traffic (see below)

 

ROTATOR AND ANGLER EK:

• 19:53:34 UTC - 66.85.190.227:80 - piealy.com - GET /dist/video.php
• 19:53:34 UTC - 5.135.230.183:80 - 7dws8yz0k2.sdiouvb.com - GET /11lbed8ij7
• 19:53:39 UTC - 5.135.230.183:80 - 7dws8yz0k2.sdiouvb.com - GET /4MDo9ydNKQ0eG-HGf_23ZE9U2b-PLtvgMg1R8JIM7ccHUOTYUQaSzeMZXv6OLQPv
• 19:53:42 UTC - 5.135.230.183:80 - 7dws8yz0k2.sdiouvb.com - GET /saUN83VG9V8R4988xmj2cGKRK6MLtZEN_xQ0QBgLll1R6V6cNdIO5mejTgS8AJmZ

 

POST-INFECTION TRAFFIC:

• 19:53:42 UTC - 192.168.204.139:49162 - 208.113.226.171:80 - www.earthtools.org - POST /timezone/0/0
• 19:53:42 UTC - 192.168.204.139:49163 - 23.46.232.11:80 - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml

• 19:53:43 UTC - 192.168.204.139:55201 - 192.168.204.2:53 - DNS query for: cnggcrqicplruiki9.com
• 19:53:43 UTC - 192.168.204.139:53732 - 192.168.204.2:53 - DNS query for: eqpmlnqzadirebb97.com
• 19:53:43 UTC - 192.168.204.139:63833 - 192.168.204.2:53 - DNS query for: qykilulsnqgp.com
• 19:53:43 UTC - 192.168.204.139:65118 - 192.168.204.2:53 - DNS query for: pfohvgsdiry4b.com
• 19:53:43 UTC - 192.168.204.139:57219 - 192.168.204.2:53 - DNS query for: peelwrxokklnm3.com
• 19:53:43 UTC - 192.168.204.139:62102 - 192.168.204.2:53 - DNS query for: pkokklwtotfyyn70.com
• 19:53:43 UTC - 192.168.204.139:61269 - 192.168.204.2:53 - DNS query for: syrlplnxefighd.com
• 19:53:43 UTC - 192.168.204.139:55164 - 192.168.204.2:53 - DNS query for: crovoylaolerc.com
• 19:53:44 UTC - 192.168.204.139:51892 - 192.168.204.2:53 - DNS query for: dkducygdmscuseds.com
• 19:53:44 UTC - 192.168.204.139:61270 - 192.168.204.2:53 - DNS query for: wfyycttwlwgp3m.com
• 19:53:44 UTC - 192.168.204.139:51071 - 192.168.204.2:53 - DNS query for: rzmluerezlxyxj8e.com
• 19:53:44 UTC - 192.168.204.139:50514 - 192.168.204.2:53 - DNS query for: tocjvqvkkq4p.com
• 19:53:44 UTC - 192.168.204.139:various - 192.168.204.2:53 - DNS query for: zmhudpckkhdzcmhm23.com
• 19:53:45 UTC - 192.168.204.2:53 - 192.168.204.139:various - DNS response: zmhudpckkhdzcmhm23.com is at 188.165.240.108
• 19:53:45 UTC - 192.168.204.139:49165 - 188.165.240.108:443 - Attempted TCP connection (RST by the server)
• 19:53:50 UTC - 192.168.204.139:62397 - 192.168.204.2:53 - DNS query for: qnteykwtavpanj.com
• 19:53:50 UTC - 192.168.204.139:58193 - 192.168.204.2:53 - DNS query for: zykdbxbobhldax.com
• 19:53:50 UTC - 192.168.204.139:56488 - 192.168.204.2:53 - DNS query for: jnlpccqtsfgheyc8.com
• 19:53:50 UTC - 192.168.204.139:60194 - 192.168.204.2:53 - DNS query for: qagrklwtsxq78.com
• 19:53:50 UTC - 192.168.204.139:58469 - 192.168.204.2:53 - DNS query for: xynwchkjgelf0y.com
• 19:53:51 UTC - 192.168.204.139:55537 - 192.168.204.2:53 - DNS query for: xrknffpztdpl6g.com
• 19:53:51 UTC - 192.168.204.139:various - 192.168.204.2:53 - DNS query for: zvrohnmtkxizjrftj.com
• 19:53:51 UTC - 192.168.204.2:53 - 192.168.204.139:various - DNS response: zvrohnmtkxizjrftj.com is at 188.165.240.108
• 19:53:51 UTC - 192.168.204.139:49166 - 188.165.240.108:443 - Attempted TCP connection (RST by the server)
• 19:53:57 UTC - 192.168.204.139:60976 - 192.168.204.2:53 - DNS query for: gwciuyefnodwp.com
• 19:53:57 UTC - 192.168.204.139:57202 - 192.168.204.2:53 - DNS query for: vtmhsldtacooykt8q.com

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-10-06-Angler-EK-flash-exploit.swf
File size:  75.6 KB ( 77368 bytes )
MD5 hash:  2e77d618382e1420313e9f06047e1e61
Detection ratio:  1 / 54
First submission:  2014-10-06 10:50:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cb19baf6a4b65534bfafdb72694967290d6d5f60bd0c4ddbd282f25b878b07d3/analysis/

 

MALWARE PAYLOAD

File name:  2014-10-06-Angler-EK-malware-payload.dll
File size:  169.0 KB ( 173008 bytes )
MD5 hash:  f567643c24d8ca31741172135a47ec61
Detection ratio:  19 / 53
First submission:  2014-10-06 20:06:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e8465f9af2398605658f54bb3529de67f0c242245fb10979c5a0b1cb419b5b2d/analysis/
Malwr link:  https://malwr.com/analysis/N2YxZTc0ODFmZTk3NGM4ZTk5Y2U2MDljZWQ3NDY4ODk/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-10-06 19:53:35 UTC - 5.135.230.183:80 - 192.168.204.139:49160 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
• 2014-10-06 19:53:39 UTC - 5.135.230.183:80 - 192.168.204.139:49161 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not counting preprocessor events):

• 2014-10-06 19:53:35 UTC - 5.135.230.183:80 - 192.168.204.139:49160 - [1:31898:1] EXPLOIT-KIT Angler exploit kit landing page detected
• 2014-10-06 19:53:39 UTC - 5.135.230.183:80 - 192.168.204.139:49161 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
• 2014-10-06 19:53:42 UTC - 5.135.230.183:80 - 192.168.204.139:49160 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download

 

HIGHLIGHTS FROM THE TRAFFIC

Rotator pointing to Angler EK:

 

Angler EK delivering malware payload.  The shellcode and malicious binary are sent together, XOR-ed with the ASCII string: adR2b4nh

 

Deobfuscate the payload, and you can see where the shellcode ends and the malicious binary begins:

 

Carve out the binary, and it appears the de-obfuscation worked:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-10-06-Angler-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-10-06-Angler-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.