2014-10-30 - 32X32 GATE LEADS TO ANGLER EK - NO FAKE POP-UP AS SEEN BEFORE WITH THESE 32X32 GATES
ASSOCIATED FILES:
- ZIP of the pcap: 2014-10-30-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2014-10-30-Angler-EK-malware.zip
NOTES:
- Previously, I only saw 32x32 gates with a fake pop-up window, most recently documented on 2014-10-01.
- Today, there was no pop-up window--instead, a Flash file was used in conjuction with the 32x32 gate.
- See the screenshots below for details.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 122.201.118.15:80 - watsonsbayhotel.com.au - Compromised website
- 212.97.132.153 - kj-invest.com - provides Flash used with 32x32 gate
- 184.168.204.1 - newfamilynutrition.com - 32x32 gate
- 208.76.52.55 - qwe.leucaenaleucocephalaporno.net - Angler EK
- various IP addresses - post-infection traffic - see below
COMPROMISED WEBSITE:
- 12:36:55 UTC - 192.168.204.141:49328 - 122.201.118.15:80 - watsonsbayhotel.com.au - GET /
FLASH FILE AND 32X32 GATE:
- 12:37:08 UTC - 192.168.204.141:49352 - 212.97.132.153:80 - kj-invest.com - GET /2de96bd378d6e6614297e27284fdb335.swf
- 12:37:13 UTC - 192.168.204.141:49354 - 184.168.204.1:80 - newfamilynutrition.com - POST /c9e9975e0f51af3ce1354090fb303d8e.php?q=
87086c5336208ce7836edca90ecc8d25
ANGLER EK:
- 12:37:17 UTC - qwe.leucaenaleucocephalaporno.net - GET /7xibe37z48
- 12:37:26 UTC - qwe.leucaenaleucocephalaporno.net - GET /4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi
- 12:37:37 UTC - qwe.leucaenaleucocephalaporno.net - GET /u-mU9vZe-_GNefFwlNYX6lIEN34g8x7Ul41a1MkBxsRG8I2GUvo1GhRV1n9fn9G8
- 12:37:47 UTC - qwe.leucaenaleucocephalaporno.net - GET /7iEM_ztBDM2w9vg0xVKdfpJGf5xRNOXc1TxsaPGLFb3RoEBNnOhxQQ34cvEfWZ6W
- 12:37:48 UTC - qwe.leucaenaleucocephalaporno.net - GET /543tBS48IOu6n62yq1_fqmDQGmfGyQA5U5PR7fI5msXa_W-t2wohzDpVvuje5MPf
- 12:38:07 UTC - qwe.leucaenaleucocephalaporno.net - GET /SNCbVkwM787Yd4m2a6_n0BN3UcBI4N-mBv23JmCnjGIa02cakAh_ETPbWaqdj1Fv
POST-INFECTION TRAFFIC:
- 12:37:35 192.168.204.141:49359 - 208.113.226.171:80 - www.earthtools.org - POST /timezone/0/0
- 12:37:38 UTC - 192.168.204.141:49361 - 23.222.70.93:80 - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
- 12:37:51 UTC - 192.168.204.141:64812 - 192.168.204.2:53 - DNS query for: exwpyvpsfslxqpklm.com (No such name)
- 12:37:57 UTC - 192.168.204.141:64287 - 192.168.204.2:53 - DNS query for: dbirbrdyrfhbem7.com (No such name)
- 12:37:58 UTC - 192.168.204.141:52810 - 192.168.204.2:53 - DNS query for: fjspitysjthgyjut.com (No such name)
- 12:38:01 UTC - 192.168.204.141:52684 - 192.168.204.2:53 - DNS query for: nafreasaozpckabb2.com (No such name)
- 12:38:02 UTC - 192.168.204.141:53297 - 192.168.204.2:53 - DNS query for: zeyepwsksqepmxmgt6.com (No such name)
- 12:38:02 UTC - 192.168.204.141:61305 - 192.168.204.2:53 - DNS query for: xevumdeninsk1.com (No such name)
- 12:38:03 UTC - 192.168.204.141:55659 - 192.168.204.2:53 - DNS query for: xwrobptfqcdzpxp8.com (No such name)
- 12:38:04 UTC - 192.168.204.141:51474 - 192.168.204.2:53 - DNS query for: adisgbbajbjokvr.com (No such name)
- 12:38:04 UTC - 192.168.204.141:56175 - 192.168.204.2:53 - DNS query for: idiexymtmrcxvg.com (No such name)
- 12:38:05 UTC - 192.168.204.141:62667 - 192.168.204.2:53 - DNS query for: gnrsypvuwbisjzxya.com (No such name)
- 12:38:06 UTC - 192.168.204.141:63437 - 192.168.204.2:53 - DNS query for: kqvohmvyfjbwsjrcpx.com (No such name)
- 12:38:06 UTC - 192.168.204.141:63243 - 192.168.204.2:53 - DNS query for: oaeyopqpwmctvstgrv.com (No such name)
- 12:38:07 UTC - 192.168.204.141:63406 - 192.168.204.2:53 - DNS query for: kahljvupkglp.com (resolved to 85.25.211.252)
- 12:38:09 UTC - 192.168.204.141:49379 - 85.25.211.252:443 - HTTPS traffic to kahljvupkglp.com
- 12:38:26 UTC - 192.168.204.141:49381 - 85.25.211.252:443 - HTTPS traffic to kahljvupkglp.com
- 12:47:57 UTC - 192.168.204.141:64875 - 192.168.204.2:53 - DNS query for: indalusia.com (resolved to 134.19.180.30)
- 12:47:58 UTC - 192.168.204.141:49382 - 134.19.180.30:443 - HTTPS traffic to indalusia.com
- 12:48:15 UTC - 192.168.204.141:49384 - 93.158.134.11:80 - yandex.ru - GET /
- 12:48:17 UTC - 192.168.204.141:49385 - 93.158.134.3:80 - www.yandex.ru - GET /
- 12:48:50 UTC - 192.168.204.141:49388 - 134.19.180.30:443 - HTTPS traffic to indalusia.com
- 12:48:54 UTC - 192.168.204.141:49389 - 134.19.180.30:443 - HTTPS traffic to indalusia.com
- 12:49:00 UTC - 192.168.204.141:49390 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe
- 12:49:12 UTC - 192.168.204.141:49391 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe
- 12:49:24 UTC - 192.168.204.141:49392 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe
- 12:49:36 UTC - 192.168.204.141:49393 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe
- 12:49:48 UTC - 192.168.204.141:49394 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-10-30-Angler-EK-flash-exploit.swf
File size: 85.3 KB ( 87352 bytes )
MD5 hash: 23812c5a1d33c9ce61b0882f860d79d6
Detection ratio: 3 / 54
First submission: 2014-10-29 10:25:53 UTC
VirusTotal link: https://www.virustotal.com/en/file/4d29e6e210483817f5a203f8952f9add016bd334d96cd408021a22d8ed43fd66/analysis/
JAVA EXPLOIT
File name: 2014-10-30-Angler-EK-java-exploit.jar
File size: 28.1 KB ( 28769 bytes )
MD5 hash: ed39baded73b3b363d37b6715eba5e47
Detection ratio: 14 / 53
First submission: 2014-10-22 20:11:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/a1741514c12840e657f5e71c269a2ea65135b50dfba6a9a0d757e702072d65d6/analysis/
MALWARE PAYLOAD
File name: 2014-10-30-Angler-EK-malware-payload.dll
File size: 168.9 KB ( 172944 bytes )
MD5 hash: ad666429dfe01397cb331ae4a1aa53bb
Detection ratio: 23 / 53
First submission: 2014-10-30 15:14:54 UTC
VirusTotal link: https://www.virustotal.com/en/file/3c81e1d4550d451c8140c9d4c94fd13ef1886c1aee26f914b9da541a7b3ffd25/analysis/
Malwr.com: https://malwr.com/analysis/MjIwODUyZTMzN2QzNDdhYzljOTU4Yjc4MjBkMjlmM2U/
FOLLOW-UP MALWARE
- Downloaded as: stonepacific.in - GET /ivetta/not.exe (MD5 hash: 4adbf26312d2396def56939fbb204a05)
- Saved to the infected VM as: C:\ProgramData\Windows Genuine Advantage\{B5A81EAD-A1DB-4B01-99A6-E7C61DFD2289}\msiexec.exe
(MD5 hash also: 4adbf26312d2396def56939fbb204a05) - When run, copies itself to: C:\Users\User-1\AppData\Roaming\Ydvon\cydoo.exe (new MD5 hash: c9f3dddb423b761e401ec6459f1e0733)
File name: msiexec.exe
File size: 308.5 KB ( 315904 bytes )
MD5 hash: 4adbf26312d2396def56939fbb204a05
Detection ratio: 3 / 53
First submission: 2014-10-30 15:17:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/15f2f44137fdd1d0f754a37ae3ad807fc47daed45f9c7effc5cab200fa4a22b8/analysis/
Malwr.com: https://malwr.com/analysis/YjlmODViZDEzMjk2NDJlZWI3OTM3NzZiMmE3YTkyMDQ/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-10-30 12:37:13 UTC - 192.168.204.141:49354 - 184.168.204.1:80 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
- 2014-10-30 12:37:19 UTC - 208.76.52.55:80 - 192.168.204.141:49357 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
- 2014-10-30 12:37:19 UTC - 208.76.52.55:80 - 192.168.204.141:49357 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
- 2014-10-30 12:37:28 UTC - 208.76.52.55:80 - 192.168.204.141:49358 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
- 2014-10-30 12:37:37 UTC - 192.168.204.141:49360 - 208.76.52.55:80 - ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
- 2014-10-30 12:37:48 UTC - 192.168.204.141:49364 - 208.76.52.55:80 - ET CURRENT_EVENTS Angler EK Java Exploit URI Struct (sid:2019514)
- 2014-10-30 12:38:07 UTC - 192.168.204.2:53 - 192.168.204.141:63243 - 1ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses (sid:2018316)
- 2014-10-30 12:49:00 UTC - 192.168.204.141:49390 - 109.236.87.219:80 - ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe (sid:2018403)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):
- 2014-10-30 12:37:13 UTC - 192.168.204.141:49354 - 184.168.204.1:80 - [1:30920:1] EXPLOIT-KIT Multiple exploit kit redirection gate
- 2014-10-30 12:37:28 UTC - 208.76.52.55:80 - 192.168.204.141:49358 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
- 2014-10-30 12:37:38 UTC - 208.76.52.55:80 - 192.168.204.141:49360 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
- 2014-10-30 12:49:01 UTC - 109.236.87.219:80 - 192.168.204.141:49390 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-10-30 12:49:01 UTC - 109.236.87.219:80 - 192.168.204.141:49390 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-10-30 12:49:13 UTC - 109.236.87.219:80 - 192.168.204.141:49391 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-10-30 12:49:13 UTC - 109.236.87.219:80 - 192.168.204.141:49391 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-10-30 12:49:24 UTC - 109.236.87.219:80 - 192.168.204.141:49392 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-10-30 12:49:24 UTC - 109.236.87.219:80 - 192.168.204.141:49392 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-10-30 12:49:37 UTC - 109.236.87.219:80 - 192.168.204.141:49393 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-10-30 12:49:37 UTC - 109.236.87.219:80 - 192.168.204.141:49393 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-10-30 12:49:48 UTC - 109.236.87.219:80 - 192.168.204.141:49394 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-10-30 12:49:48 UTC - 109.236.87.219:80 - 192.168.204.141:49394 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
SCREENSHOTS FROM THE TRAFFIC
Malicious script in page from compromised website:
Flash file and 32x32 gate redirecting to Angler EK:
Angler EK delivers the obfuscated malware payload:
Deobfuscate the payload, and you'll find shellcode followed by the malicious binary in the same file:
Carve out the binary, and it appears the de-obfuscation worked:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-10-30-Angler-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-10-30-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.