2014-10-30 - 32X32 GATE LEADS TO ANGLER EK - NO FAKE POP-UP AS SEEN BEFORE WITH THESE 32X32 GATES

ASSOCIATED FILES:

• ZIP of the pcap:  2014-10-30-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2014-10-30-Angler-EK-malware.zip

NOTES:

• Previously, I only saw 32x32 gates with a fake pop-up window, most recently documented on 2014-10-01.
• Today, there was no pop-up window--instead, a Flash file was used in conjuction with the 32x32 gate.
• See the screenshots below for details.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 122.201.118.15:80 - watsonsbayhotel.com.au - Compromised website
• 212.97.132.153 - kj-invest.com - provides Flash used with 32x32 gate
• 184.168.204.1 - newfamilynutrition.com - 32x32 gate
• 208.76.52.55 - qwe.leucaenaleucocephalaporno.net - Angler EK
• various IP addresses - post-infection traffic - see below

 

COMPROMISED WEBSITE:

• 12:36:55 UTC - 192.168.204.141:49328 - 122.201.118.15:80 - watsonsbayhotel.com.au - GET /

 

FLASH FILE AND 32X32 GATE:

• 12:37:08 UTC - 192.168.204.141:49352 - 212.97.132.153:80 - kj-invest.com - GET /2de96bd378d6e6614297e27284fdb335.swf
• 12:37:13 UTC - 192.168.204.141:49354 - 184.168.204.1:80 - newfamilynutrition.com - POST /c9e9975e0f51af3ce1354090fb303d8e.php?q=
  87086c5336208ce7836edca90ecc8d25

 

ANGLER EK:

• 12:37:17 UTC - qwe.leucaenaleucocephalaporno.net - GET /7xibe37z48
• 12:37:26 UTC - qwe.leucaenaleucocephalaporno.net - GET /4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi
• 12:37:37 UTC - qwe.leucaenaleucocephalaporno.net - GET /u-mU9vZe-_GNefFwlNYX6lIEN34g8x7Ul41a1MkBxsRG8I2GUvo1GhRV1n9fn9G8
• 12:37:47 UTC - qwe.leucaenaleucocephalaporno.net - GET /7iEM_ztBDM2w9vg0xVKdfpJGf5xRNOXc1TxsaPGLFb3RoEBNnOhxQQ34cvEfWZ6W
• 12:37:48 UTC - qwe.leucaenaleucocephalaporno.net - GET /543tBS48IOu6n62yq1_fqmDQGmfGyQA5U5PR7fI5msXa_W-t2wohzDpVvuje5MPf
• 12:38:07 UTC - qwe.leucaenaleucocephalaporno.net - GET /SNCbVkwM787Yd4m2a6_n0BN3UcBI4N-mBv23JmCnjGIa02cakAh_ETPbWaqdj1Fv

 

POST-INFECTION TRAFFIC:

• 12:37:35 192.168.204.141:49359 - 208.113.226.171:80 - www.earthtools.org - POST /timezone/0/0
• 12:37:38 UTC - 192.168.204.141:49361 - 23.222.70.93:80 - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml

• 12:37:51 UTC - 192.168.204.141:64812 - 192.168.204.2:53 - DNS query for: exwpyvpsfslxqpklm.com (No such name)
• 12:37:57 UTC - 192.168.204.141:64287 - 192.168.204.2:53 - DNS query for: dbirbrdyrfhbem7.com (No such name)
• 12:37:58 UTC - 192.168.204.141:52810 - 192.168.204.2:53 - DNS query for: fjspitysjthgyjut.com (No such name)
• 12:38:01 UTC - 192.168.204.141:52684 - 192.168.204.2:53 - DNS query for: nafreasaozpckabb2.com (No such name)
• 12:38:02 UTC - 192.168.204.141:53297 - 192.168.204.2:53 - DNS query for: zeyepwsksqepmxmgt6.com (No such name)
• 12:38:02 UTC - 192.168.204.141:61305 - 192.168.204.2:53 - DNS query for: xevumdeninsk1.com (No such name)
• 12:38:03 UTC - 192.168.204.141:55659 - 192.168.204.2:53 - DNS query for: xwrobptfqcdzpxp8.com (No such name)
• 12:38:04 UTC - 192.168.204.141:51474 - 192.168.204.2:53 - DNS query for: adisgbbajbjokvr.com (No such name)
• 12:38:04 UTC - 192.168.204.141:56175 - 192.168.204.2:53 - DNS query for: idiexymtmrcxvg.com (No such name)
• 12:38:05 UTC - 192.168.204.141:62667 - 192.168.204.2:53 - DNS query for: gnrsypvuwbisjzxya.com (No such name)
• 12:38:06 UTC - 192.168.204.141:63437 - 192.168.204.2:53 - DNS query for: kqvohmvyfjbwsjrcpx.com (No such name)
• 12:38:06 UTC - 192.168.204.141:63243 - 192.168.204.2:53 - DNS query for: oaeyopqpwmctvstgrv.com (No such name)
• 12:38:07 UTC - 192.168.204.141:63406 - 192.168.204.2:53 - DNS query for: kahljvupkglp.com (resolved to 85.25.211.252)
• 12:38:09 UTC - 192.168.204.141:49379 - 85.25.211.252:443 - HTTPS traffic to kahljvupkglp.com
• 12:38:26 UTC - 192.168.204.141:49381 - 85.25.211.252:443 - HTTPS traffic to kahljvupkglp.com

• 12:47:57 UTC - 192.168.204.141:64875 - 192.168.204.2:53 - DNS query for: indalusia.com (resolved to 134.19.180.30)
• 12:47:58 UTC - 192.168.204.141:49382 - 134.19.180.30:443 - HTTPS traffic to indalusia.com
• 12:48:15 UTC - 192.168.204.141:49384 - 93.158.134.11:80 - yandex.ru - GET /
• 12:48:17 UTC - 192.168.204.141:49385 - 93.158.134.3:80 - www.yandex.ru - GET /
• 12:48:50 UTC - 192.168.204.141:49388 - 134.19.180.30:443 - HTTPS traffic to indalusia.com
• 12:48:54 UTC - 192.168.204.141:49389 - 134.19.180.30:443 - HTTPS traffic to indalusia.com
• 12:49:00 UTC - 192.168.204.141:49390 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe
• 12:49:12 UTC - 192.168.204.141:49391 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe
• 12:49:24 UTC - 192.168.204.141:49392 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe
• 12:49:36 UTC - 192.168.204.141:49393 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe
• 12:49:48 UTC - 192.168.204.141:49394 - 109.236.87.219:80 - stonepacific.in - GET /ivetta/not.exe

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-10-30-Angler-EK-flash-exploit.swf
File size:  85.3 KB ( 87352 bytes )
MD5 hash:  23812c5a1d33c9ce61b0882f860d79d6
Detection ratio:  3 / 54
First submission:  2014-10-29 10:25:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4d29e6e210483817f5a203f8952f9add016bd334d96cd408021a22d8ed43fd66/analysis/

 

JAVA EXPLOIT

File name:  2014-10-30-Angler-EK-java-exploit.jar
File size:  28.1 KB ( 28769 bytes )
MD5 hash:  ed39baded73b3b363d37b6715eba5e47
Detection ratio:  14 / 53
First submission:  2014-10-22 20:11:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a1741514c12840e657f5e71c269a2ea65135b50dfba6a9a0d757e702072d65d6/analysis/

 

MALWARE PAYLOAD

File name:  2014-10-30-Angler-EK-malware-payload.dll
File size:  168.9 KB ( 172944 bytes )
MD5 hash:  ad666429dfe01397cb331ae4a1aa53bb
Detection ratio:  23 / 53
First submission:  2014-10-30 15:14:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3c81e1d4550d451c8140c9d4c94fd13ef1886c1aee26f914b9da541a7b3ffd25/analysis/
Malwr.com:  https://malwr.com/analysis/MjIwODUyZTMzN2QzNDdhYzljOTU4Yjc4MjBkMjlmM2U/

 

FOLLOW-UP MALWARE

• Downloaded as:  stonepacific.in - GET /ivetta/not.exe (MD5 hash: 4adbf26312d2396def56939fbb204a05)
• Saved to the infected VM as:  C:\ProgramData\Windows Genuine Advantage\{B5A81EAD-A1DB-4B01-99A6-E7C61DFD2289}\msiexec.exe
  (MD5 hash also: 4adbf26312d2396def56939fbb204a05)
• When run, copies itself to:  C:\Users\User-1\AppData\Roaming\Ydvon\cydoo.exe (new MD5 hash: c9f3dddb423b761e401ec6459f1e0733)

File name:  msiexec.exe
File size:  308.5 KB ( 315904 bytes )
MD5 hash:  4adbf26312d2396def56939fbb204a05
Detection ratio:  3 / 53
First submission:  2014-10-30 15:17:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/15f2f44137fdd1d0f754a37ae3ad807fc47daed45f9c7effc5cab200fa4a22b8/analysis/
Malwr.com:  https://malwr.com/analysis/YjlmODViZDEzMjk2NDJlZWI3OTM3NzZiMmE3YTkyMDQ/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-10-30 12:37:13 UTC - 192.168.204.141:49354 - 184.168.204.1:80 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
• 2014-10-30 12:37:19 UTC - 208.76.52.55:80 - 192.168.204.141:49357 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
• 2014-10-30 12:37:19 UTC - 208.76.52.55:80 - 192.168.204.141:49357 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
• 2014-10-30 12:37:28 UTC - 208.76.52.55:80 - 192.168.204.141:49358 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
• 2014-10-30 12:37:37 UTC - 192.168.204.141:49360 - 208.76.52.55:80 - ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
• 2014-10-30 12:37:48 UTC - 192.168.204.141:49364 - 208.76.52.55:80 - ET CURRENT_EVENTS Angler EK Java Exploit URI Struct (sid:2019514)
• 2014-10-30 12:38:07 UTC - 192.168.204.2:53 - 192.168.204.141:63243 - 1ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses (sid:2018316)
• 2014-10-30 12:49:00 UTC - 192.168.204.141:49390 - 109.236.87.219:80 - ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe (sid:2018403)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

• 2014-10-30 12:37:13 UTC - 192.168.204.141:49354 - 184.168.204.1:80 - [1:30920:1] EXPLOIT-KIT Multiple exploit kit redirection gate
• 2014-10-30 12:37:28 UTC - 208.76.52.55:80 - 192.168.204.141:49358 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
• 2014-10-30 12:37:38 UTC - 208.76.52.55:80 - 192.168.204.141:49360 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
• 2014-10-30 12:49:01 UTC - 109.236.87.219:80 - 192.168.204.141:49390 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:01 UTC - 109.236.87.219:80 - 192.168.204.141:49390 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-10-30 12:49:13 UTC - 109.236.87.219:80 - 192.168.204.141:49391 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:13 UTC - 109.236.87.219:80 - 192.168.204.141:49391 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-10-30 12:49:24 UTC - 109.236.87.219:80 - 192.168.204.141:49392 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:24 UTC - 109.236.87.219:80 - 192.168.204.141:49392 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-10-30 12:49:37 UTC - 109.236.87.219:80 - 192.168.204.141:49393 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:37 UTC - 109.236.87.219:80 - 192.168.204.141:49393 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-10-30 12:49:48 UTC - 109.236.87.219:80 - 192.168.204.141:49394 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:48 UTC - 109.236.87.219:80 - 192.168.204.141:49394 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected

 

SCREENSHOTS FROM THE TRAFFIC

Malicious script in page from compromised website:

 

Flash file and 32x32 gate redirecting to Angler EK:

 

Angler EK delivers the obfuscated malware payload:

 

Deobfuscate the payload, and you'll find shellcode followed by the malicious binary in the same file:

 

Carve out the binary, and it appears the de-obfuscation worked:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-10-30-Angler-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-10-30-Angler-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.