2014-11-10 - ANGLER EK FROM 94.23.50.217 - POMPEZNE1-BUDDH.SEEK4AUTOS.COM
ASSOCIATED FILES:
- ZIP of the pcap: 2014-11-10-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2014-11-10-Angler-EK-malware.zip
NOTES:
- The same malware payload was sent 3 times--first through the IE CVE-2013-2551 exploit, then through a Flash exploit, and finally through a Java exploit.
- Interesting how the Angler EK landing page is visible in an iframe on the compromised website:
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 62.149.130.62 - www.informatica-speedy.eu - Compromised website
- 81.169.145.158 - mosens.de - Redirect
- 94.23.50.217 - pompezne1-buddh.seek4autos.com - Angler EK
COMPROMISED WEBSITE:
- 2014-11-10 16:20:05 UTC - 192.168.204.129:49169 - 62.149.130.62:80 - www.informatica-speedy.eu - GET /realizzazionesiti.jpg
GATE/REDIRECT:
- 2014-11-10 16:20:06 UTC - 192.168.204.129:49170 - 81.169.145.158:80 - mosens.de - GET /nx8hjl2k.php?id=44356642
ANGLER EK:
- 2014-11-10 16:20:07 UTC - 192.168.204.129:49172 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com - GET /t0fjps4g07.php
- 2014-11-10 16:20:12 UTC - 192.168.204.129:49173 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com -
GET /Y7qABlNW45lahCYH-nyavqdPO0LjZPp4w4KbCo7YP5PeIeKiWvHVFvxeYE00ryag
- 2014-11-10 16:20:16 UTC - 192.168.204.129:49172 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com -
GET /vFtFvOpvREe14sOslWM-E4HCe1jsS_trlkAX1dxCS-B1Wwgeeis9dQ2RgwBXZ8Vh
- 2014-11-10 16:20:20 UTC - 192.168.204.129:49173 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com -
GET /VHjv8S4yVLy2ttiHD9k_jDOpxjKNi7BQaguw109LZiDuwFlQcDCRRuDaF_mKtW1-
- 2014-11-10 16:20:30 UTC - 192.168.204.129:49174 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com -
GET /SiFD6kbdAKhQ5r3wDNMJ_kkJ6RMY5QBu1IrmgestykRmYp4gCtBJn8MV21B5U_Tt
- 2014-11-10 16:20:32 UTC - 192.168.204.129:49175 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com -
GET /R8k651UX6XTySEmSTg8PYK-kpTCEgizoxso2T6rW3QeON5hfn-DRlj1mPAq1h25N
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-11-10-Angler-EK-flash-exploit.swf
File size: 85.3 KB ( 87356 bytes )
MD5 hash: eb91cb6ece528db741d1a7cc7c767250
Detection ratio: 1 / 55
First submission: 2014-11-07 20:48:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/b6330cfa21822aa08fb4825f50a4126cbbe04a7f3aebd7c54379888e420e74c1/analysis/
JAVA EXPLOIT
File name: 2014-11-10-Angler-EK-java-exploit.jar
File size: 28.1 KB ( 28769 bytes )
MD5 hash: ed39baded73b3b363d37b6715eba5e47
Detection ratio: 26 / 55
First submission: 2014-10-22 20:11:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/a1741514c12840e657f5e71c269a2ea65135b50dfba6a9a0d757e702072d65d6/analysis/
MALWARE PAYLOAD
File name: 2014-11-10-Angler-EK-malware-payload.dll
File size: 256.0 KB ( 262144 bytes )
MD5 hash: e80880c6a8ed62a9a81251505303ffdc
Detection ratio: 5 / 50
First submission: 2014-11-10 17:06:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/a4d665a28e166dd89e353b39d3530548f5becdc239566a618574699f8e577a08/analysis/
Same payload sent 3 times...
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-11-10 16:20:05 UTC - 62.149.130.62:80 - 192.168.204.129:49169 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag (sid:2018053)
- 2014-11-10 16:20:07 UTC - 94.23.50.217:80 - 192.168.204.129:49172 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
- 2014-11-10 16:20:12 UTC - 94.23.50.217:80 - 192.168.204.129:49173 - ET CURRENT_EVENTS Angler EK encrypted binary (6) (sid:2018510)
- 2014-11-10 16:20:16 UTC - 192.168.204.129:49172 - 94.23.50.217:80 - ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
- 2014-11-10 16:20:21 UTC - 94.23.50.217:80 - 192.168.204.129:49173 - ET CURRENT_EVENTS Angler EK encrypted binary (5) (sid:2018509)
- 2014-11-10 16:20:30 UTC - 192.168.204.129:49174 - 94.23.50.217:80 - ET CURRENT_EVENTS Angler EK Java Exploit URI Struct (sid:2019514)
- 2014-11-10 16:20:33 UTC - 94.23.50.217:80 - 192.168.204.129:49175 - ET TROJAN Angler EK encrypted binary (7) (sid:2018511)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):
- 2014-11-10 16:20:07 UTC - 94.23.50.217:80 - 192.168.204.129:various - [1:32390:1] EXPLOIT-KIT Angler exploit kit landing page detected (x6)
- 2014-11-10 16:20:12 UTC - 94.23.50.217:80 - 192.168.204.129:various - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x16)
- 2014-11-10 16:20:12 UTC - 94.23.50.217:80 - 192.168.204.129:49173 - [1:31331:1] EXPLOIT-KIT Angler exploit kit encrypted binary download
- 2014-11-10 16:20:16 UTC - 94.23.50.217:80 - 192.168.204.129:49172 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
- 2014-11-10 16:20:21 UTC - 94.23.50.217:80 - 192.168.204.129:49173 - [1:31899:1] EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected (x16)
- 2014-11-10 16:20:33 UTC - 94.23.50.217:80 - 192.168.204.129:49175 - [1:31901:1] EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected (x16)
- 2014-11-10 16:20:33 UTC - 94.23.50.217:80 - 192.168.204.129:49175 - [1:31694:1] EXPLOIT-KIT Angler exploit kit encrypted binary download
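The chain of events and the Snort events above describe the same flows from two angles. As an added example (not part of the original write-up, and not a tool from the site), the script below joins the two lists: it parses the HTTP request lines and the Emerging Threats alert lines as they appear above, finds the client-side port of each alert regardless of the direction the rule logged, and attaches each alert to the most recent request on that port. The assumptions are mine: the infected host lives in 192.168.0.0/16, an alert belongs to a request that started within 5 seconds before it, and the Sourcefire VRT lines are left out because they list "various" client ports and cannot be joined the same way. The sample data is copied from the write-up, using the IPs as they appear in every other line.

```python
import re
from datetime import datetime

# Sample input copied from the write-up above: HTTP requests from the chain of
# events and the Emerging Threats alerts from the Snort events section.
HTTP_LINES = """\
- 2014-11-10 16:20:05 UTC - 192.168.204.129:49169 - 62.149.130.62:80 - www.informatica-speedy.eu - GET /realizzazionesiti.jpg
- 2014-11-10 16:20:06 UTC - 192.168.204.129:49170 - 81.169.145.158:80 - mosens.de - GET /nx8hjl2k.php?id=44356642
- 2014-11-10 16:20:07 UTC - 192.168.204.129:49172 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com - GET /t0fjps4g07.php
- 2014-11-10 16:20:12 UTC - 192.168.204.129:49173 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com - GET /Y7qABlNW45lahCYH-nyavqdPO0LjZPp4w4KbCo7YP5PeIeKiWvHVFvxeYE00ryag
- 2014-11-10 16:20:16 UTC - 192.168.204.129:49172 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com - GET /vFtFvOpvREe14sOslWM-E4HCe1jsS_trlkAX1dxCS-B1Wwgeeis9dQ2RgwBXZ8Vh
- 2014-11-10 16:20:20 UTC - 192.168.204.129:49173 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com - GET /VHjv8S4yVLy2ttiHD9k_jDOpxjKNi7BQaguw109LZiDuwFlQcDCRRuDaF_mKtW1-
- 2014-11-10 16:20:30 UTC - 192.168.204.129:49174 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com - GET /SiFD6kbdAKhQ5r3wDNMJ_kkJ6RMY5QBu1IrmgestykRmYp4gCtBJn8MV21B5U_Tt
- 2014-11-10 16:20:32 UTC - 192.168.204.129:49175 - 94.23.50.217:80 - pompezne1-buddh.seek4autos.com - GET /R8k651UX6XTySEmSTg8PYK-kpTCEgizoxso2T6rW3QeON5hfn-DRlj1mPAq1h25N
"""

ALERT_LINES = """\
- 2014-11-10 16:20:05 UTC - 62.149.130.62:80 - 192.168.204.129:49169 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag (sid:2018053)
- 2014-11-10 16:20:07 UTC - 94.23.50.217:80 - 192.168.204.129:49172 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
- 2014-11-10 16:20:12 UTC - 94.23.50.217:80 - 192.168.204.129:49173 - ET CURRENT_EVENTS Angler EK encrypted binary (6) (sid:2018510)
- 2014-11-10 16:20:16 UTC - 192.168.204.129:49172 - 94.23.50.217:80 - ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
- 2014-11-10 16:20:21 UTC - 94.23.50.217:80 - 192.168.204.129:49173 - ET CURRENT_EVENTS Angler EK encrypted binary (5) (sid:2018509)
- 2014-11-10 16:20:30 UTC - 192.168.204.129:49174 - 94.23.50.217:80 - ET CURRENT_EVENTS Angler EK Java Exploit URI Struct (sid:2019514)
- 2014-11-10 16:20:33 UTC - 94.23.50.217:80 - 192.168.204.129:49175 - ET TROJAN Angler EK encrypted binary (7) (sid:2018511)
"""

REQ_RE = re.compile(r"^(?P<ts>\S+ \S+) UTC - (?P<src>[\d.]+):(?P<sport>\d+) - "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<host>\S+) - (?P<req>.+)$")
ALERT_RE = re.compile(r"^(?P<ts>\S+ \S+) UTC - (?P<a>[\d.]+):(?P<ap>\d+) - "
                      r"(?P<b>[\d.]+):(?P<bp>\d+) - (?P<msg>.+) \(sid:(?P<sid>\d+)\)$")

CLIENT_PREFIX = "192.168."   # assumption: the infected host's network in this pcap


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_requests(text):
    """One dict per HTTP request line; 'sids' is filled in by correlate()."""
    out = []
    for line in text.splitlines():
        m = REQ_RE.match(line.strip().lstrip("- "))
        if not m:
            continue
        out.append({"ts": parse_ts(m["ts"]), "port": int(m["sport"]), "host": m["host"],
                    "uri": m["req"].split(" ", 1)[1], "sids": []})
    return out


def parse_alerts(text):
    """One dict per alert line, keyed on the client-side port.
    Snort logs src->dst in whichever direction the rule matched, so the
    client port may be on either side of the line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip().lstrip("- "))
        if not m:
            continue
        port = int(m["ap"]) if m["a"].startswith(CLIENT_PREFIX) else int(m["bp"])
        out.append({"ts": parse_ts(m["ts"]), "port": port, "msg": m["msg"], "sid": int(m["sid"])})
    return out


def correlate(requests, alerts, max_lag_seconds=5):
    """Attach each alert to the most recent request on the same client port that
    started at or before the alert, within max_lag_seconds (assumed window).
    A port carries several requests when the browser reuses a keep-alive
    connection (49172 and 49173 above), so timestamp order, not the port alone,
    decides which request an alert belongs to. Returns (requests, unmatched)."""
    reqs = sorted(requests, key=lambda r: r["ts"])
    unmatched = []
    for a in alerts:
        candidates = [r for r in reqs
                      if r["port"] == a["port"] and r["ts"] <= a["ts"]
                      and (a["ts"] - r["ts"]).total_seconds() <= max_lag_seconds]
        if candidates:
            candidates[-1]["sids"].append(a["sid"])
        else:
            unmatched.append(a)
    return reqs, unmatched


def build_timeline():
    reqs, _unmatched = correlate(parse_requests(HTTP_LINES), parse_alerts(ALERT_LINES))
    return reqs


def print_timeline(reqs):
    for r in reqs:
        flag = "ALERT" if r["sids"] else "     "
        print(f'{r["ts"]:%H:%M:%S} {flag} :{r["port"]} {r["host"]}{r["uri"][:32]:<32} sids={r["sids"]}')


if __name__ == "__main__":
    print_timeline(build_timeline())
```

The output makes one gap visible that the two lists do not show side by side: every Angler request on 94.23.50.217 and the compromised site's injected script got an ET alert, but the gate request to mosens.de (port 49170) triggered nothing, so a hunt that pivots only on alerts would miss the redirector and have to recover it from the referer chain in the pcap.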
HIGHLIGHTS FROM THE TRAFFIC
Angler EK landing page:
Angler EK sends Flash exploit:
Angler EK sends Java exploit:
EXE payload sent after successful IE, Flash, and Java exploits:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-11-10-Angler-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-11-10-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.