2014-11-14 - ANGLER EK FROM 131.72.138.141 - ASD.SONGKILLERBONG.RU
ASSOCIATED FILES:
- ZIP of the pcap: 2014-11-14-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2014-11-14-Angler-EK-malware.zip
NOTES:
- The last time I saw Angler EK on 2014-11-11, it looked like the obfuscation for the malware payload had changed.
- Things look back to normal now in this instance of Angler, with the usual payload obfuscation that I've seen before.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 178.32.110.83 - villagedespruniers.net - Comrpomised website
- 103.15.232.27 - 5108.im - Flash file used with the 32x32 gate
- 184.168.188.1 - cryztalimage.com - 32x32 gate pointing to Angler EK
- 131.72.138.141 - asd.songkillerbong.ru - Angler EK
COMPROMISED WEBSITE:
- 2014-11-14 16:38:40 UTC - 178.32.110.83 - villagedespruniers.net - GET /
32 CHARACTER BY 32 CHARACTER GATE & ASSOCIATED FLASH FILE:
- 2014-11-14 16:38:44 UTC - 103.15.232.27 - 5108.im - GET /ffc661dac86b969a58d02be47c552e10.swf
- 2014-11-14 16:38:46 UTC - 184.168.188.1 - cryztalimage.com - POST /15be5d8ce856135c069d3d971291de84.php?q=cbc5bce82214d8903de060498eff19bc
ANGLER EK:
- 2014-11-14 16:38:47 UTC - 131.72.138.141 - asd.songkillerbong.ru - GET /1e80qbxhfk
- 2014-11-14 16:38:51 UTC - 131.72.138.141 - asd.songkillerbong.ru - GET /hbq-LKhgb-i5DMEe3P-nOZ4IuNo4GpMVfi0Wy_txZI8Pb37c5kjmxRFTSrCum3Th
- 2014-11-14 16:38:54 UTC - 131.72.138.141 - asd.songkillerbong.ru - GET /B8PzE-4l71RXeodT5ghbTWtDtZUWFt1CN8OXKpCv3ZUbR2t6nxYFvdZTkjg5M0hK
- 2014-11-14 16:38:56 UTC - 131.72.138.141 - asd.songkillerbong.ru - GET /cqQYheUWMc0hinYGsuMs1OKKJ9CkmRUL2KS50_7ALLhqlFJGYemgHLaDqbMmqoEk
POST-INFECTION TRAFFIC:
- 2014-11-14 16:38:55 UTC - 192.168.204.148:49640 - 208.113.226.171:80 - www.earthtools.org POST /timezone/0/0
- 2014-11-14 16:38:56 UTC - 192.168.204.148:49641 - 172.233.177.31:80 - www.ecb.europa.eu POST /stats/eurofxref/eurofxref-hist-90d.xml
- 2014-11-14 16:38:57 UTC - 192.168.204.148:64029 - 192.168.204.2:53 - DNS query for: fkpbaixdqfzkzjlr5o.com (No such name)
- 2014-11-14 16:38:57 UTC - 192.168.204.148:49327 - 192.168.204.2:53 - DNS query for: vmkurwvrpzheu.com (No such name)
- 2014-11-14 16:38:57 UTC - 192.168.204.148:60273 - 192.168.204.2;53 - DNS query for: duykfcofkypxwznsir.com (No such name)
- 2014-11-14 16:38:57 UTC - 192.168.204.148:56967 - 192.168.204.2:53 - DNS query for: dyrmbtuxyxjvkhhw.com (No such name)
- 2014-11-14 16:38:58 UTC - 192.168.204.148:52162 - 192.168.204.2:53 - DNS query for: ovurvdwfkf5f.com (No such name)
- 2014-11-14 16:38:58 UTC - 192.168.204.148:59849 - 192.168.204.2:53 - DNS query for: neggmonmdzpxps6.com (No such name)
- 2014-11-14 16:38:59 UTC - 192.168.204.148:49642 - 188.165.227.164:443 - encrypted TCP traffic to: iknjtykhhiwezvtaf.com
- 2014-11-14 16:39:05 UTC - 192.168.204.148:49643 - 188.165.227.164:443 - encrypted TCP traffic to: iknjtykhhiwezvtaf.com
- 2014-11-14 16:41:12 UTC - 192.168.204.148:56424 - 192.168.204.2:53 - DNS query for: rerrasremo.com (resolved to: 188.127.249.35)
- 2014-11-14 16:41:12 UTC - 192.168.204.148:various - 188.127.249.35:80 - attempted TCP connections RST by server
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2014-11-14-Angler-EK-flash-exploit.swf
File size: 43.4 KB ( 44474 bytes )
MD5 hash: fcf12da3baabc7f408c536d7e04692fb
Detection ratio: 1 / 53
First submission: 2014-11-13 22:09:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/9acbf49b990d2915a57cbd0faded2c7f75a7b4e7732860db44aa3e376e2289c7/analysis/
MALWARE PAYLOAD:
File name: 2014-11-14-Angler-EK-malware-payload.dll
File size: 185.5 KB ( 189952 bytes )
MD5 hash: 7c7794f85938710aac5b4db8b7be83c6
Detection ratio: 10 / 54
First submission: 2014-11-15 22:05:17 UTC
VirusTotal link: https://www.virustotal.com/en/file/83e468665a2e0d5b6f2e2282429dac1ff4f497918ba56adfeb662d201bc9024a/analysis/
DROPPED MALWARE:
File name: C:\Users\User-1\AppData\Roaming\Azwaf\wune.exe
File size: 252.6 KB ( 258642 bytes )
MD5 hash: 95b1307ef1074a9d0d24d3832776c96e
Detection ratio: 16 / 55
First submission: 2014-11-15 22:05:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/b432b2e150c97af9d9cb90cbf658629813bc0182c507c88b144f1524b38f7ace/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 2014-11-14 16:38:46 UTC - 192.168.204.148:49637 - 184.168.188.1:80 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
- 2014-11-14 16:38:47 UTC - 131.72.138.141:80 - 192.168.204.148:49638 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
- 2014-11-14 16:38:47 UTC - 131.72.138.141:80 - 192.168.204.148:49638 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
- 2014-11-14 16:38:51 UTC - 131.72.138.141:80 - 192.168.204.148:49639 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
- 2014-11-14 16:38:54 UTC - 192.168.204.148:49638 - 131.72.138.141:80 - ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
- 2014-11-14 16:39:00 UTC - 192.168.204.148:49642 - 188.165.227.164:443 - ET TROJAN Bedep SSL Cert (sid:2019645)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):
- 2014-11-14 16:38:46 UTC - 192.168.204.148:49637 - 184.168.188.1:80 - [1:30920:1] EXPLOIT-KIT Multiple exploit kit redirection gate
- 2014-11-14 16:38:47 UTC - 131.72.138.141:80 - 192.168.204.148:49638 - [1:32390:1] EXPLOIT-KIT Angler exploit kit landing page detected (x2)
- 2014-11-14 16:38:51 UTC - 131.72.138.141:80 - 192.168.204.148:49639 - [1:32390:1] EXPLOIT-KIT Angler exploit kit landing page detected
- 2014-11-14 16:38:51 UTC - 131.72.138.141:80 - 192.168.204.148:49639 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
SCREENSHOTS FROM THE TRAFFIC
Malicious script from the compromised website:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-11-14-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2014-11-14-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.