2015-01-30 - ANGLER EK FROM 178.32.131.248 - 6JD5C9.CKK.CREACIONESLITERARIAS-KIRK.COM
ASSOCIATED FILES:
- ZIP of the pcap: 2015-01-30-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2015-01-30-Angler-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 178.32.131.248 - 6jd5c9.ckk.creacionesliterarias-kirk.com - Angler EK
ANGLER EK:
- 2015-01-30 17:14:02 UTC - 6jd5c9.ckk.creacionesliterarias-kirk.com - GET /awbveczgfe
- 2015-01-30 17:14:04 UTC - 6jd5c9.ckk.creacionesliterarias-kirk.com - GET /V0tvbfLrxecFkWz53lrSU46AK3JR_KcPelPkUqvi5esGwoX4Jp42TRoGKHKZWIMu
- 2015-01-30 17:14:05 UTC - 6jd5c9.ckk.creacionesliterarias-kirk.com - GET /ZJxYON2cJHpi4w5NkP58X01ORp_DNnODm3OnBBUDeE2282lTkElOmlqxSgOZhyhW
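The three requests above show the shape of an Angler chain as seen on the wire: a short lowercase-alpha landing-page path, then long base64url-looking token paths for the exploit and payload, all on a throw-away subdomain within a few seconds. The following script is an added example (not part of the original write-up) that turns that shape into a triage heuristic over request lines in the same "timestamp - host - GET /path" form used in the chain of events. The two www.example.org lines in SAMPLE_LOG are constructed benign traffic; the regex thresholds and the 60-second window are assumptions chosen to fit this capture, not a published signature.

```python
"""Triage heuristic for Angler EK-style HTTP request chains.

Added example, not part of the original write-up. Input is request lines
in the "YYYY-MM-DD HH:MM:SS UTC - host - GET /path" form used above.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the three Angler lines from the write-up plus two
# benign lines (www.example.org) added here to show a non-match.
SAMPLE_LOG = """\
2015-01-30 17:14:02 UTC - 6jd5c9.ckk.creacionesliterarias-kirk.com - GET /awbveczgfe
2015-01-30 17:14:04 UTC - 6jd5c9.ckk.creacionesliterarias-kirk.com - GET /V0tvbfLrxecFkWz53lrSU46AK3JR_KcPelPkUqvi5esGwoX4Jp42TRoGKHKZWIMu
2015-01-30 17:14:05 UTC - 6jd5c9.ckk.creacionesliterarias-kirk.com - GET /ZJxYON2cJHpi4w5NkP58X01ORp_DNnODm3OnBBUDeE2282lTkElOmlqxSgOZhyhW
2015-01-30 17:14:09 UTC - www.example.org - GET /index.html
2015-01-30 17:14:10 UTC - www.example.org - GET /static/app.js
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - (?P<host>\S+) - GET (?P<path>\S+)$"
)
# Assumed thresholds: landing page is a short lowercase-alpha path (e.g. /awbveczgfe),
# exploit/payload fetches are long base64url-style token paths (64 chars in this capture).
LANDING_RE = re.compile(r"^/[a-z]{6,20}$")
TOKEN_RE = re.compile(r"^/[A-Za-z0-9_-]{48,96}$")


def parse_line(line):
    """Return (timestamp, host, path) for a request line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"], m["path"])


def looks_shadowed(host):
    """Heuristic for a throw-away subdomain bolted onto a registered domain:
    three or more labels, and a leftmost label that mixes letters and digits."""
    labels = host.split(".")
    first = labels[0]
    return (len(labels) >= 3
            and any(c.isdigit() for c in first)
            and any(c.isalpha() for c in first))


def find_angler_chains(log_text, window_seconds=60):
    """One finding per landing-style GET that is followed, on the same host and
    within window_seconds, by at least one token-style GET."""
    requests = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    requests.sort()  # chronological; tuples sort on the datetime first
    findings = []
    for i, (ts, host, path) in enumerate(requests):
        if not LANDING_RE.match(path):
            continue
        deadline = ts + timedelta(seconds=window_seconds)
        followups = [p for (t, h, p) in requests[i + 1:]
                     if h == host and t <= deadline and TOKEN_RE.match(p)]
        if followups:
            findings.append({
                "host": host,
                "landing": path,
                "landing_time": ts.strftime("%Y-%m-%d %H:%M:%S"),
                "followups": followups,
                "shadowed_host": looks_shadowed(host),
            })
    return findings


if __name__ == "__main__":
    for f in find_angler_chains(SAMPLE_LOG):
        print(f"{f['host']}: landing {f['landing']} at {f['landing_time']} UTC, "
              f"{len(f['followups'])} follow-up fetch(es), shadowed-host={f['shadowed_host']}")
```

Run against the sample it reports one chain on 6jd5c9.ckk.creacionesliterarias-kirk.com with two follow-up fetches and flags the host as shadowed-looking; the example.org lines produce nothing. To apply it to a real capture, feed it the HTTP request log exported from the pcap (for instance from Wireshark or Bro/Zeek) reformatted into the same line shape, and treat hits as a trigger to pull the session payloads, not as a verdict on their own.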
SNORT EVENTS
Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):
- 178.32.131.248 port 80 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
- 178.32.131.248 port 80 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
- 178.32.131.248 port 80 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (6) (sid:2020071)
Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:
- 178.32.131.248 port 80 - [1:32390:1] EXPLOIT-KIT Angler exploit kit landing page detected
- 178.32.131.248 port 80 - [1:28612:2] EXPLOIT-KIT Multiple exploit kit Silverlight exploit download
- 178.32.131.248 port 80 - [1:17276:15] FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT:
File name: 2015-01-30-Angler-EK-silverlight-exploit.xap
File size: 45.4 KB ( 46525 bytes )
MD5 hash: 8581593f5a5bccd27540eec5747c7259
Detection ratio: 0 / 57
First submission: 2015-01-30 19:58:52 UTC
VirusTotal link: https://www.virustotal.com/en/file/ca0cd15e28620dcb1b2fb5d29fb6daaa88346d8775139607bd9d2f583415e7b8/analysis/
MALWARE PAYLOAD:
File name: 2015-01-30-Angler-EK-malware-payload.exe
File size: 432.0 KB ( 442372 bytes )
MD5 hash: 8cbe696ba8747078189104ada18c9eb3
Detection ratio: 10 / 56
First submission: 2015-01-30 20:10:10 UTC
VirusTotal link: https://www.virustotal.com/en/file/fedda87e22b4fd705fedae38c313794593829f0deccf3d35d63e5158865726e7/analysis/
Malwr link: https://malwr.com/analysis/MzE2ZWI1N2FmNDAyNGY3NTg4NWQ2MjIxMmI5MGUyYTQ/
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2015-01-30-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2015-01-30-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.