2015-03-25 - ANGLER EK PUSHES RANSOMWARE
ASSOCIATED FILES:
- ZIP - pcap 1 of 3: 2015-03-23-Angler-EK-with-post-infection-traffic.pcap.zip
- ZIP - pcap 2 of 3: 2015-03-25-Angler-EK-traffic.pcap.zip
- ZIP - pcap 3 of 3: 2015-03-25-post-infection-traffic.pcap.zip
- ZIP - associated malware: 2015-03-25-Angler-EK-malware.zip
NOTES:
- Matthew Mesa informed me these samples are Reveton. It's been a while since I ran across this malware.
- I acquired two samples of this Reveton. The first gave a warning screen in German, and the second was in English.
- Plenty of Angler EK going around... I'm sure Angler is also pushing other types of malware, but I wanted to focus on this payload today.
Shown above: partial screenshot from the first malware sample on 2015-03-23.
Shown above: full screenshot from the second malware sample on 2015-03-25.
CHAIN OF EVENTS
2015-03-23 ANGLER EK:
- 144.76.177.42 port 80 - bezbronnybullfinches.evolvingnutritionllc.com - GET /pews-bathrobe-understatement/2333676765
- 144.76.177.42 port 80 - bezbronnybullfinches.evolvingnutritionllc.com - GET /eS9vXVpGOZhiD1CflWv8J9AeWGa_auetZVWzsTeBZqZTSXlR
- 144.76.177.42 port 80 - bezbronnybullfinches.evolvingnutritionllc.com - GET /VZsq9DV0HzNyc0_HxSiYUpc4_NiyZW729YthGRWUQOssgshN
2015-03-23 POST-INFECTION TRAFFIC:
- 107.181.174.5 port 443 - encrypted or obfuscated traffic
- 107.181.174.5 port 80 - encrypted or obfuscated traffic
- 109.200.5.91 port 443 - encrypted or obfuscated traffic
- 109.200.5.91 port 80 - encrypted or obfuscated traffic
- 162.244.33.159 port 443 - encrypted or obfuscated traffic
- 162.244.33.159 port 80 - encrypted or obfuscated traffic
2015-03-25 ANGLER EK:
- 188.165.230.181 port 80 - daaks-intensiven.buthair.com GET /govern_wickets_insulator/1305714616
- 188.165.230.181 port 80 - daaks-intensiven.buthair.com GET /eY9EzdMyjsjFpXD9v5uIgzKQJg4OsjbkTbQ3TOKcNKZSO2ui
- 188.165.230.181 port 80 - daaks-intensiven.buthair.com GET /JQqtNNYjlHsJNYAFZDsQEJIFAF227hht8nMx0qCyo6HRXuO8
2015-03-25 POST-INFECTION TRAFFIC:
- 107.181.174.5 port 443 - encrypted or obfuscated traffic
- 107.181.174.5 port 80 - encrypted or obfuscated traffic
- 109.200.5.91 port 443 - encrypted or obfuscated traffic
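As an added example (not part of the original writeup or any Emerging Threats rule), this Python script flags HTTP requests whose URI structure matches the Angler EK landing and payload requests recorded in the chain of events above and correlates them per host; the two regexes and the sample log lines are my own constructions based on those URIs, and the log format is assumed.

```python
import re
from collections import defaultdict

# Patterns derived from the Angler EK requests in this chain of events (assumption, not an
# official signature): a landing path of three words joined by '-' or '_' then a 10-digit
# number, followed by 48-character alphanumeric/underscore payload paths.
LANDING_RE = re.compile(r"^/[a-z]+(?:[-_][a-z]+){2}/\d{10}$")
PAYLOAD_RE = re.compile(r"^/[A-Za-z0-9_]{48}$")

def classify_path(path):
    """Return 'landing', 'payload' or None for a single request path."""
    if LANDING_RE.match(path):
        return "landing"
    if PAYLOAD_RE.match(path):
        return "payload"
    return None

def correlate(log_lines):
    """Group GET requests by host and report hosts whose request sequence looks like an
    Angler EK chain: a landing request followed by at least one payload request.
    Each line is 'src_ip dst_ip:port host METHOD path' (constructed format)."""
    per_host = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != "GET":
            continue
        kind = classify_path(parts[4])
        if kind:
            per_host[parts[2]].append(kind)
    suspicious = {}
    for host, kinds in per_host.items():
        if "landing" in kinds:
            first_landing = kinds.index("landing")
            payloads = kinds[first_landing + 1:].count("payload")
            if payloads >= 1:
                suspicious[host] = payloads  # host -> number of payload requests after landing
    return suspicious

# Constructed sample log: the three 2015-03-25 Angler EK requests plus two benign requests.
SAMPLE_LOG = [
    "192.168.1.10 188.165.230.181:80 daaks-intensiven.buthair.com GET /govern_wickets_insulator/1305714616",
    "192.168.1.10 188.165.230.181:80 daaks-intensiven.buthair.com GET /eY9EzdMyjsjFpXD9v5uIgzKQJg4OsjbkTbQ3TOKcNKZSO2ui",
    "192.168.1.10 188.165.230.181:80 daaks-intensiven.buthair.com GET /JQqtNNYjlHsJNYAFZDsQEJIFAF227hht8nMx0qCyo6HRXuO8",
    "192.168.1.10 93.184.216.34:80 www.example.com GET /index.html",
    "192.168.1.10 93.184.216.34:80 www.example.com GET /static/img/logo.png",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))  # {'daaks-intensiven.buthair.com': 2}
```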
SNORT EVENTS
Signature hits from the Emerging Threats and ETPRO rulesets using Suricata on Security Onion (without ET POLICY or ET INFO events):
- 144.76.177.42 port 80 - ETPRO CURRENT_EVENTS Angler EK Landing T1 Feb 16 2015 M2 (sid:2809810)
- 144.76.177.42 port 80 - ETPRO CURRENT_EVENTS Angler EK Landing T1 Feb 16 2015 M2 (sid:2809811)
- 144.76.177.42 port 80 - ETPRO CURRENT_EVENTS Angler EK Payload T1 Feb 16 2015 M2 (sid:2809815)
- 144.76.177.42 port 80 - ET CURRENT_EVENTS Angler EK Payload DL M1 Feb 06 2015 (sid:2020385)
- 144.76.177.42 port 80 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (12) (sid:2020591)
- 144.76.177.42 port 80 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (13) (sid:2020592)
- 144.76.177.42 port 80 - ET CURRENT_EVENTS Possible Angler EK Flash Exploit URI Structure Jan 21 2015 (sid:2020234)
- 107.181.174.5 port 443 - ETPRO TROJAN Win32/Kryptik.BNTH Checkin (sid:2807230)
- 107.181.174.5 port 80 - ETPRO TROJAN Win32/Kryptik.BNTH Checkin (sid:2807230)
- 109.200.5.91 port 443 - ETPRO TROJAN Win32/Kryptik.BNTH Checkin (sid:2807230)
- 109.200.5.91 port 80 - ETPRO TROJAN Win32/Kryptik.BNTH Checkin (sid:2807230)
- 162.244.33.159 port 443 - ETPRO TROJAN Win32/Kryptik.BNTH Checkin (sid:2807230)
- 162.244.33.159 port 80 - ETPRO TROJAN Win32/Kryptik.BNTH Checkin (sid:2807230)
Signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.2 on Debian 7:
- 144.76.177.42 port 80 - [1:33182:1] EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request
- 109.200.5.91 port 80 - [119:31:1] (http_inspect) UNKNOWN METHOD
- 109.200.5.91 port 80 - [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
- 162.244.33.159 port 80 - [119:31:1] (http_inspect) UNKNOWN METHOD
- 162.244.33.159 port 80 - [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
- 107.181.174.5 port 80 - [119:31:1] (http_inspect) UNKNOWN METHOD
- 107.181.174.5 port 80 - [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
MALWARE FROM THE INFECTED HOST
2015-03-23:
File name: C:\ProgramData\ADC290768.cpp (decrypted Angler EK malware payload, a DLL file)
File size: 232.0 KB ( 237568 bytes )
MD5 hash: 95a0cafb24e9edcbdb52e685f7b5a5b3
Detection ratio: 22 / 57
First submission: 2015-03-23 18:56:43 UTC
VirusTotal link: https://www.virustotal.com/en/file/d46699b085adb4e235c80c5359cff975c5b5e3f9e136400d89ad29af8fad4c72/analysis/
File name: C:\ProgramData\C328CD902.zot (another DLL)
File size: 350.5 KB ( 358912 bytes )
MD5 hash: 2479dd9b68bd7c137edae000c728f86d
Detection ratio: 9 / 57
First submission: 2015-03-23 18:59:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/fe3598d7ce646329c95d17f8a6706a4a8f758e780f426b4ec527ff33c4df3b55/analysis/
2015-03-25:
File name: C:\ProgramData\209DC823C.cpp (decrypted Angler EK malware payload, a DLL file)
File size: 176.0 KB ( 180224 bytes )
MD5 hash: 69c381c069c53c385b5d4269e9d922cb
Detection ratio: 3 / 57
First submission: 2015-03-25 17:08:52 UTC
VirusTotal link: https://www.virustotal.com/en/file/4644de6f506cae0ea42adfea787ba5f94772b17d91be8763aa24354e38c7930e/analysis/
File name: C:\ProgramData\209DC823C.cpp (another DLL)
File size: 351.0 KB ( 359424 bytes )
MD5 hash: c894c6ef9041e1bfee0806619a1779ec
Detection ratio: 4 / 57
First submission: 2015-03-25 17:09:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/e685e75497f52d934edc0dca289cc6931c93cdef02bd180200952606875ddbaa/analysis/
FINAL NOTES
Once again, here are the associated files:
- ZIP - pcap 1 of 3: 2015-03-23-Angler-EK-with-post-infection-traffic.pcap.zip
- ZIP - pcap 2 of 3: 2015-03-25-Angler-EK-traffic.pcap.zip
- ZIP - pcap 3 of 3: 2015-03-25-post-infection-traffic.pcap.zip
- ZIP - associated malware: 2015-03-25-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.