2015-05-05 - ANGLER EK FROM 94.242.255.53
ASSOCIATED FILES:
- PCAPs of the traffic: 2015-05-05-Angler-EK-pcaps.zip
- ZIP file of the malware: 2015-05-05-Angler-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 94.242.255.53 - citerasnonassistance.continuumconsultinggroup.com - Angler EK
- 146.185.221.157 - uptodayscale.eu - Post-infection traffic
- 46.151.52.114 - mastertodayversion.eu - Another post-infection domain revealed by malware analysis tools
ANGLER EK:
- 2015-05-05 18:38:34 UTC - citerasnonassistance.continuumconsultinggroup.com - GET /redefining-foiled-swallow-leers/747343778325171996
- 2015-05-05 18:38:36 UTC - citerasnonassistance.continuumconsultinggroup.com - GET /Y0EyOn-XLACecJ5rZ5RrwHApgrEziy8RfVl1ZSpzWeXPh3W_
- 2015-05-05 18:38:37 UTC - citerasnonassistance.continuumconsultinggroup.com - GET /5PP-aW2noAVvvUUH6xUe8ucK_bgfxGSgL6ubu2zN_mMo7YZQ
- 2015-05-05 18:38:39 UTC - citerasnonassistance.continuumconsultinggroup.com - GET /Lzh71F0GMFAG5SADzIy7tO8pnmMzt13hRm5stI9APYPITUIC
POST-INFECTION TRAFFIC:
- 2015-05-05 18:40:44 UTC - uptodayscale.eu - POST /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52
- 2015-05-05 18:40:54 UTC - uptodayscale.eu - POST /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52
- 2015-05-05 18:41:05 UTC - uptodayscale.eu - POST /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52
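Added example, not part of the original page: the three POSTs above repeat the same URI and the same bot identifier (the u= parameter) roughly ten seconds apart, which is the periodic check-in pattern a defender can hunt for in proxy or Zeek-style HTTP logs. The script parses the request lines exactly as listed on this page, groups requests by host, method, path and query, and flags a group as a beacon when it recurs at a near-constant interval. The thresholds min_hits and max_jitter are assumed values chosen for this sample; tune them for real log volumes.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Request lines copied from this page: four Angler EK GETs, three post-infection POSTs.
TRAFFIC = """
2015-05-05 18:38:34 UTC - citerasnonassistance.continuumconsultinggroup.com - GET /redefining-foiled-swallow-leers/747343778325171996
2015-05-05 18:38:36 UTC - citerasnonassistance.continuumconsultinggroup.com - GET /Y0EyOn-XLACecJ5rZ5RrwHApgrEziy8RfVl1ZSpzWeXPh3W_
2015-05-05 18:38:37 UTC - citerasnonassistance.continuumconsultinggroup.com - GET /5PP-aW2noAVvvUUH6xUe8ucK_bgfxGSgL6ubu2zN_mMo7YZQ
2015-05-05 18:38:39 UTC - citerasnonassistance.continuumconsultinggroup.com - GET /Lzh71F0GMFAG5SADzIy7tO8pnmMzt13hRm5stI9APYPITUIC
2015-05-05 18:40:44 UTC - uptodayscale.eu - POST /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52
2015-05-05 18:40:54 UTC - uptodayscale.eu - POST /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52
2015-05-05 18:41:05 UTC - uptodayscale.eu - POST /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52
"""

# Matches the page's "YYYY-MM-DD HH:MM:SS UTC - host - METHOD /target" layout.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - (\S+) - (GET|POST) (\S+)$"
)


def parse_traffic(text):
    """Turn the listed request lines into dicts with a parsed timestamp and query."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a request line
        ts, host, method, target = m.groups()
        parts = urlsplit(target)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "method": method,
            "path": parts.path,
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        })
    return events


def find_beacons(events, min_hits=3, max_jitter=3):
    """Flag (host, method, path, query) groups that recur at a near-constant interval.

    min_hits and max_jitter (seconds) are assumed thresholds for this sample.
    A group whose gaps differ by no more than max_jitter is reported as a beacon.
    """
    groups = defaultdict(list)
    for e in events:
        key = (e["host"], e["method"], e["path"], tuple(sorted(e["query"].items())))
        groups[key].append(e["time"])

    beacons = []
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            beacons.append({
                "host": key[0],
                "method": key[1],
                "path": key[2],
                "hits": len(times),
                "interval_s": round(sum(gaps) / len(gaps), 1),
                "bot_id": dict(key[3]).get("u"),  # the u= parameter carried on every POST
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_traffic(TRAFFIC)):
        print(f"beacon: {b['method']} {b['host']}{b['path']} "
              f"x{b['hits']} every ~{b['interval_s']}s, id={b['bot_id']}")
```

The four Angler EK GETs each have a unique path, so they fall into separate single-hit groups and are not flagged; only the uptodayscale.eu POSTs come out as a beacon. Keying on the full query means a bot that rotates a counter in the URL would escape this check, so in practice you would drop volatile parameters from the key and keep only the stable identifier.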
ADDITIONAL INFO FROM MALWARE ANALYSIS TOOLS:
- 2015-05-05 at approx 19:05 UTC - DNS query for mastertodayversion.eu - resolved to 46.151.52.114
- Subsequent TCP connection attempts to 46.151.52.114 returned ICMP message Destination unreachable (Host unreachable)
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2015-05-05-Angler-EK-flash-exploit.swf
File size: 53.9 KB ( 55227 bytes )
MD5 hash: 56c207b084da0e3695eb16c89f503b84
Detection ratio: 2 / 57
First submission: 2015-05-05 16:52:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/28ea2b8a43ecc137ada871db73afd2c48ddc903eef158bc09ec477900bf27abd/analysis/
MALWARE PAYLOAD:
File name: 2015-05-05-Angler-EK-malware-payload.exe
File size: 64.0 KB ( 65536 bytes )
MD5 hash: 3d496f0793cfcb63afe20e02426fc465
Detection ratio: 3 / 57
First submission: 2015-05-05 19:02:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/17b695e9fd2f2d5ce31041aea77ab9c8bf094a3b78d3430e28b93fe5863dd5c8/analysis/
Malwr link: https://malwr.com/analysis/NWNmNjdiOTdiZDFiNGY3ODg4ZGVjM2E1YWJlMGJjMWU/
Hybrid Analysis link: https://www.hybrid-analysis.com/sample/17b695e9fd2f2d5ce31041aea77ab9c8bf094a3b78d3430e28b93fe5863dd5c8?environmentId=1
FINAL NOTES
Once again, here are the associated files:
- PCAPs of the traffic: 2015-05-05-Angler-EK-pcaps.zip
- ZIP file of the malware: 2015-05-05-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.