2015-06-08 - ANGLER EK - MORE CHANGES IN TRAFFIC PATTERNS
PCAP AND MALWARE:
- ZIP of the traffic: 2015-06-08-Angler-EK-sends-Vawtrak.pcap.zip
- ZIP file of the malware: 2015-06-08-Angler-EK-malware.zip
NOTES:
- Been seeing a lot of cases where Angler EK is sending CryptoWall 3.0 as the payload, even today.
- This one sent Vawtrak, though.
- URL patterns for Angler changed when I checked this morning.
- I forgot to get a copy of the Flash banner redirect that led to Angler (can't extract it from the pcap, because some data is missing).
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 194.15.126.7 port 80 - joans.ga - Flash banner ad leading to Angler EK
- 131.72.136.114 port 80 - fit.everylittlething.xyz - Angler EK
- 91.121.54.20 port 80 - transfercom.net - Vawtrak callback traffic
FLASH AD REDIRECT:
- 2015-06-08 13:33:09 UTC - joans.ga - GET /banner.php?sid=425AB2B199B62D037FB459B962D07E2D17AE45F4F4EF707357
- 2015-06-08 13:33:12 UTC - joans.ga - GET /blog.php?id=425AB2B199B62D037FB459B962D07E2D17AE45F4F4EF707357
ANGLER EK:
- 2015-06-08 13:33:13 UTC - fit.everylittlething.xyz - GET /marginalisation-gunboat-locales-bristle/11101444414174830
- 2015-06-08 13:33:15 UTC - fit.everylittlething.xyz - GET /0fPTVpcOtNMOnt3aluOCuN-QmBW8PDBMwJGbKE4pNhDM_Gxl.pycharm?ten=VIMnR
- 2015-06-08 13:33:18 UTC - fit.everylittlething.xyz - GET /sbQAMHvfwBzZpKfMIrXCwZ4b1CmuBmen3WH-c-76hG51d3Rn.cppbin?four=FQVZC&seven=W47VAT5tRs&nine=28122299&one=XCjvfp&ten=279573
POST-INFECTION TRAFFIC:
- 2015-06-08 13:38:56 UTC - transfercom.net - POST /collection/00000050/00/8EBFD947
- 2015-06-08 13:38:57 UTC - transfercom.net - POST /collection/00000050/02/8EBFD947
- 2015-06-08 13:39:14 UTC - transfercom.net - POST /collection/00000050/02/8EBFD947
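The stage-by-stage URI structure above (redirector, Angler landing page, exploit, payload, Vawtrak check-in) is what the Snort rules in the next section key on. As an added example that is not part of the original write-up, the script below parses a constructed HTTP log built from the same requests (one benign line added), tags each request with a stage using regexes I wrote from the URIs in this capture, and checks whether the full chain appears in order inside a time window. The log format, the stage names and the regexes are my own assumptions; they are heuristics for triage, not the ET/ETPRO signatures.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sample log ("YYYY-MM-DD HH:MM:SS host METHOD uri") mirroring the chain of
# events in this write-up, plus one benign request so the filter has something to ignore.
SAMPLE_LOG = """\
2015-06-08 13:33:09 joans.ga GET /banner.php?sid=425AB2B199B62D037FB459B962D07E2D17AE45F4F4EF707357
2015-06-08 13:33:12 joans.ga GET /blog.php?id=425AB2B199B62D037FB459B962D07E2D17AE45F4F4EF707357
2015-06-08 13:33:13 fit.everylittlething.xyz GET /marginalisation-gunboat-locales-bristle/11101444414174830
2015-06-08 13:33:15 fit.everylittlething.xyz GET /0fPTVpcOtNMOnt3aluOCuN-QmBW8PDBMwJGbKE4pNhDM_Gxl.pycharm?ten=VIMnR
2015-06-08 13:33:18 fit.everylittlething.xyz GET /sbQAMHvfwBzZpKfMIrXCwZ4b1CmuBmen3WH-c-76hG51d3Rn.cppbin?four=FQVZC&seven=W47VAT5tRs&nine=28122299&one=XCjvfp&ten=279573
2015-06-08 13:35:00 www.example.com GET /news/2015/06/08/story
2015-06-08 13:38:56 transfercom.net POST /collection/00000050/00/8EBFD947
2015-06-08 13:38:57 transfercom.net POST /collection/00000050/02/8EBFD947
"""

# Angler's query-string keys in this capture are spelled-out numbers.
NUM = r"(?:one|two|three|four|five|six|seven|eight|nine|ten)"

# Stage heuristics derived from the URIs in this capture (assumption: other Angler
# campaigns used different structures). These are NOT the ET/ETPRO rules.
STAGE_PATTERNS = [
    ("redirect",   "GET",  re.compile(r"^/(?:banner|blog)\.php\?(?:sid|id)=[0-9A-F]{40,}$")),
    ("ek_landing", "GET",  re.compile(r"^/[a-z]+(?:-[a-z]+){2,}/\d{10,}$")),
    ("ek_exploit", "GET",  re.compile(r"^/[\w-]{40,}\.[a-z]+\?" + NUM + r"=[A-Za-z0-9]+$")),
    ("ek_payload", "GET",  re.compile(r"^/[\w-]{40,}\.[a-z]+\?(?:" + NUM + r"=[A-Za-z0-9]+&){2,}"
                                      + NUM + r"=[A-Za-z0-9]+$")),
    ("vawtrak_c2", "POST", re.compile(r"^/collection/[0-9A-F]{8}/[0-9A-F]{2}/[0-9A-F]{8}$")),
]

# Order the stages are expected in for a successful infection.
EXPECTED_ORDER = ["redirect", "ek_landing", "ek_exploit", "ek_payload", "vawtrak_c2"]


class Request(NamedTuple):
    ts: datetime
    host: str
    method: str
    uri: str


def parse_log(text: str) -> list:
    """Parse the constructed log format; blank lines are skipped."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, host, method, uri = line.split(maxsplit=4)
        ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
        reqs.append(Request(ts, host, method, uri))
    return reqs


def classify(req: Request) -> Optional[str]:
    """Return the first stage whose method and URI pattern match, else None."""
    for stage, method, pat in STAGE_PATTERNS:
        if req.method == method and pat.match(req.uri):
            return stage
    return None


def stage_sequence(reqs, window=timedelta(minutes=15)):
    """Ordered (stage, host) pairs for tagged requests within `window` of the first hit."""
    ordered = sorted(reqs, key=lambda r: r.ts)
    hits = [(r, classify(r)) for r in ordered]
    hits = [(r, s) for r, s in hits if s is not None]
    if not hits:
        return []
    start = hits[0][0].ts
    return [(s, r.host) for r, s in hits if r.ts - start <= window]


def chain_is_complete(seq) -> bool:
    """True when every stage in EXPECTED_ORDER occurs, in that order (extra hits allowed)."""
    idx = 0
    for stage, _host in seq:
        if idx < len(EXPECTED_ORDER) and stage == EXPECTED_ORDER[idx]:
            idx += 1
    return idx == len(EXPECTED_ORDER)


if __name__ == "__main__":
    seq = stage_sequence(parse_log(SAMPLE_LOG))
    for stage, host in seq:
        print(f"{stage:<11} {host}")
    print("full chain observed:", chain_is_complete(seq))
```

Running it lists seven tagged requests (the benign www.example.com line is dropped) and reports the chain as complete. Checking the order of stages, not just the presence of one signature, is what separates "a user hit a redirector" from "the payload was delivered and called home".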
SNORT EVENTS
Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):
- 194.15.126.7 port 80 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 11 2015 Banner (sid:2020408)
- 194.15.126.7 port 80 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 11 2015 Blog (sid:2020409)
- 131.72.136.114 port 80 - ETPRO CURRENT_EVENTS Possible Angler EK Landing URI Struct June 05 2015 M2 (sid:2811274)
- 131.72.136.114 port 80 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (12) (sid:2020591)
- 131.72.136.114 port 80 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (13) (sid:2020592)
- 131.72.136.114 port 80 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (23) (sid:2021059)
- 131.72.136.114 port 80 - ET CURRENT_EVENTS Angler EK Payload URI Struct May 28 2015 M1 (sid:2021158)
- 131.72.136.114 port 80 - ET CURRENT_EVENTS Angler EK Exploit URI Struct May 28 2015 M1 (sid:2021157)
- 131.72.136.114 port 80 - ETPRO CURRENT_EVENTS Angler EK Flash Exploit M2 (sid:2811284)
- 91.121.54.20 port 80 - ETPRO TROJAN Vawtrak/NeverQuest Posting Data (sid:2809464)
- 91.121.54.20 port 80 - ET TROJAN Vawtrak/NeverQuest Server Response (sid:2019499)
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2015-06-08-Angler-EK-flash-exploit.swf
File size: 54.1 KB ( 55364 bytes )
MD5 hash: e1ee52baee1ac7fe876cf6581e669b6c
Detection ratio: 1 / 57
First submission: 2015-06-08 07:42:59 UTC
VirusTotal link: https://www.virustotal.com/en/file/822f6cefa9540916ec99027a2fefa4b358c8b504149fa7b5a760fe5d8e146d4f/analysis/
MALWARE PAYLOAD:
File name: 2015-06-08-Angler-EK-malware-payload.exe
File size: 362.4 KB ( 371060 bytes )
MD5 hash: d5cd69ad84cc4381275d93c400702f2f
Detection ratio: 1 / 57
First submission: 2015-06-08 14:03:22 UTC
VirusTotal link: https://www.virustotal.com/en/file/70519e4834f3a2b3a7128bbe8d2afd01f9839210c8cf78ab726f5a78fbeee4a7/analysis/
Malwr link: https://malwr.com/analysis/N2M1M2ZmNDRhNGVkNDhiMDhlNTg2ZmE2NjQwZWFmM2U/
VAWTRAK FOUND ON INFECTED HOST:
File name: C:\ProgramData\DajaXunuq\PupqUhgo.pmh
File size: 277.9 KB ( 284582 bytes )
MD5 hash: a0141ac093a4f2bb64e8da3829d4b8a8
Detection ratio: 3 / 57
First submission: 2015-06-08 14:03:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/01a7eddf67453285289a3916cadea7dc3fc60028662feae12d32c693a7f1236c/analysis/
Malwr link: https://malwr.com/analysis/OWY1YjY4NjMzNGY3NDlhY2JmODUyZDNkMjViMDI2ZWM/
Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: DajaXunuq
Type: REG_SZ
Data: regsvr32.exe "C:\ProgramData\DajaXunuq\PupqUhgo.pmh"
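The persistence entry above is a good hunting template: a Run value that launches regsvr32.exe against a file with a made-up extension in a random ProgramData folder. As an added example (my code, not from this write-up), the function below triages Run-key values offline from their string data, flagging regsvr32.exe loads of non-DLL/OCX files and modules living in user-writable locations. The two benign entries are constructed for contrast; feeding it live values from HKCU\...\Run on a host is left to the reader.

```python
import ntpath
import re
from typing import List, NamedTuple


class RunEntry(NamedTuple):
    value_name: str
    data: str


# Constructed sample: the Vawtrak entry from this write-up plus two benign entries
# (the OneDrive and "Vendor" values are made up for contrast).
SAMPLE_RUN_ENTRIES = [
    RunEntry("DajaXunuq", r'regsvr32.exe "C:\ProgramData\DajaXunuq\PupqUhgo.pmh"'),
    RunEntry("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry("Vendor", r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),
]

COM_LOADER = "regsvr32.exe"          # loads a DLL and calls DllRegisterServer
EXPECTED_EXT = {".dll", ".ocx"}      # what regsvr32 is normally handed
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "c:\\users\\public\\")


def split_command(data: str):
    """Split a Run value into (program basename, args), honoring double quotes."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', data)
    parts = [quoted or bare for quoted, bare in tokens]
    if not parts:
        return "", []
    return ntpath.basename(parts[0]).lower(), parts[1:]


def triage_run_entry(entry: RunEntry) -> List[str]:
    """Return reasons to look closer; an empty list means nothing stood out."""
    prog, args = split_command(entry.data)
    reasons = []
    if prog != COM_LOADER:
        return reasons
    for arg in args:
        if "\\" not in arg:          # skip switches such as /s or /i
            continue
        ext = ntpath.splitext(arg)[1].lower()
        if ext not in EXPECTED_EXT:
            reasons.append(f"{prog} loading file with unexpected extension {ext!r}")
        if any(marker in arg.lower() for marker in USER_WRITABLE):
            reasons.append(f"module in user-writable location: {arg}")
    return reasons


if __name__ == "__main__":
    for entry in SAMPLE_RUN_ENTRIES:
        findings = triage_run_entry(entry)
        status = "REVIEW" if findings else "ok"
        print(f"{status:<6} {entry.value_name}: {entry.data}")
        for reason in findings:
            print(f"         - {reason}")
```

The Vawtrak entry trips both checks (a .pmh "module" under C:\ProgramData), while the vendor DLL under Program Files and the plain executable pass. Extension and location are cheap signals; pair them with the file hash from the VirusTotal entry above before acting on a hit.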
FINAL NOTES
Once again, here are the associated files:
- ZIP of the traffic: 2015-06-08-Angler-EK-sends-Vawtrak.pcap.zip
- ZIP file of the malware: 2015-06-08-Angler-EK-malware.zip
The ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.