2015-09-10 - ANGLER EK FROM 62.109.9.60
ASSOCIATED FILES:
- ZIP archive of the initial infection traffic: 2015-09-10-Angler-EK-traffic.pcap.zip
- ZIP archive of malware/artifacts: 2015-09-10-Angler-EK-malware-and-artifacts.zip
- ZIP archive of a PCAP from malwr.com's analysis of the malware payload: 2015-09-10-malwr.com-analysis-of-payload.pcap.zip
NOTES:
- Saw Angler EK in the pcap from a 2015-09-09 Threatglass entry at: http://threatglass.com/malicious_urls/healmybox-com
- I infected a host the next day on 2015-09-10 by viewing the same website from that Threatglass entry.
- Saw the same post-infection traffic both times.
- No ransomware noted like we've been seeing with Angler EK lately, so maybe there's a different actor behind this traffic.
- Apparently, the compromised website has a history of being compromised.
IMAGES FROM THE TRAFFIC
Shown above: Infection chain of events from the Threatglass pcap on 2015-09-09.
Shown above: Infection chain of events from my pcap on 2015-09-10.
Shown above: Security Onion events seen after using tcpreplay on my pcap from 2015-09-10.
Shown above: Some DNS queries for DGA domains seen on malwr.com's analysis of the 2015-09-10 malware.
ASSOCIATED DOMAINS
healmybox.com - compromised website
23.92.54.5 port 80 - 23.92.54.5 - Gate/redirect (to the EK landing page)
62.109.14.243 port 80 - min.aidecredit.ca - Angler EK from Threatglass pcap on 2015-09-09
62.109.9.60 port 80 - err.440ninthste.info - Angler EK from my pcap on 2015-09-10
151.248.117.40 port 443 - testetst.ru - Post-infection traffic
PRELIMINARY MALWARE ANALYSIS
File name: 2015-09-10-Angler-EK-malware-payload.exe
File size: 308.0 KB (315,392 bytes)
MD5 hash: 6be221f3b83caf84d4ff426f736a527f
SHA1 hash: b595a300b94c9c0b33ee4e23bba7ee50fc9a0a4c
SHA256 hash: 2c1a78ee76cb282ba03e9fd4739896ee497c6895c984c3b9bfddbb2ed4dcce6c
Detection ratio: 4 / 56
First submission: 2015-09-10 17:28:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/2c1a78ee76cb282ba03e9fd4739896ee497c6895c984c3b9bfddbb2ed4dcce6c/analysis/
Malwr link: https://malwr.com/analysis/OGQ1NjFkMDgzZmE1NDQzZmI5OGRiNTNiMTY2NDBhMWE/
Hybrid-analysis link: https://www.hybrid-analysis.com/sample/2c1a78ee76cb282ba03e9fd4739896ee497c6895c984c3b9bfddbb2ed4dcce6c?environmentId=4
File name: C:\Users\Username\AppData\Local\Temp\lkjkmogr.exe
File size: 618.0 KB (632,832 bytes)
MD5 hash: 70386f16d2fff1e26f2a68f99b2bf700
SHA1 hash: 0757626327772a2b6f26e433d82d092d393315b5
SHA256 hash: 58363118b31772195e77cf30814c571d8c3ff4751f6b77664ad0259aee4c61a1
Detection ratio: 33 / 56
First submission: 2015-09-10 21:29:28 UTC
VirusTotal link: https://www.virustotal.com/en/file/58363118b31772195e77cf30814c571d8c3ff4751f6b77664ad0259aee4c61a1/analysis/
Malwr link: https://malwr.com/analysis/Y2M2NmNjODY3YTgxNDNjMmEzNDQ1ZjNjMDRmODY5OTY/
Hybrid-analysis link: https://www.hybrid-analysis.com/sample/58363118b31772195e77cf30814c571d8c3ff4751f6b77664ad0259aee4c61a1?environmentId=4
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the initial infection traffic: 2015-09-10-Angler-EK-traffic.pcap.zip
- ZIP archive of malware/artifacts: 2015-09-10-Angler-EK-malware-and-artifacts.zip
- ZIP archive of a PCAP from malwr.com's analysis of the malware payload: 2015-09-10-malwr.com-analysis-of-payload.pcap.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.