2015-11-27 - ANGLER EK FROM 5.135.65.146 - LVX1WV.YNGLRV01.XYZ

ASSOCIATED FILES:

NOTES:

TRAFFIC

Shown above: Traffic from this blog entry's pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

PRELIMINARY MALWARE ANALYSIS

ANGLER EK FLASH EXPLOIT:

File name: 2015-11-27-Angler-EK-flash-exploit.swf
File size: 75.8 KB (77,647 bytes)
MD5 hash: 88a30d3ad1b1a2f1e0da92adc25f24c2
SHA1 hash: 183e22585024d540b292961cf09ddbd9447ea9d7
SHA256 hash: 420363b953c0e4e28306aa278c03fa6febcc7a76587d3cb4280af59573975ff8
Detection ratio: 1 / 55
First submission: 2015-11-27 22:43:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/420363b953c0e4e28306aa278c03fa6febcc7a76587d3cb4280af59573975ff8/analysis/

MALWARE RETRIEVED FROM THE INFECTED HOST:

File name: C:\Users\[username]\AppData\Local\mqkhorie\uwctyrru.exe
File size: 188.0 KB (192,512 bytes)
MD5 hash: 24dc349285fe3222630d9019e908f0d1
SHA1 hash: e3d3c2f7b367b01ef26fbbe5f62311954ce596b5
SHA256 hash: cb65bdba8b18cef2d4afe4835ba509f572b7ee2652da2af804038efa97c64f82
Detection ratio: 3 / 55
First submission: 2015-11-27 22:43:28 UTC
VirusTotal link: https://www.virustotal.com/en/file/cb65bdba8b18cef2d4afe4835ba509f572b7ee2652da2af804038efa97c64f82/analysis/
Malwr.com link: https://malwr.com/analysis/MmIyZGY0MmFiNjAzNDYzNDllOTVjOWJlYjUwOTI5MTk/
Pcap from Malwr.com analysis: ce44716b5a8061886a11fcda48157cf30b7da45c24aeebaa7be29a521efde5bd.pcap

IMAGES

Shown above: Malicious script in page from compromised website.

Shown above: Gate pointing to the Angler EK landing page.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.