2016-02-10 - EITEST ANGLER EK FROM 89.45.67.75

PCAP AND MALWARE:

• ZIP archive of the above two PCAPs:  2016-02-10-EITest-Angler-EK-traffic.zip  804.6 kB (804,552 bytes)
• ZIP archive of the malware and artifacts:  2016-02-10-EITest-Angler-EK-malware-and-artifacts.zip  383.1 kB (383,065 bytes)

 

NOTES:

• More Angler EK from the EITest campaign as identified by the Malwarebytes blog (more info here and here).
• Thanks to Paul for tipping me off about this activity.
• Post-infection traffic indicates the payload may be a Ursnif variant.

 

CHAIN OF EVENTS

DATE/TIME OF THE INFECTION:  2016-02-10 15:56 UTC

• www.sustainablebrands.com - Compromised website
• 85.93.0.32 port 80 - dofned.tk - EITest gate
• 89.45.67.75 port 80 - qn4rilf.yup2clv70.accountant - Angler EK

 

DATE/TIME OF MALWR.COM ANALYSIS:  2016-02-10 16:26 UTC

• nssdc.gsfc.nasa.gov - GET /planetary/text/nasa_pr_20001220.txt
• 178.159.122.149 port 80 - pastfplutoscientiststhe.com - GET /images/vP3910NJp/6XqY94o11SRDpn_2F2Uc/JNu0p7FFatXWXGtIZmz/
  oNm8QJNFTUjevy180VLFYZ/kdQh3UVhl6aEH/spgyOCfW/Cn0JgIzyMY16K6uvWxfu0_2/F0hns3ruZy/nPvUHPsXLIBEFRpJl/ZHIulUF3/RHNbx.gif

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2016-02-10-EITest-Angler-EK-flash-exploit.swf
File size:  63.7 KB (65,191 bytes)
MD5 hash:  5ec65f2f6ee971c458315d13d3729835
SHA1 hash:  fd641af682c4d991a1bfaee6d0051e881be609aa
SHA256 hash:  44f57274fe2c7d3dd2359549766f375da0d22a569b6e73421499063bddc1762f
Detection ratio:  1 / 54
First submission:  2016-02-10 16:27:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/44f57274fe2c7d3dd2359549766f375da0d22a569b6e73421499063bddc1762f/analysis/

 

MALWARE PAYLOAD:

File name:  2016-02-10-EITest-Angler-EK-malware-payload.exe
File size:  308.0 KB (315,392 bytes)
MD5 hash:  fd36d1e2be1f0079c7cb66288778ffa9
SHA1 hash:  292606f34e9a86fe44527bfcaa91c14a88676cba
SHA256 hash:  3cd08d9ad04c3b72dcbcb07259d94df479b7cba5b9d08350c5e3cfd5718a3f82
Detection ratio:  4 / 53
First submission:  2016-02-10 16:17:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3cd08d9ad04c3b72dcbcb07259d94df479b7cba5b9d08350c5e3cfd5718a3f82/analysis/
Malwr link:  https://malwr.com/analysis/YTBkNGZjYjU2MTc0NDcyOTljZGNhNWY4MDhkYjcyMmM/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/3cd08d9ad04c3b72dcbcb07259d94df479b7cba5b9d08350c5e3cfd5718a3f82?environmentId=4

 

IMAGES

Shown above:  Injected script in page from the compromised website.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

Shown above:  Pcap from malwr.com of traffic caused by the malware payload.

 

Shown above:  Alert triggered by the post-infection traffic from Sguil on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the above two PCAPs:  2016-02-10-EITest-Angler-EK-traffic.zip  804.6 kB (804,552 bytes)
• ZIP archive of the malware and artifacts:  2016-02-10-EITest-Angler-EK-malware-and-artifacts.zip  383.1 kB (383,065 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.