2014-05-25 - ANGLER EK FROM 192.99.41.165 - DENOTING.CENTRIXSF.COM
PCAP AND MALWARE:
- ZIP of the PCAPs: 2014-05-25-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2014-05-25-Angler-EK-malware.zip
NOTES:
- One of the follow-up pieces of malware was CryptoWall ransomware.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 85.10.236.96 - www.oberzaknieja.eu - Compromised website
- 91.208.99.12 - lifephotoblogs.com - First redirect
- 141.101.116.187 - b6e0f620.eu - Second redirect
- 192.99.41.165 - denoting.centrixsf.com - Angler EK
- various IP addresses - various domains - post-infection callback (see below)
ITEMS FROM COMPROMISED WEBSITE WITH MALICIOUS JAVASCRIPT:
- 07:26:41 UTC - 85.10.236.96 - www.oberzaknieja.eu - GET /
- 07:26:41 UTC - 85.10.236.96 - www.oberzaknieja.eu - GET /js/jquery.min.js
- 07:26:43 UTC - 85.10.236.96 - www.oberzaknieja.eu - GET /js/pirobox.js
- 07:26:43 UTC - 85.10.236.96 - www.oberzaknieja.eu - GET /js/pirobox.js
REDIRECTS FROM THE MALICIOUS JAVASCRIPT:
- 07:26:42 UTC - 91.208.99.12 - lifephotoblogs.com - GET /wp-admin/clicker.php?id=13109856
- 07:26:43 UTC - 91.208.99.12 - lifephotoblogs.com - GET /wp-admin/clicker.php?id=13109857
- 07:26:44 UTC - 91.208.99.12 - lifephotoblogs.com - GET /wp-admin/clicker.php?id=13109855
- 07:26:45 UTC - 91.208.99.12 - lifephotoblogs.com - GET /wp-admin/clicker.php?id=13109854
- 07:26:45 UTC - 91.208.99.12 - lifephotoblogs.com - GET /wp-admin/clicker.php?id=13109853
SECOND REDIRECT POINTING TO ANGLER EK:
- 07:26:45 UTC - 141.101.116.187 - b6e0f620.eu - GET /script.html?0.8682609144695821
ANGLER EK:
- 07:26:45 UTC - 192.99.41.165 - denoting.centrixsf.com - GET /ejbmen617v.php
- 07:26:46 UTC - 192.99.41.165 - denoting.centrixsf.com - GET /i-POHJnNOIOAsJt4lXPeUiVYWlNA-mki_adsxffXvMI-5ai0EZTP3NPfZKBgoNhNnKxH7A==
- 07:26:48 UTC - 192.99.41.165 - denoting.centrixsf.com - GET /mcghxfPsUvzHSYljpBQheSslo1sqzJIkIeD0KKE7IC24B5cer0EG-dEngLP6AE0EuQIwAw==
- 07:27:02 UTC - 192.99.41.165 - denoting.centrixsf.com - GET /h3LwMEd4vhp4era1kVIHnRRlAKkD-FZEyRXEphc09uTGurhli21g9k6X7no_9Pps1k36Uw==
PAYLOAD FROM ANGLER EK GETS MORE MALWARE:
- 07:26:53 UTC - 141.101.116.204 - ourlittleponic.pw - POST /gate.php
- 07:26:54 UTC - 108.162.199.213 - freepicscenter.pw - GET /store/2.exe
- 07:26:56 UTC - 108.162.199.213 - freepicscenter.pw - GET /store/3.exe
POST-INFECTION TRAFFIC AFTER THE FOLLOW-UP MALWARE:
- 07:27:20 UTC - 84.244.43.2 - preluner-ter.com - GET /b/shoe/8190 [repeats several times]
- 07:27:28 UTC - 141.255.167.3 - nofbiatdominicana.com - POST /b8u7nac0fl0g9x
- 07:27:51 UTC - 141.255.167.3 - nofbiatdominicana.com - POST /2lb9319e9oyrx84
- 07:27:56 UTC - 95.215.45.172:443 - HTTPS to kpai7ycr7jxqkilp.torexplorer.com
- 07:28:17 UTC - 141.255.167.3 - nofbiatdominicana.com - POST /y9akmq0tdvfd3xa
- 07:28:38 UTC - 121.182.35.187 - tarbus-coteh.com - GET /com-phocaguestbook-php-q98.74/jquery/ [repeats]
- 07:31:33 UTC - 121.182.35.187 - tarbus-coteh.com - GET /com-phocaguestbook-php-q98.74/ajax/ [repeats]
- 07:32:10 UTC - 37.57.56.133 - tarbus-coteh.com - GET /com-phocaguestbook-php-q98.74/jquery/ [repeats]
- 07:32:21 UTC - 37.57.56.133 - tarbus-coteh.com - GET /com-phocaguestbook-php-q98.74/ajax/ [repeats]
- 07:33:15 UTC - 176.8.110.74 - tarbus-coteh.com - GET /com-phocaguestbook-php-q98.74/ajax/ [repeats]
- 07:33:20 UTC - 176.8.110.74 - tarbus-coteh.com - GET /com-phocaguestbook-php-q98.74/jquery/ [repeats]
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: 2014-05-25-Angler-EK-silverlight-exploit.xap
File size: 51.2 KB ( 52467 bytes )
MD5 hash: e2a6c17c6e5f8bf7b8caec89400f7645
Detection ratio: 0 / 53
First submission: 2014-05-16 14:54:01 UTC
VirusTotal link: https://www.virustotal.com/en/file/6ffc300642bb3d871940fddef6abd8bbe01f5b913fba7c7a4753786f7cf747a4/analysis/
MALWARE PAYLOAD
File name: 2014-05-25-Angler-EK-malware-payload.exe
File size: 164.0 KB ( 167936 bytes )
MD5 hash: e3a6129a25a2a4c55a57c964575f4d6b
Detection ratio: 3 / 52
First submission: 2014-05-25 08:09:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/801f4ec08b036d4605a902580ab1454e2659d4f940a42a6474ecb5e10bea9b5b/analysis/
Malwr link: https://malwr.com/analysis/ZGE5YjI0NTllZmI5NDM5NGIyZTMzMzAxYmM4ZTBmMGU/
FIRST POST-INFECTION MALWARE FILE
File name: 2014-05-25-Angler-EK-post-infection-malware-01.exe
File size: 128.0 KB ( 131080 bytes )
MD5 hash: a043a43f4b993fd2b0eabb594175901b
Detection ratio: 4 / 52
First submission: 2014-05-25 08:10:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/e4b174c153b239831090faff7bd3b6343c2ca800490d538d81dcca0500eb5566/analysis/
Malwr link: https://malwr.com/submission/status/Y2I0MTZkNTJmNzAyNDgxY2I2MmQ4NTQyMTU5OGIxYWY/ [analysis still pending]
SECOND POST-INFECTION MALWARE FILE
File name: 2014-05-25-Angler-EK-post-infection-malware-02.exe
File size: 225.0 KB ( 230400 bytes )
MD5 hash: f612500ee9764e18ca78d2e78df5b017
Detection ratio: 3 / 53
First submission: 2014-05-25 01:41:23 UTC
VirusTotal link: https://www.virustotal.com/en/file/7351e53bd863795104d609f2192e3436d3a07fb597f0bab35d175df88a34c3e0/analysis/
Malwr link: https://malwr.com/analysis/MWRiZDJkMmI2MGQ4NGRiYWI5ZWJhOWJkZTE4YjU4ZDU/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
- 2014-05-25 07:26:46 UTC - 192.168.204.228:49702 - 192.99.41.165:80 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request - May 2014 (sid:2018497)
- 2014-05-25 07:26:49 UTC - 192.99.41.165:80 - 192.168.204.228:49702 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013 (sid:2017984)
- 2014-05-25 07:26:53 UTC - 192.168.204.228:62424 - 192.168.204.2:53 - ET INFO DNS Query to a *.pw domain - Likely Hostile (sid:2016778)
- 2014-05-25 07:26:53 UTC - 192.168.204.228:62424 - 192.168.204.2:53 - INDICATOR-COMPROMISE Suspicious .pw dns query (sid:28039)
- 2014-05-25 07:26:53 UTC - 192.168.204.228:49705 - 141.101.116.204:80 - MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (sid:27919)
- 2014-05-25 07:26:53 UTC - 192.168.204.228:49705 - 141.101.116.204:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
- 2014-05-25 07:26:53 UTC - 192.168.204.228:49705 - 141.101.116.204:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer (sid:2017930)
- 2014-05-25 07:26:53 UTC - 192.168.204.228:49705 - 141.101.116.204:80 - ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (sid:2016173)
- 2014-05-25 07:26:53 UTC - 192.168.204.228:49705 - 141.101.116.204:80 - ET INFO HTTP Request to a *.pw domain (sid:2016777)
- 2014-05-25 07:26:54 UTC - 192.168.204.228:49706 - 108.162.199.213:80 - MALWARE-CNC Win.Trojan.Zeus variant outbound connection (sid:27918)
- 2014-05-25 07:26:54 UTC - 192.168.204.228:49706 - 108.162.199.213:80 - ET TROJAN Possible Graftor EXE Download Common Header Order (sid:2018254)
- 2014-05-25 07:26:54 UTC - 108.162.199.213:80 - 192.168.204.228:49706 - ET POLICY PE EXE or DLL Windows file download (sid:2000419)
- 2014-05-25 07:26:57 UTC - 108.162.199.213:80 - 192.168.204.228:49707 - ET INFO Packed Executable Download (sid:2014819)
- 2014-05-25 07:27:00 UTC - 108.162.199.213:80 - 192.168.204.228:49707 - ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) (sid:2015744)
- 2014-05-25 07:27:28 UTC - 192.168.204.228:49714 - 141.255.167.3:80 - ET TROJAN CryptoWall Check-in (sid:2018452)
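The chain of events and the Snort events above are two views of the same infection. As an added triage example (this script is not part of the original post or the tools mentioned on it), the Python below parses request lines in the timeline format used above and alert lines in the Sguil-style format used above, joins each alert to the most recent request to the same remote IP, and lists which hosts in the chain produced no alert at all. The sample input is a constructed subset copied from this page's own listings; the five-second correlation window and the 192.168. prefix for the monitored client are assumptions.

```python
import re

# Constructed sample input: a subset of the request lines from the chain of events above.
HTTP_LINES = """\
07:26:41 UTC - 85.10.236.96 - www.oberzaknieja.eu - GET /
07:26:42 UTC - 91.208.99.12 - lifephotoblogs.com - GET /wp-admin/clicker.php?id=13109856
07:26:45 UTC - 141.101.116.187 - b6e0f620.eu - GET /script.html?0.8682609144695821
07:26:45 UTC - 192.99.41.165 - denoting.centrixsf.com - GET /ejbmen617v.php
07:26:46 UTC - 192.99.41.165 - denoting.centrixsf.com - GET /i-POHJnNOIOAsJt4lXPeUiVYWlNA-mki_adsxffXvMI-5ai0EZTP3NPfZKBgoNhNnKxH7A==
07:26:48 UTC - 192.99.41.165 - denoting.centrixsf.com - GET /mcghxfPsUvzHSYljpBQheSslo1sqzJIkIeD0KKE7IC24B5cer0EG-dEngLP6AE0EuQIwAw==
07:26:53 UTC - 141.101.116.204 - ourlittleponic.pw - POST /gate.php
07:26:54 UTC - 108.162.199.213 - freepicscenter.pw - GET /store/2.exe
07:26:56 UTC - 108.162.199.213 - freepicscenter.pw - GET /store/3.exe
07:27:28 UTC - 141.255.167.3 - nofbiatdominicana.com - POST /b8u7nac0fl0g9x
"""

# Constructed sample input: a subset of the Snort events listed above (Sguil format).
SNORT_LINES = """\
2014-05-25 07:26:46 UTC - 192.168.204.228:49702 - 192.99.41.165:80 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request - May 2014 (sid:2018497)
2014-05-25 07:26:49 UTC - 192.99.41.165:80 - 192.168.204.228:49702 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013 (sid:2017984)
2014-05-25 07:26:53 UTC - 192.168.204.228:49705 - 141.101.116.204:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
2014-05-25 07:26:54 UTC - 108.162.199.213:80 - 192.168.204.228:49706 - ET POLICY PE EXE or DLL Windows file download (sid:2000419)
2014-05-25 07:27:28 UTC - 192.168.204.228:49714 - 141.255.167.3:80 - ET TROJAN CryptoWall Check-in (sid:2018452)
"""

HTTP_RE = re.compile(r"^(\d\d:\d\d:\d\d) UTC - (\S+) - (\S+) - (GET|POST) (\S+)")
SNORT_RE = re.compile(
    r"^\d{4}-\d\d-\d\d (\d\d:\d\d:\d\d) UTC - (\S+):(\d+) - (\S+):(\d+) - (.*) \(sid:(\d+)\)$"
)


def to_seconds(hms):
    """Convert HH:MM:SS to seconds since midnight (all events here fall on one day)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_http(text):
    """Parse timeline request lines into dicts; lines that do not match are skipped."""
    reqs = []
    for line in text.splitlines():
        m = HTTP_RE.match(line.strip())
        if not m:
            continue
        t, ip, host, method, path = m.groups()
        reqs.append({"t": to_seconds(t), "ip": ip, "host": host, "method": method, "path": path})
    return reqs


def parse_snort(text, internal_prefix="192.168."):
    """Parse Sguil-style alert lines; the side that is not the monitored client is the remote host."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line.strip())
        if not m:
            continue
        t, src, _sport, dst, _dport, msg, sid = m.groups()
        outbound = src.startswith(internal_prefix)
        alerts.append({"t": to_seconds(t), "remote": dst if outbound else src,
                       "direction": "out" if outbound else "in", "msg": msg, "sid": int(sid)})
    return alerts


def correlate(reqs, alerts, window=5):
    """Attach to each alert the latest request to the same remote IP at or before the alert, within window seconds."""
    out = []
    for a in alerts:
        cands = [r for r in reqs if r["ip"] == a["remote"] and 0 <= a["t"] - r["t"] <= window]
        out.append({**a, "request": max(cands, key=lambda r: r["t"]) if cands else None})
    return out


def uncovered_hosts(reqs, alerts):
    """Hosts contacted in the chain that never appear in any alert: the detection gaps."""
    alerted = {a["remote"] for a in alerts}
    return sorted({(r["ip"], r["host"]) for r in reqs if r["ip"] not in alerted})


if __name__ == "__main__":
    reqs, alerts = parse_http(HTTP_LINES), parse_snort(SNORT_LINES)
    for a in correlate(reqs, alerts):
        r = a["request"]
        where = f'{r["method"]} {r["host"]}{r["path"][:30]}' if r else "no matching request"
        print(f'sid:{a["sid"]} {a["direction"]:>3} {a["remote"]:<16} {where}')
    for ip, host in uncovered_hosts(reqs, alerts):
        print(f"no alert fired for {host} ({ip})")
```

Run as-is, the output pairs the SilverLight payload request signature with the second denoting.centrixsf.com URL, the encrypted binary signature with the third, and the Pony, EXE download and CryptoWall signatures with gate.php, /store/2.exe and the nofbiatdominicana.com POST. The uncovered-host list shows that the compromised site and both redirectors produced no signature hits in this subset, which is the stage an analyst has to find by pivoting backwards from the first exploit kit alert.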
HIGHLIGHTS FROM THE TRAFFIC
Malicious javascript in the index page from the compromised website, pointing to the first redirect on lifephotoblogs.com:
The same script is also appended to any javascript retrieved from the web site. For example:
The first redirect has javascript that points to second redirect at b6e0f620.eu:
The second redirect has some base64 script that points to Angler EK at denoting.centrixsf.com:
Angler EK delivers Silverlight exploit:
EXE payload sent after successful Silverlight exploit:
Post-infection: CryptoWall in action on the infected VM:
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAPs: 2014-05-25-Angler-EK-traffic.pcap.zip
- ZIP of the malware: 2014-05-25-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.