2014-05-25 - ANGLER EK FROM 192.99.41[.]165 - DENOTING.CENTRIXSF[.]COM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
NOTES:
- One of the follow-up pieces of malware was CryptoWall ransomware.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 85.10.236[.]96 - www.oberzaknieja[.]eu - Compromised website
- 91.208.99[.]12 - lifephotoblogs[.]com - First redirect
- 141.101.116[.]187 - b6e0f620[.]eu - Second redirect
- 192.99.41[.]165 - denoting.centrixsf[.]com - Angler EK
- various IP addresses - various domains - post-infection callback (see below)
ITEMS FROM COMPROMISED WEBSITE WITH MALICIOUS JAVASCRIPT:
- 07:26:41 UTC - 85.10.236[.]96 - www.oberzaknieja[.]eu - GET /
- 07:26:41 UTC - 85.10.236[.]96 - www.oberzaknieja[.]eu - GET /js/jquery.min.js
- 07:26:43 UTC - 85.10.236[.]96 - www.oberzaknieja[.]eu - GET /js/pirobox.js
- 07:26:43 UTC - 85.10.236[.]96 - www.oberzaknieja[.]eu - GET /js/pirobox.js
REDIRECTS FROM THE MALICIOUS JAVASCRIPT:
- 07:26:42 UTC - 91.208.99[.]12 - lifephotoblogs[.]com - GET /wp-admin/clicker.php?id=13109856
- 07:26:43 UTC - 91.208.99[.]12 - lifephotoblogs[.]com - GET /wp-admin/clicker.php?id=13109857
- 07:26:44 UTC - 91.208.99[.]12 - lifephotoblogs[.]com - GET /wp-admin/clicker.php?id=13109855
- 07:26:45 UTC - 91.208.99[.]12 - lifephotoblogs[.]com - GET /wp-admin/clicker.php?id=13109854
- 07:26:45 UTC - 91.208.99[.]12 - lifephotoblogs[.]com - GET /wp-admin/clicker.php?id=13109853
SECOND REDIRECT POINTING TO ANGLER EK:
- 07:26:45 UTC - 141.101.116[.]187 - b6e0f620[.]eu - GET /script.html?0.8682609144695821
ANGLER EK:
- 07:26:45 UTC - 192.99.41[.]165 - denoting.centrixsf[.]com - GET /ejbmen617v.php
- 07:26:46 UTC - 192.99.41[.]165 - denoting.centrixsf[.]com - GET /i-POHJnNOIOAsJt4lXPeUiVYWlNA-mki_adsxffXvMI-5ai0EZTP3NPfZKBgoNhNnKxH7A==
- 07:26:48 UTC - 192.99.41[.]165 - denoting.centrixsf[.]com - GET /mcghxfPsUvzHSYljpBQheSslo1sqzJIkIeD0KKE7IC24B5cer0EG-dEngLP6AE0EuQIwAw==
- 07:27:02 UTC - 192.99.41[.]165 - denoting.centrixsf[.]com - GET /h3LwMEd4vhp4era1kVIHnRRlAKkD-FZEyRXEphc09uTGurhli21g9k6X7no_9Pps1k36Uw==
PAYLOAD FROM ANGLER EK GETS MORE MALWARE:
- 07:26:53 UTC - 141.101.116[.]204 - ourlittleponic[.]pw - POST /gate.php
- 07:26:54 UTC - 108.162.199[.]213 - freepicscenter[.]pw - GET /store/2.exe
- 07:26:56 UTC - 108.162.199[.]213 - freepicscenter[.]pw - GET /store/3.exe
POST-INFECTION TRAFFIC AFTER THE FOLLOW-UP MALWARE:
- 07:27:20 UTC - 84.244.43[.]2 - preluner-ter[.]com - GET /b/shoe/8190 [repeats several times]
- 07:27:28 UTC - 141.255.167[.]3 - nofbiatdominicana[.]com - POST /b8u7nac0fl0g9x
- 07:27:51 UTC - 141.255.167[.]3 - nofbiatdominicana[.]com - POST /2lb9319e9oyrx84
- 07:27:56 UTC - 95.215.45[.]172:443 - HTTPS to kpai7ycr7jxqkilp.torexplorer[.]com
- 07:28:17 UTC - 141.255.167[.]3 - nofbiatdominicana[.]com - POST /y9akmq0tdvfd3xa
- 07:28:38 UTC - 121.182.35[.]187 - tarbus-coteh[.]com - GET /com-phocaguestbook-php-q98.74/jquery/ [repeats]
- 07:31:33 UTC - 121.182.35[.]187 - tarbus-coteh[.]com - GET /com-phocaguestbook-php-q98.74/ajax/ [repeats]
- 07:32:10 UTC - 37.57.56[.]133 - tarbus-coteh[.]com - GET /com-phocaguestbook-php-q98.74/jquery/ [repeats]
- 07:32:21 UTC - 37.57.56[.]133 - tarbus-coteh[.]com - GET /com-phocaguestbook-php-q98.74/ajax/ [repeats]
- 07:33:15 UTC - 176.8.110[.]74 - tarbus-coteh[.]com - GET /com-phocaguestbook-php-q98.74/ajax/ [repeats]
- 07:33:20 UTC - 176.8.110[.]74 - tarbus-coteh[.]com - GET /com-phocaguestbook-php-q98.74/jquery/ [repeats]
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: 2014-05-25-Angler-EK-silverlight-exploit.xap
File size: 52,467 bytes
MD5 hash: e2a6c17c6e5f8bf7b8caec89400f7645
Detection ratio: 0 / 53
First submission: 2014-05-16 14:54:01 UTC
VirusTotal link: https://www.virustotal.com/en/file/6ffc300642bb3d871940fddef6abd8bbe01f5b913fba7c7a4753786f7cf747a4/analysis/
MALWARE PAYLOAD
File name: 2014-05-25-Angler-EK-malware-payload.exe
File size: 167,936 bytes
MD5 hash: e3a6129a25a2a4c55a57c964575f4d6b
Detection ratio: 3 / 52
First submission: 2014-05-25 08:09:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/801f4ec08b036d4605a902580ab1454e2659d4f940a42a6474ecb5e10bea9b5b/analysis/
FIRST POST-INFECTION MALWARE FILE
File name: 2014-05-25-Angler-EK-post-infection-malware-01.exe
File size: 131,080 bytes
MD5 hash: a043a43f4b993fd2b0eabb594175901b
Detection ratio: 4 / 52
First submission: 2014-05-25 08:10:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/e4b174c153b239831090faff7bd3b6343c2ca800490d538d81dcca0500eb5566/analysis/
SECOND POST-INFECTION MALWARE FILE
File name: 2014-05-25-Angler-EK-post-infection-malware-02.exe
File size: 230,400 bytes
MD5 hash: f612500ee9764e18ca78d2e78df5b017
Detection ratio: 3 / 53
First submission: 2014-05-25 01:41:23 UTC
VirusTotal link: https://www.virustotal.com/en/file/7351e53bd863795104d609f2192e3436d3a07fb597f0bab35d175df88a34c3e0/analysis/
ALERTS
ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

- 2014-05-25 07:26:46 UTC - 192.99.41[.]165:80 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request - May 2014 (sid:2018497)
- 2014-05-25 07:26:49 UTC - 192.99.41[.]165:80 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013 (sid:2017984)
- 2014-05-25 07:26:53 UTC - [local host]:53 - ET INFO DNS Query to a *.pw domain - Likely Hostile (sid:2016778)
- 2014-05-25 07:26:53 UTC - [local host]:53 - INDICATOR-COMPROMISE Suspicious .pw dns query (sid:28039)
- 2014-05-25 07:26:53 UTC - 141.101.116[.]204:80 - MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (sid:27919)
- 2014-05-25 07:26:53 UTC - 141.101.116[.]204:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
- 2014-05-25 07:26:53 UTC - 141.101.116[.]204:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer (sid:2017930)
- 2014-05-25 07:26:53 UTC - 141.101.116[.]204:80 - ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (sid:2016173)
- 2014-05-25 07:26:53 UTC - 141.101.116[.]204:80 - ET INFO HTTP Request to a *.pw domain (sid:2016777)
- 2014-05-25 07:26:54 UTC - 108.162.199[.]213:80 - MALWARE-CNC Win.Trojan.Zeus variant outbound connection (sid:27918)
- 2014-05-25 07:26:54 UTC - 108.162.199[.]213:80 - ET TROJAN Possible Graftor EXE Download Common Header Order (sid:2018254)
- 2014-05-25 07:26:54 UTC - 108.162.199[.]213:80 - ET POLICY PE EXE or DLL Windows file download (sid:2000419)
- 2014-05-25 07:26:57 UTC - 108.162.199[.]213:80 - ET INFO Packed Executable Download (sid:2014819)
- 2014-05-25 07:27:00 UTC - 108.162.199[.]213:80 - ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) (sid:2015744)
- 2014-05-25 07:27:28 UTC - 141.255.167[.]3:80 - ET TROJAN CryptoWall Check-in (sid:2018452)
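As an added example (not part of the original write-up), a small Python correlator that reconstructs the chain above from the traffic lines and the Sguil alerts: it refangs the defanged indicators, joins each request to the alerts that fired for the same server within a few seconds, and reports which stages of the chain produced no alert at all. The sample lines are copied from this page; the role map and the five-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines, copied from the chain of events and the Sguil alerts above.
TRAFFIC = """\
07:26:41 UTC - 85.10.236[.]96 - www.oberzaknieja[.]eu - GET /
07:26:45 UTC - 141.101.116[.]187 - b6e0f620[.]eu - GET /script.html?0.8682609144695821
07:26:46 UTC - 192.99.41[.]165 - denoting.centrixsf[.]com - GET /i-POHJnNOIOAsJt4lXPeUiVYWlNA-mki_adsxffXvMI-5ai0EZTP3NPfZKBgoNhNnKxH7A==
07:26:54 UTC - 108.162.199[.]213 - freepicscenter[.]pw - GET /store/2.exe
07:27:28 UTC - 141.255.167[.]3 - nofbiatdominicana[.]com - POST /b8u7nac0fl0g9x
"""
ALERTS = """\
2014-05-25 07:26:46 UTC - 192.99.41[.]165:80 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request - May 2014 (sid:2018497)
2014-05-25 07:26:54 UTC - 108.162.199[.]213:80 - ET POLICY PE EXE or DLL Windows file download (sid:2000419)
2014-05-25 07:27:28 UTC - 141.255.167[.]3:80 - ET TROJAN CryptoWall Check-in (sid:2018452)
"""
# Server roles from the associated-domains list (assumed map); any other server is post-infection.
ROLES = {"85.10.236.96": "compromised site", "91.208.99.12": "first redirect",
         "141.101.116.187": "second redirect", "192.99.41.165": "Angler EK"}
TRAFFIC_RE = re.compile(r"^(\d\d:\d\d:\d\d) UTC - (\S+) - (\S+) - (GET|POST) (\S+)$")
ALERT_RE = re.compile(r"^(\S+ \d\d:\d\d:\d\d) UTC - (\S+):\d+ - (.+) \(sid:(\d+)\)$")

def refang(s):
    """Turn the defanged '[.]' notation back into a real dotted name or address."""
    return s.replace("[.]", ".")

def parse_traffic(text):
    rows = []
    for m in filter(None, map(TRAFFIC_RE.match, text.splitlines())):
        # Traffic lines carry only a time of day; the capture date comes from the page title.
        ts = datetime.strptime("2014-05-25 " + m[1], "%Y-%m-%d %H:%M:%S")
        rows.append({"time": ts, "ip": refang(m[2]), "host": refang(m[3]),
                     "request": f"{m[4]} {m[5]}"})
    return rows

def parse_alerts(text):
    return [{"time": datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), "ip": refang(m[2]),
             "msg": m[3], "sid": int(m[4])}
            for m in filter(None, map(ALERT_RE.match, text.splitlines()))]

def correlate(traffic, alerts, window=5):
    """Attach to each request the SIDs that fired for the same server within `window`
    seconds, so the chain reads stage by stage together with its detection coverage."""
    win = timedelta(seconds=window)
    return [(ROLES.get(r["ip"], "post-infection"), r["host"], r["request"],
             sorted(a["sid"] for a in alerts
                    if a["ip"] == r["ip"] and abs(a["time"] - r["time"]) <= win))
            for r in traffic]

def undetected_stages(rows):
    """Stages no signature fired on: here the compromised site and the redirect."""
    return sorted({stage for stage, _, _, sids in rows if not sids})
```

The gap it surfaces is the usual one for this kind of chain: the IDS only speaks up once the exploit kit and the post-infection callbacks appear, so the compromised site and the redirects have to be found by pivoting back through the proxy or pcap.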
HIGHLIGHTS FROM THE TRAFFIC
Malicious JavaScript in the index page of the compromised website, pointing to the first redirect on lifephotoblogs.com:
The same script is also appended to any JavaScript retrieved from the website. For example:
The first redirect contains JavaScript that points to the second redirect at b6e0f620.eu:
The second redirect contains a base64-encoded script that points to Angler EK at denoting.centrixsf[.]com:
Angler EK delivers the Silverlight exploit:
EXE payload sent after the successful Silverlight exploit:
Post-infection: CryptoWall in action on the infected VM: