2014-09-26 - 32X32 GATE TO ANGLER EK ON 162.248.243.78 - QWE.TRIBUTARYKAMARUPAN.US

ASSOCIATED FILES:

• ZIP of the pcap:  2014-09-26-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2014-09-26-Angler-EK-malware.zip

 

NOTES:

• It's been a while since I've seen the fake pop-up notices that generate a 32x32 gate leading to Angler EK.  The last one I documented was on 2014-06-20.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• Comrpomised website [information omitted]
• 50.28.90.135 - www.zufeltaffiliatecenter.com - Redirect (32x32 gate)
• 162.248.243.78 - qwe.tributarykamarupan.us - Angler EK
• various IP addresses - various domains - Post-infection traffic (see below)

 

32X32 GATE & ANGLER EK:

• 14:19:28 UTC - 50.28.90.135:80 - www.zufeltaffiliatecenter.com - POST /0228e197968ac41f4774242a6ee2ee4a.php?q=1609b934bf402e7b15ed41914a8e6f79
• 14:19:40 UTC - 162.248.243.78:80 - qwe.tributarykamarupan.us - GET /e8evh73tam
• 14:19:45 UTC - 162.248.243.78:80 - qwe.tributarykamarupan.us - GET /QLvr-FaKfRFQ1NDRtADo_alL-LqmHnwb_k0uCwZwJmn6EVbnbBHaeA9sZxxFSMku
• 14:19:52 UTC - 162.248.243.78:80 - qwe.tributarykamarupan.us - GET /zmkSf3atQUMhmKnWVDz7FMp9V2Poln29_i4Qivp6ogRIEdH4wb_-owsx8x74L028
• 14:19:56 UTC - 162.248.243.78:80 - qwe.tributarykamarupan.us - GET /u60we_P7vn4V0KLJUfsuyayIHVkAVXPz0Lb8wpU5jPWMYwjheCw0UuYllsLDpz5e

 

POST-INFECTION CALLBACK TRAFFIC:

• 14:19:52 UTC - 192.168.204.141:49433 - 208.113.226.171:80 - www.earthtools.org - POST /timezone/0/0
• 14:19:53 UTC - 192.168.204.141:49435 - 172.233.177.31:80 - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 14:19:54 UTC - 192.168.204.141:59728 - 192.168.204.2:53 - DNS query for: kwmhhaagklqszwz.com
• 14:19:54 UTC - 192.168.204.141:52616 - 192.168.204.2:53 - DNS query for: pkzaafdeizhy.com
• 14:19:54 UTC - 192.168.204.141:60882 - 192.168.204.2:53 - DNS query for: zaiikuhswmrcoiwj4.com
• 14:19:54 UTC - 192.168.204.141:57649 - 192.168.204.2:53 - DNS query for: gbazfyxaumpovbr.com
• 14:19:55 UTC - 192.168.204.141:49387 - 192.168.204.2:53 - DNS query for: wennpeotnjcs2.com
• 14:19:55 UTC - 192.168.204.141:53761 - 192.168.204.2:53 - DNS query for: zapjqdvxofcdhog6.com
• 14:19:56 UTC - 192.168.204.141:49232 - 192.168.204.2:53 - DNS query for: brcawlfcefxvot1.com
• 14:19:56 UTC - 192.168.204.141:50593 - 192.168.204.2:53 - DNS query for: ptnzyauxicjl.com
• 14:19:56 UTC - 192.168.204.141:58751 - 192.168.204.2:53 - DNS query for: jfqswmhlaqvhtz.com
• 14:19:56 UTC - 192.168.204.141:65103 - 192.168.204.2:53 - DNS query for: vbgvaaqmokmdno.com
• 14:19:57 UTC - 192.168.204.141:60220 - 192.168.204.2:53 - DNS query for: kxpvptnqnuhxxzjh.com
• 14:19:57 UTC - 192.168.204.141:63231 - 192.168.204.2:53 - DNS query for: obioxokqsmlt7.com
• 14:19:57 UTC - 192.168.204.141:51255 - 192.168.204.2:53 - DNS query for: qsnxeypwkqyww4.com
• 14:19:58 UTC - 192.168.204.141:55808 - 192.168.204.2:53 - DNS query for: nclyvqjzsmjzcgesfs.com
• 14:19:58 UTC - 192.168.204.141:63643 - 192.168.204.2:53 - DNS query for: fcqrjunbaczgnjozp.com
• 14:19:58 UTC - 192.168.204.141:65212 - 192.168.204.2:53 - DNS query for: sgggvajcizq7.com
• 14:19:58 UTC - 192.168.204.141:64604 - 192.168.204.2:53 - DNS query for: asicwtviznbuq6q.com
• 14:19:58 UTC - 192.168.204.141:49421 - 192.168.204.2:53 - DNS query for: qbhioecbkgodyw.com
• 14:19:59 UTC - 192.168.204.141:49436 - 188.165.202.162:443 - HTTPS traffic to: pvwumhepqpm18.com   [after successful DNS query]

• 14:20:21 UTC - 192.168.204.141:49438 - 91.230.60.48:80 - overclockguides.su - POST /.FxnMm/.L/.p3hn3P97Hm74/.7V/ping.php
• 14:20:22 UTC - 192.168.204.141:49439 - 91.230.60.48:80 - overclockguides.su - POST /.FxnMm/.L/.p3hn3P97Hm74/.7V/ping.php
• 14:20:23 UTC - 192.168.204.141:49438 - 91.230.60.48:80 - overclockguides.su - POST /.FxnMm/.L/.p3hn3P97Hm74/.7V/ping.php
• 14:20:50 UTC - 192.168.204.141:49440 - 91.230.60.48:80 - overclockguides.su - POST /.FxnMm/.L/.p3hn3P97Hm74/.7V/log.php
• 14:20:51 UTC - 192.168.204.141:49441 - 173.194.112.177:80 - www.google.com - GET /webhp
• 14:20:52 UTC - 192.168.204.141:49442 - 173.194.112.191:80 - www.google.co.uk - GET /webhp?gfe_rd=cr&ei=Q3YlVLbTGcqH8QeZ-4HQBg
• 14:20:55 UTC - 192.168.204.141:49440 - 91.230.60.48:80 - overclockguides.su - POST /.FxnMm/.L/.p3hn3P97Hm74/.7V/log.php
• 14:23:52 UTC - 192.168.204.141:49444 - 91.230.60.48:80 - overclockguides.su - POST /.FxnMm/.L/.p3hn3P97Hm74/.7V/log.php
• 14:23:53 UTC - 192.168.204.141:49444 - 91.230.60.48:80 - overclockguides.su - POST /.FxnMm/.L/.p3hn3P97Hm74/.7V/log.php
• 14:23:53 UTC - 192.168.204.141:49444 - 91.230.60.48:80 - overclockguides.su - POST /.FxnMm/.L/.p3hn3P97Hm74/.7V/log.php
• 14:23:54 UTC - 192.168.204.141:49444 - 91.230.60.48:80 - overclockguides.su - POST /.FxnMm/.L/.p3hn3P97Hm74/.7V/log.php

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-26-Angler-EK-flash-exploit.swf
File size:  75.3 KB ( 77062 bytes )
MD5 hash:  3bb7e6d79427d1292bbea878dfcd374d
Detection ratio:  1 / 55
First submission:  2014-09-25 07:53:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7dd2e7c9ea04c0dfd7630ce063fb1efea55f97b7e5779f22ad165e777b4b3a99/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-26-Angler-EK-malware-payload.dll
File size:  169.0 KB ( 173008 bytes )
MD5 hash:  fdc0b0a00d538baa62e715720f87ca61
Detection ratio:  18 / 49
First submission:  2014-09-26 16:05:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cc89927c34ce6f2e239809b609f8d4d2eec07a455731919ea94709a8aa0467ca/analysis/

 

DROPPED MALWARE:

File name:  qaty.exe
File size:  284.5 KB ( 291328 bytes )
MD5 hash:  92235be8cb3816e15ea608a492ae1fb7
Detection ratio:  3 / 55
First submission:  2014-09-26 16:06:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5d9890fa2f01cfd5872ff0598dd90dc4b0dae36ef4ce1de9665387bc3a50e6fb/analysis/

NOTE: The same binary was also stored as a hidden file at:
C:\ProgramData\Windows Genuine Advantage\{34320C46-8F7C-44A3-97EB-553B2E4E3FF4}\msiexec.exe

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-09-26 14:19:28 UTC - 192.168.204.141:49430 - 50.28.90.135:80 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
• 2014-09-26 14:19:42 UTC - 162.248.243.78:80 - 192.168.204.141:49431 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
• 2014-09-26 14:19:48 UTC - 162.248.243.78:80 - 192.168.204.141:49432 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
• 2014-09-26 14:20:21 UTC - 192.168.204.141:49438 - 91.230.60.48:80 - ET TROJAN Zbot POST Request to C2 (sid:2019141)
• 2014-09-26 14:20:21 UTC - 192.168.204.141:49438 - 91.230.60.48:80 - ET TROJAN Zeus POST Request to CnC - URL agnostic (sid:2013976)
• 2014-09-26 14:20:22 UTC - 91.230.60.48:80 - 192.168.204.141:49438 - ET TROJAN Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment (sid:2016742)
• 2014-09-26 14:20:23 UTC - 192.168.204.141:49438 - 91.230.60.48:80 - ET TROJAN Generic - POST To .php w/Extended ASCII Characters (sid:2016858)
• 2014-09-26 14:20:51 UTC - 192.168.204.141:49441 - 173.194.112.177:80 - ET TROJAN Zeus Bot GET to Google checking Internet connectivity (sid:2013076)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (no including preprocessor events):

• 2014-09-26 14:19:28.913398 192.168.204.141:49430 - 50.28.90.135:80 - [1:30920:1] EXPLOIT-KIT Multiple exploit kit redirection gate
• 2014-09-26 14:19:48.384569 162.248.243.78:80 - 192.168.204.141:49432 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
• 2014-09-26 14:19:53.793336 162.248.243.78:80 - 192.168.204.141:49434 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
• 2014-09-26 14:20:20.409164 192.168.204.141:50715 - 192.168.204.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x2)
• 2014-09-26 14:20:21.985462 192.168.204.141:49438 - 91.230.60.48:80 - [1:25050:5] MALWARE-CNC Win.Trojan.Zeus variant outbound connection (x2)
• 2014-09-26 14:20:22.123061 192.168.204.141:49439 - 91.230.60.48:80 - [1:25050:5] MALWARE-CNC Win.Trojan.Zeus variant outbound connection

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious in page from compromised website:

 

Redirect pointing to Angler EK:

 

Angler EK delivers the obfuscated malware payload:

 

Deobfuscate the payload, and you'll find shellcode followed by the malicious binary:

 

Carve out the binary, and it appears the de-obfuscation worked:

 

An example of callback traffic from the infected VM:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-09-26-Angler-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-09-26-Angler-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.