2014-10-06 - ROTATOR GENERATES ANGLER EK ON 5.135.230[.]183 7DWS8YZ0K2.SDIOUVB[.]COM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-10-06-Angler-EK-traffic.pcap.zip
• 2014-10-06-Angler-EK-malware.zip

 

NOTES:

• Shout out to @thesyntx, who notified me of two rotator URLs for Angler EK traffic.
• I couldn't generate an infection using the URL at arbuz35[.]eu, but I managed to infect a VM from the piealy[.]com rotator.



• As usual, all Angler EK infections I've seen lately are "fileless."
• For more info on these fileless infections, see:  https://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 66.85.190[.]227 - piealy[.]com - Angler EK rotator
• 5.135.230[.]183 - 7dws8yz0k2.sdiouvb[.]com - Angler EK
• Post-infection traffic (see below)

 

ROTATOR AND ANGLER EK:

• 19:53:34 UTC - 66.85.190[.]227:80 - piealy[.]com - GET /dist/video.php
• 19:53:34 UTC - 5.135.230[.]183:80 - 7dws8yz0k2.sdiouvb[.]com - GET /11lbed8ij7
• 19:53:39 UTC - 5.135.230[.]183:80 - 7dws8yz0k2.sdiouvb[.]com - GET /4MDo9ydNKQ0eG-HGf_23ZE9U2b-PLtvgMg1R8JIM7ccHUOTYUQaSzeMZXv6OLQPv
• 19:53:42 UTC - 5.135.230[.]183:80 - 7dws8yz0k2.sdiouvb[.]com - GET /saUN83VG9V8R4988xmj2cGKRK6MLtZEN_xQ0QBgLll1R6V6cNdIO5mejTgS8AJmZ

 

POST-INFECTION TRAFFIC:

• 19:53:42 UTC - www.earthtools[.]org - POST /timezone/0/0
• 19:53:42 UTC - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml

• 19:53:43 UTC - [intrernal server]:53 - DNS query for: cnggcrqicplruiki9[.]com
• 19:53:43 UTC - [intrernal server]:53 - DNS query for: eqpmlnqzadirebb97[.]com
• 19:53:43 UTC - [intrernal server]:53 - DNS query for: qykilulsnqgp[.]com
• 19:53:43 UTC - [intrernal server]:53 - DNS query for: pfohvgsdiry4b[.]com
• 19:53:43 UTC - [intrernal server]:53 - DNS query for: peelwrxokklnm3[.]com
• 19:53:43 UTC - [intrernal server]:53 - DNS query for: pkokklwtotfyyn70[.]com
• 19:53:43 UTC - [intrernal server]:53 - DNS query for: syrlplnxefighd[.]com
• 19:53:43 UTC - [intrernal server]:53 - DNS query for: crovoylaolerc[.]com
• 19:53:44 UTC - [intrernal server]:53 - DNS query for: dkducygdmscuseds[.]com
• 19:53:44 UTC - [intrernal server]:53 - DNS query for: wfyycttwlwgp3m[.]com
• 19:53:44 UTC - [intrernal server]:53 - DNS query for: rzmluerezlxyxj8e[.]com
• 19:53:44 UTC - [intrernal server]:53 - DNS query for: tocjvqvkkq4p[.]com
• 19:53:44 UTC - [intrernal server]:53 - DNS query for: zmhudpckkhdzcmhm23[.]com
• 19:53:45 UTC - [intrernal server]:53 - DNS response: zmhudpckkhdzcmhm23[.]com is at 188.165.240[.]108
• 19:53:45 UTC - 188.165.240[.]108:443 - Attempted TCP connection (RST by the server)
• 19:53:50 UTC - [intrernal server]:53 - DNS query for: qnteykwtavpanj[.]com
• 19:53:50 UTC - [intrernal server]:53 - DNS query for: zykdbxbobhldax[.]com
• 19:53:50 UTC - [intrernal server]:53 - DNS query for: jnlpccqtsfgheyc8[.]com
• 19:53:50 UTC - [intrernal server]:53 - DNS query for: qagrklwtsxq78[.]com
• 19:53:50 UTC - [intrernal server]:53 - DNS query for: xynwchkjgelf0y[.]com
• 19:53:51 UTC - [intrernal server]:53 - DNS query for: xrknffpztdpl6g[.]com
• 19:53:51 UTC - [intrernal server]:53 - DNS query for: zvrohnmtkxizjrftj[.]com
• 19:53:51 UTC - [intrernal server]:53 - DNS response: zvrohnmtkxizjrftj[.]com is at 188.165.240[.]108
• 19:53:51 UTC - 188.165.240[.]108:443 - Attempted TCP connection (RST by the server)
• 19:53:57 UTC - [intrernal server]:53 - DNS query for: gwciuyefnodwp[.]com
• 19:53:57 UTC - [intrernal server]:53 - DNS query for: vtmhsldtacooykt8q[.]com

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-10-06-Angler-EK-flash-exploit.swf
File size:  77,368 bytes
MD5 hash:  2e77d618382e1420313e9f06047e1e61
Detection ratio:  1 / 54
First submission:  2014-10-06 10:50:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cb19baf6a4b65534bfafdb72694967290d6d5f60bd0c4ddbd282f25b878b07d3/analysis/

 

MALWARE PAYLOAD

File name:  2014-10-06-Angler-EK-malware-payload.dll
File size:  1,173,008 bytes
MD5 hash:  f567643c24d8ca31741172135a47ec61
Detection ratio:  19 / 53
First submission:  2014-10-06 20:06:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e8465f9af2398605658f54bb3529de67f0c242245fb10979c5a0b1cb419b5b2d/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-10-06 19:53:35 UTC - 5.135.230[.]183:80 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
• 2014-10-06 19:53:39 UTC - 5.135.230[.]183:80 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not counting preprocessor events):

• 2014-10-06 19:53:35 UTC - 5.135.230[.]183:80 - [1:31898:1] EXPLOIT-KIT Angler exploit kit landing page detected
• 2014-10-06 19:53:39 UTC - 5.135.230[.]183:80 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
• 2014-10-06 19:53:42 UTC - 5.135.230[.]183:80 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download

 

HIGHLIGHTS FROM THE TRAFFIC

Rotator pointing to Angler EK:

 

Angler EK delivering malware payload.  The shellcode and malicious binary are sent together, XOR-ed with the ASCII string: adR2b4nh

 

Deobfuscate the payload, and you can see where the shellcode ends and the malicious binary begins:

 

Carve out the binary, and it appears the de-obfuscation worked:

 

Click here to return to the main page.