2015-01-30 - ANGLER EK FROM 178.32.131[.]248 - 6JD5C9.CKK.CREACIONESLITERARIAS-KIRK[.]COM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 178.32.131[.]248 - 6jd5c9.ckk.creacionesliterarias-kirk[.]com - Angler EK
ANGLER EK:
- 2015-01-30 17:14:02 UTC - 6jd5c9.ckk.creacionesliterarias-kirk[.]com - GET /awbveczgfe
- 2015-01-30 17:14:04 UTC - 6jd5c9.ckk.creacionesliterarias-kirk[.]com - GET /V0tvbfLrxecFkWz53lrSU46AK3JR_KcPelPkUqvi5esGwoX4Jp42TRoGKHKZWIMu
- 2015-01-30 17:14:05 UTC - 6jd5c9.ckk.creacionesliterarias-kirk[.]com - GET /ZJxYON2cJHpi4w5NkP58X01ORp_DNnODm3OnBBUDeE2282lTkElOmlqxSgOZhyhW
ALERTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):
- 178.32.131[.]248 port 80 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
- 178.32.131[.]248 port 80 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
- 178.32.131[.]248 port 80 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (6) (sid:2020071)
Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:
- 178.32.131[.]248 port 80 - [1:32390:1] EXPLOIT-KIT Angler exploit kit landing page detected
- 178.32.131[.]248 port 80 - [1:28612:2] EXPLOIT-KIT Multiple exploit kit Silverlight exploit download
- 178.32.131[.]248 port 80 - [1:17276:15] FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT:
File name: 2015-01-30-Angler-EK-silverlight-exploit.xap
File size: 46,525 bytes
MD5 hash: 8581593f5a5bccd27540eec5747c7259
Detection ratio: 0 / 57
First submission to VirusTotal: 2015-01-30 19:58:52 UTC
MALWARE PAYLOAD:
File name: 2015-01-30-Angler-EK-malware-payload.exe
File size: 442,372 bytes
MD5 hash: 8cbe696ba8747078189104ada18c9eb3
Detection ratio: 10 / 56
First submission to VirusTotal: 2015-01-30 20:10:10 UTC