2015-05-05 - ANGLER EK FROM 94.242.255[.]53
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 94.242.255[.]53 - citerasnonassistance.continuumconsultinggroup[.]com - Angler EK
- 146.185.221[.]157 - uptodayscale[.]eu - Post-infection traffic
- 46.151.52[.]114 - mastertodayversion[.]eu - Another post-infection domain revealed by malware analysis tools
ANGLER EK:
- 2015-05-05 18:38:34 UTC - citerasnonassistance.continuumconsultinggroup[.]com - GET /redefining-foiled-swallow-leers/747343778325171996
- 2015-05-05 18:38:36 UTC - citerasnonassistance.continuumconsultinggroup[.]com - GET /Y0EyOn-XLACecJ5rZ5RrwHApgrEziy8RfVl1ZSpzWeXPh3W_
- 2015-05-05 18:38:37 UTC - citerasnonassistance.continuumconsultinggroup[.]com - GET /5PP-aW2noAVvvUUH6xUe8ucK_bgfxGSgL6ubu2zN_mMo7YZQ
- 2015-05-05 18:38:39 UTC - citerasnonassistance.continuumconsultinggroup[.]com - GET /Lzh71F0GMFAG5SADzIy7tO8pnmMzt13hRm5stI9APYPITUIC
POST-INFECTION TRAFFIC:
- 2015-05-05 18:40:44 UTC - uptodayscale[.]eu - POST /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52
- 2015-05-05 18:40:54 UTC - uptodayscale[.]eu - POST /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52
- 2015-05-05 18:41:05 UTC - uptodayscale[.]eu - POST /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52
ADDITIONAL INFO FROM MALWARE ANALYSIS TOOLS:
- 2015-05-05 at approx 19:05 UTC - DNS query for mastertodayversion[.]eu - resolved to 46.151.52[.]114
- Subsequent TCP connection attempts to 46.151.52[.]114 returned ICMP message Destination unreachable (Host unreachable)
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2015-05-05-Angler-EK-flash-exploit.swf
File size: 55,227 bytes
MD5 hash: 56c207b084da0e3695eb16c89f503b84
Detection ratio: 2 / 57
First submission to VirusTotal: 2015-05-05 16:52:41 UTC
MALWARE PAYLOAD:
File name: 2015-05-05-Angler-EK-malware-payload.exe
File size: 65,536 bytes
MD5 hash: 3d496f0793cfcb63afe20e02426fc465
Detection ratio: 3 / 57
First submission to VirusTotal: 2015-05-05 19:02:08 UTC
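The traffic listing and hashes above are enough to write a small hunting check. What follows is an added example, not one of the page's own files or tools: a Python matcher that loads the domains, IPs and MD5 hashes listed on this page, turns the two URL shapes seen here (the 48-character URL-safe base64 path segments on the Angler EK host, and the POST /a/offers?i=..&u=<32 hex>&f=..&v=..&a=.. check-in) into regular expressions, and runs them over proxy-style log lines. The log format (date, time, source IP, destination IP, method, host, path) and the sample lines are constructed for the example; the base64 path length range of 40 to 64 characters is an assumption that generalises the 48-character paths seen here so the pattern rules also fire on hosts the page does not list.

```python
import re
from typing import List, Optional, Tuple

# IOCs from this page. The page defangs dots as "[.]"; they are refanged here
# so the values compare directly against log fields.
ANGLER_HOSTS = {"citerasnonassistance.continuumconsultinggroup.com"}
POST_INFECTION_HOSTS = {"uptodayscale.eu", "mastertodayversion.eu"}
IOC_IPS = {"94.242.255.53", "146.185.221.157", "46.151.52.114"}
IOC_MD5 = {
    "56c207b084da0e3695eb16c89f503b84": "Angler EK Flash exploit",
    "3d496f0793cfcb63afe20e02426fc465": "Angler EK malware payload",
}

# URL shapes observed on this page. The exact paths are 48 characters; the
# 40-64 range is an assumption so the rule is not tied to one length.
ANGLER_B64_PATH = re.compile(r"^/[A-Za-z0-9_-]{40,64}$")
# Landing URL: hyphenated lowercase words, then a long decimal number.
ANGLER_LANDING_PATH = re.compile(r"^/[a-z]+(?:-[a-z]+)+/\d{12,}$")
# Post-infection check-in: POST /a/offers?i=<n>&u=<32 hex>&f=<n>&v=<n>&a=<n>
OFFERS_PATH = re.compile(r"^/a/offers\?i=\d+&u=[0-9a-f]{32}&f=\d+&v=\d+&a=\d+$")

# Constructed log format for this example: date time src dst METHOD host path
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)


def classify(line: str) -> Optional[str]:
    """Return an IOC label for one log line, or None if nothing matches.

    Hits on hosts/IPs listed on this page get a plain label; hits that match
    only the URL shape on an unlisted host get a "-pattern" label so they can
    be triaged separately.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m["host"].lower()
    path, method, dst = m["path"], m["method"], m["dst"]
    known = host in ANGLER_HOSTS or host in POST_INFECTION_HOSTS or dst in IOC_IPS
    if method == "GET" and (ANGLER_B64_PATH.match(path) or ANGLER_LANDING_PATH.match(path)):
        return "angler-ek" if known else "angler-ek-pattern"
    if method == "POST" and OFFERS_PATH.match(path):
        return "post-infection" if known else "post-infection-pattern"
    if known:
        return "ioc-host"  # listed host or IP, URL shape not recognised
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over log lines; return (timestamp, host, label) per hit."""
    hits = []
    for line in lines:
        label = classify(line)
        if label:
            m = LOG_RE.match(line.strip())
            hits.append((m["ts"], m["host"].lower(), label))
    return hits


def check_hash(md5: str) -> Optional[str]:
    """Look up a file's MD5 against the hashes listed on this page."""
    return IOC_MD5.get(md5.strip().lower())


# Constructed sample log: the page's URLs plus benign noise and one unlisted host.
SAMPLE_LOG = [
    "2015-05-05 18:38:34 10.0.0.5 94.242.255.53 GET citerasnonassistance.continuumconsultinggroup.com /redefining-foiled-swallow-leers/747343778325171996",
    "2015-05-05 18:38:36 10.0.0.5 94.242.255.53 GET citerasnonassistance.continuumconsultinggroup.com /Y0EyOn-XLACecJ5rZ5RrwHApgrEziy8RfVl1ZSpzWeXPh3W_",
    "2015-05-05 18:38:37 10.0.0.5 94.242.255.53 GET citerasnonassistance.continuumconsultinggroup.com /5PP-aW2noAVvvUUH6xUe8ucK_bgfxGSgL6ubu2zN_mMo7YZQ",
    "2015-05-05 18:39:10 10.0.0.5 93.184.216.34 GET www.example.com /index.html",
    "2015-05-05 18:40:44 10.0.0.5 146.185.221.157 POST uptodayscale.eu /a/offers?i=0&u=413fa89c0006444ebb825a66b36f6b27&f=1&v=22&a=52",
    "2015-05-05 18:41:30 10.0.0.5 93.184.216.34 POST www.example.com /login",
    "2015-05-05 18:42:01 10.0.0.5 203.0.113.9 POST some-other-host.example /a/offers?i=0&u=00112233445566778899aabbccddeeff&f=1&v=22&a=52",
]

if __name__ == "__main__":
    for ts, host, label in scan(SAMPLE_LOG):
        print(f"{ts}  {label:24s} {host}")
    print(check_hash("56c207b084da0e3695eb16c89f503b84"))
```

The "-pattern" labels are the useful part for hunting: the listed hostname was a one-off subdomain of a compromised domain and the check-in host is a throwaway .eu domain, so exact host matches will age quickly, while the URL shapes tend to survive longer across Angler campaigns and are worth triaging on their own.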
