ccesar Posted February 27, 2014 Report Share Posted February 27, 2014 2014-02-26 - ANGLER EK - SILVERLIGHT EXPLOIT DELIVERS GRAFTOR/ZBOT VARIANTPCAP AND MALWAREPCAP of the traffic: 2014-02-26-Angler-EK-traffic.pcapZIP file of the malware: 2014-02-26-Angler-EK-malware.zipNOTESThis is a good summary of Angler EK using a Silverlight exploit as early as Nov 2013:Cybercriminals target Silverlight browser plug-in users with new exploit kit | PCWorldCHAIN OF EVENTSASSOCIATED DOMAINS206.188.192.114 - kaplanbenefits.com - Used by malicious link from phishing email.31.170.161.196 - Web hosting, domain names, VPS - 000webhost.com - First redirect (unsuccessful)62.149.130.229 - Dea Comunicazione - siti web, software, grafica pubblicitaria - Second redirect (successful)23.239.12.68 - northerningredients.com - Angler EK domainINFECTION CHAIN OF EVENTS02:56:38 UTC - 192.168.204.175:49380 - 206.188.192.114:80 - kaplanbenefits.com - GET /balanced/index.html02:56:39 UTC - 192.168.204.175:49382 - 31.170.161.196:80 - Web hosting, domain names, VPS - 000webhost.com - GET /ruder/pinpoints.js02:56:39 UTC - 192.168.204.175:49381 - 62.149.130.229:80 - Dea Comunicazione - siti web, software, grafica pubblicitaria - GET /distincter/retorted.js02:56:39 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /own0woz7z302:56:40 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt02:56:43 UTC - 192.168.204.175:49387 - 23.239.12.68:80 - northerningredients.com - GET /KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj602:56:45 UTC - 192.168.204.175:49387 - 23.239.12.68:80 - northerningredients.com - GET /favicon.ico02:56:51 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFePOST-INFECTION CALLBACK TRAFFIC02:58:06 UTC - 192.168.204.175:49391 - 173.194.77.104:80 - Google - GET /UDP traffic from 192.168.204.175 (the infected host) to several dozen IP addresses on various portsPRELIMINARY MALWARE ANALYSISSILVERLIGHT EXPLOITFile name: 2014-02-26-Angler-EK-silverlight-exploit.xapFile size: 53.0 KB ( 54292 bytes )MD5 hash: 54437862cb93c253e97f7b653917384eDetection ratio: 0 / 50First submission: 2014-02-25 01:01:06 UTCVirusTotal link: https://www.virustotal.com/en/file/9cd9503a50bc010aa247e2e6409e413d90a9a50fdd6ecd1f795f15e5b5951cce/analysis/MALWARE PAYLOADFile name: fegyko.exeFile size: 331.0 KB ( 338944 bytes )MD5 hash: 0e1baf2546a3cd0544e333715d95ab3dDetection ratio: 14 / 50First submission: 2014-02-26 03:50:33 UTCVirusTotal link: https://www.virustotal.com/en/file/72fc35a8f1b3f5a279e5d2843da304bd670f2885adbac5444110a935c01b62e6/analysis/Malwr link: https://malwr.com/analysis/YTFhNWVlNDg3YmMxNGNlNGIyNGNhYjYyMWViOWY0Nzk/This is the malware payload after it copied itself to a foldernamed Xeoram in the AppData\Roaming\ directory.SNORT EVENTSSNORT EVENTS FOR THE ANGLER EK TRAFFIC (FROM SECURITY ONION)2014-02-26 02:56:39 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET CURRENT_EVENTS Angler Landing Page Feb 24 20142014-02-26 02:56:40 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET SHELLCODE Possible Encoded %90 NOP SLED2014-02-26 02:56:43 UTC - 23.239.12.68:80 -> 192.168.204.175:49387 - ET CURRENT_EVENTS Angler EK encrypted binary (2) Jan 17 20132014-02-26 02:56:52 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013HIGHLIGHTS FROM THE TRAFFICThe infected web page - kaplanbenefits.com/balanced/index.htmlSuccessful redirect - www.deacomunicazione.it/distincter/retorted.jsAngler EK delivers Silverlight exploit - northerningredients.com/cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0TtAngler EK delivers EXE payload, XOR-ed the the ASCII string: adb234nh northerningredients.com/KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6Angler EK delivers the same EXE payload again, XOR-ed the the ASCII string: aldonjfg northerningredients.com/EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFeNOTE: When I tried XOR-ing both versions of the file from the PCAP, they both had the same MD5 hash, but it was different than the hash for a file named fegkyo.exe in the AppData\Roaming\Xeoram folder. Fegkyo.exe is the exact same size as the files from the PCAP, and it's presumably a copy of the properly deobfuscated malware payload. When I sent the deobfucated files I extracted from the PCAP to Virus Total and Malwr, they were marked as corrupt.FINAL NOTESOnce again, here are links for PCAP file of the traffic and ZIP file of the associated malware:PCAP of the traffic: 2014-02-26-Angler-EK-traffic.pcapZIP file of the malware: 2014-02-26-Angler-EK-malware.zipThe ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.Click here to return to the main page.Sursa: Malware-Traffic-Analysis.net - 2014-02-26Continuare Malware-Traffic-Analysis.net - 2014-02-27 Quote Link to comment Share on other sites More sharing options...
sleed Posted February 28, 2014 Report Share Posted February 28, 2014 Interesant... AI inteles ceva de acolo? Quote Link to comment Share on other sites More sharing options...
ccesar Posted February 28, 2014 Author Report Share Posted February 28, 2014 De inteles, in principiu am inteles ce se intampla, dar pentru chestiile de detaliu mai trebuie studiat. Oricum, exploit kiturile mi se par interesante ca si functionare dar e o curiozitate personala ca sa zic asa si nu prea am timp. Quote Link to comment Share on other sites More sharing options...
