Notes
  • This domain has been seen many times before...
  • Still pwned with Angler EK, and it didn't even host actual content! Just an Apache config page this time
  • Last time I saw this domain, it was hosting RIG EK, and can be seen here and also here
  • Pony/Fareit/Rovnix payload from what I can tell
PCAP and Malware
Network Traffic
Compromised Domain and Redirection

2015-05-20 05:29:54 UTC - 31.187.70.66 - cupidfunda.com - GET /

Malicious redirect from compromised domain:

Decoded the gzipped content of the redirect using CapTipper's ungzip command
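The redirect above is only visible once the response body is decompressed, which is what the CapTipper ungzip step does. Below is an added example, not code from the post or from CapTipper, that does the same decoding on a constructed HTTP/1.1 response (chunked transfer encoding plus gzip, as a real capture would usually show) and then lists any iframe or script sources that point off the served host. The response body, the "Apache2 Default Page" markup and the hostname landing.redirect-placeholder.example are all constructed for the example; only cupidfunda.com is taken from the capture above.

```python
import gzip
import re
from typing import Dict, List, Tuple

# Constructed sample body: an Apache default page with a hidden iframe injected.
# The iframe hostname is a placeholder, not the redirect target from the capture.
_INJECTED_HTML = (
    b"<html><head><title>Apache2 Default Page</title></head><body>"
    b"<h1>It works!</h1>"
    b'<iframe src="http://landing.redirect-placeholder.example/path" '
    b'width="1" height="1" style="visibility:hidden"></iframe>'
    b"</body></html>"
)


def _chunk(data: bytes) -> bytes:
    """Wrap bytes in HTTP chunked transfer encoding (two chunks plus terminator)."""
    half = len(data) // 2
    out = b""
    for piece in (data[:half], data[half:]):
        out += b"%x\r\n%s\r\n" % (len(piece), piece)
    return out + b"0\r\n\r\n"


# Constructed raw response as it would sit on the wire: gzip inside chunked.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
) + _chunk(gzip.compress(_INJECTED_HTML))


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP response into a lower-cased header dict and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body; chunk sizes are hex, extensions after ';' ignored."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        if size == 0:
            break
        start = end + 2
        out += body[start:start + size]
        pos = start + size + 2                      # skip the chunk's trailing CRLF
    return out


def decode_body(headers: Dict[str, str], body: bytes) -> bytes:
    """Undo transfer and content encodings so the HTML can be inspected."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


_REF_RE = re.compile(rb'<(?:iframe|script)[^>]*\bsrc="([^"]+)"', re.IGNORECASE)


def external_references(html: bytes, served_host: str) -> List[str]:
    """Return iframe/script src URLs whose host differs from the serving host."""
    refs = []
    for m in _REF_RE.finditer(html):
        url = m.group(1).decode(errors="replace")
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if host and host != served_host:
            refs.append(url)
    return refs


def analyze(raw: bytes, served_host: str) -> List[str]:
    """Decode a raw response and list off-host references found in it."""
    headers, body = parse_response(raw)
    return external_references(decode_body(headers, body), served_host)


if __name__ == "__main__":
    for url in analyze(SAMPLE_RESPONSE, "cupidfunda.com"):
        print("external reference in decoded body:", url)
```

Running the reference scan against the raw (still compressed) body finds nothing, which is the point: string or signature matching on captured traffic has to happen after the body is dechunked and gunzipped, or the injected redirect is simply not there to be seen.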

Angler EK Traffic

2015-05-20 05:29:55 UTC - 92.222.42.184 - lexus.modificationscruz.xyz - GET /apeman-flue-ineffectualness-taxi/40322724179481038
2015-05-20 05:29:57 UTC - 92.222.42.184 - lexus.modificationscruz.xyz - GET /Ntueo4JCOzu2i2mS0eVn00Ftm5ku6GXDX6ddws4RevY8mATA
2015-05-20 05:29:58 UTC - 92.222.42.184 - lexus.modificationscruz.xyz - GET /wDWdytJXiv320EU7Gb8ULwxXQ5v4Oeof0cYJqgwMzmptwpfX

Angler EK Post-Infection Traffic

2015-05-20 05:30:08 UTC - 93.170.131.30 - modelstarinvo.com - POST /gate.php
2015-05-20 05:30:09 UTC - 213.186.33.3 - careers.efront.com - GET /wp-content/plugins/cached_data/e.exe
2015-05-20 05:30:12 UTC - 208.84.148.109 - capcollision.com - GET /wp-content/plugins/cached_data/e.exe

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8

2015-05-20 05:29:55 UTC - 92.222.42.184:80 -> 192.168.40.14:49412 - ETPRO CURRENT EVENTS Angler EK Landing T1 April 29 2015 M2
2015-05-20 05:29:55 UTC - 92.222.42.184:80 -> 192.168.40.14:49412 - ETPRO CURRENT EVENTS Angler EK Landing T1 April 29 2015 M3
2015-05-20 05:29:55 UTC - 92.222.42.184:80 -> 192.168.40.14:49412 - ETPRO CURRENT EVENTS Angler EK Landing T1 April 29 2015 M5
2015-05-20 05:29:58 UTC - 192.168.40.14:49413 -> 92.222.42.184:80 - ET CURRENT EVENTS Angler EK Payload DL M1 Feb 06 2015
2015-05-20 05:29:58 UTC - 92.222.42.184:80 -> 192.168.40.14:49413 - ETPRO CURRENT EVENTS Angler EK Payload T1 April 29 2015 M2
2015-05-20 05:29:58 UTC - 92.222.42.184:80 -> 192.168.40.14:49413 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (13)
2015-05-20 05:29:58 UTC - 192.168.40.14:49412 -> 92.222.42.184:80 - ET POLICY Outdated Windows Flash Version IE
2015-05-20 05:29:58 UTC - 192.168.40.14:49412 -> 92.222.42.184:80 - ET CURRENT EVENTS Possible Angler EK Flash Exploit URI Structure Jan 21 2015
2015-05-20 05:30:08 UTC - 192.168.40.14:49415 -> 93.170.131.30:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer
2015-05-20 05:30:09 UTC - 192.168.40.14:49415 -> 93.170.131.30:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-05-20 05:30:11 UTC - 192.168.40.14:49416 -> 213.186.33.3:80 - ET TROJAN Possible Graftor EXE Download Common Header Order
2015-05-20 05:30:11 UTC - 192.168.40.14:49416 -> 213.186.33.3:80 - ET TROJAN Single char EXE direct download likely trojan (multiple families)
2015-05-20 05:30:11 UTC - 192.168.40.14:49416 -> 213.186.33.3:80 - ET CURRENT EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2015-05-20 05:30:12 UTC - 192.168.40.14:49417 -> 208.84.148.109:80 - ET TROJAN Possible Graftor EXE Download Common Header Order
2015-05-20 05:30:12 UTC - 192.168.40.14:49417 -> 208.84.148.109:80 - ET TROJAN Single char EXE direct download likely trojan (multiple families)
2015-05-20 05:30:12 UTC - 192.168.40.14:49417 -> 208.84.148.109:80 - ET CURRENT EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2015-05-20 05:30:12 UTC - 208.84.148.109:80 -> 192.168.40.14:49417 - ET POLICY PE EXE or DLL Windows file download HTTP
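The alert names above describe the traits that give this chain away: a dictionary-word landing URI, long random alphanumeric URIs for the exploit and payload, a POST to gate.php with no referer, and single-character .exe downloads out of a WordPress plugin directory. The following added example (not from the post, and not the Emerging Threats rules themselves) encodes those traits as simplified heuristics, runs them over the request lines listed above, and groups the hosts by their role in the chain. The heuristic patterns and role assignment are my own approximations; the log lines are the ones from this capture.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Request lines as listed above (timestamp - server IP - host - method path).
LOG = """\
2015-05-20 05:29:54 UTC - 31.187.70.66 - cupidfunda.com - GET /
2015-05-20 05:29:55 UTC - 92.222.42.184 - lexus.modificationscruz.xyz - GET /apeman-flue-ineffectualness-taxi/40322724179481038
2015-05-20 05:29:57 UTC - 92.222.42.184 - lexus.modificationscruz.xyz - GET /Ntueo4JCOzu2i2mS0eVn00Ftm5ku6GXDX6ddws4RevY8mATA
2015-05-20 05:29:58 UTC - 92.222.42.184 - lexus.modificationscruz.xyz - GET /wDWdytJXiv320EU7Gb8ULwxXQ5v4Oeof0cYJqgwMzmptwpfX
2015-05-20 05:30:08 UTC - 93.170.131.30 - modelstarinvo.com - POST /gate.php
2015-05-20 05:30:09 UTC - 213.186.33.3 - careers.efront.com - GET /wp-content/plugins/cached_data/e.exe
2015-05-20 05:30:12 UTC - 208.84.148.109 - capcollision.com - GET /wp-content/plugins/cached_data/e.exe
"""

LINE_RE = re.compile(r"^(\S+ \S+ UTC) - (\S+) - (\S+) - (GET|POST) (.+)$")


@dataclass
class Request:
    ts: str
    ip: str
    host: str
    method: str
    path: str
    tags: List[str] = field(default_factory=list)


# Simplified heuristics loosely modelled on the alert names above.
# These are illustrative approximations, not the real ET/ETPRO signatures.
HEURISTICS: List[Tuple[str, Callable[[Request], bool]]] = [
    ("dictionary-word landing URI",
     lambda r: re.fullmatch(r"/[a-z]+(?:-[a-z]+){2,}/\d{10,}", r.path) is not None),
    ("terse alphanumeric URI",
     lambda r: re.fullmatch(r"/[A-Za-z0-9]{32,}", r.path) is not None),
    ("POST to gate.php",
     lambda r: r.method == "POST" and r.path.endswith("/gate.php")),
    ("single-char EXE download",
     lambda r: re.fullmatch(r"[A-Za-z0-9]\.exe", r.path.rsplit("/", 1)[-1]) is not None),
    ("EXE under wp-content/plugins",
     lambda r: "/wp-content/plugins/" in r.path and r.path.lower().endswith(".exe")),
]


def parse_log(text: str) -> List[Request]:
    """Parse the 'ts - ip - host - METHOD path' lines; unparseable lines are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            reqs.append(Request(*m.groups()))
    return reqs


def tag_requests(reqs: List[Request]) -> List[Request]:
    """Attach the name of every heuristic that fires on each request."""
    for r in reqs:
        r.tags = [name for name, test in HEURISTICS if test(r)]
    return reqs


def infection_chain(reqs: List[Request]) -> Dict[str, List[str]]:
    """Group hosts by role, in order of first appearance.

    An untagged request immediately preceding tagged traffic is treated as the
    compromised site that redirected the victim; tagged requests are sorted into
    C2, payload hosts, or the exploit kit itself.
    """
    chain: Dict[str, List[str]] = {
        "compromised_site": [], "exploit_kit": [], "c2": [], "payload_hosts": []
    }
    for i, r in enumerate(reqs):
        if "POST to gate.php" in r.tags:
            role = "c2"
        elif any("EXE" in t for t in r.tags):
            role = "payload_hosts"
        elif r.tags:
            role = "exploit_kit"
        elif i + 1 < len(reqs) and reqs[i + 1].tags:
            role = "compromised_site"
        else:
            continue
        if r.host not in chain[role]:
            chain[role].append(r.host)
    return chain


if __name__ == "__main__":
    requests = tag_requests(parse_log(LOG))
    for r in requests:
        print(f"{r.ts}  {r.host:30} {r.method} {r.path[:48]:48} {', '.join(r.tags) or '-'}")
    for role, hosts in infection_chain(requests).items():
        print(f"{role:17}: {', '.join(hosts) or '-'}")
```

Each of these heuristics will also fire on some legitimate traffic on its own (long cache-busting URIs, for instance), which is why the alerts above are only convincing in sequence: a landing hit, then the encrypted payload fetch, then the gate.php check-in and the follow-on executable downloads, all from one client inside about twenty seconds.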

Preliminary Malware Analysis

Angler EK Payload

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.