Notes
  • Sample via Threatglass
  • Compromised Wix domain has an embedded iframe leading to Angler EK, which ends up sending Ramnit
  • Unfortunately, Ramnit communicates exclusively over SSL
  • No malware samples, just PCAP
PCAP and Malware

PCAP here: via Threatglass

Compromised Domain and Redirects

2015-11-27 13:49:51 UTC - 5.45.79.152 - smilevitalize.net - GET /

Angler EK Traffic

2015-11-27 13:49:52 UTC - 5.45.76.200 - vendeta-forum.biz - GET /topic.php?forum=05&topic=61942&postid=1447957328
2015-11-27 13:49:54 UTC - 191.96.66.113 - s65j3qhj.p5f3w7ur.space - GET /civis/search.php?keywords=21648&fid0=155d6ft9b335331r35.8p0
2015-11-27 13:49:56 UTC - 191.96.66.113 - s65j3qhj.p5f3w7ur.space - GET /public.ashx?nothing=-M3ry&press=Nzz8KMRX&manner=tk-4y&social=CbSFBnyso4&experience=Z15oIuVuhLiL4CbJKakP
2015-11-27 13:49:58 UTC - 191.96.66.113 - s65j3qhj.p5f3w7ur.space - GET /town.shtml?democratic=ESp&six=At9wkL5Z&court=&pool=IlP&interest=&success=3xr2mlwGU&put=&obtain=2n8H1gJYlA&therefore=YH0FCwfIv7x4mFS

Post-Infection Ramnit Traffic

SSL traffic to - testetst.ru - 151.248.117.40:443

IDS alerts using the Emerging Threats Pro Ruleset (INFO & POLICY disabled) on Suricata 2.0.8

2015-11-27 13:49:56 UTC - 191.96.66.113:80 -> 192.168.58.10:1048 - ETPRO CURRENT EVENTS Angler EK Landing Nov 18 2015 M1
2015-11-27 13:49:56 UTC - 191.96.66.113:80 -> 192.168.58.10:1048 - ETPRO CURRENT EVENTS Angler EK Landing Nov 18 2015 M3
2015-11-27 13:49:56 UTC - 191.96.66.113:80 -> 192.168.58.10:1048 - ETPRO CURRENT EVENTS Angler EK Landing Nov 18 2015 M4
2015-11-27 13:49:56 UTC - 192.168.58.10:1048 -> 191.96.66.113:80 - ETPRO CURRENT EVENTS Angler or Nuclear EK Flash Exploit (IE) Jun 16 M1 T2
2015-11-27 13:50:02 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:02 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:03 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:04 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:04 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:05 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:05 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:06 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:06 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:07 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:08 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:09 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:10 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:18 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:19 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:21 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
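The alert sequence above is what a defender actually has to work with here: because the Ramnit check-in is SSL, the only evidence of infection is the ordering of signatures (EK landing page, then a TROJAN check-in from the same internal host). The following Python is an added example, not code from this post, that parses alert lines in the format shown and reconstructs that chain per victim host; the monitored range (192.168.0.0/16) and the five-minute correlation window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four of the Suricata alert lines listed above.
ALERTS = """\
2015-11-27 13:49:56 UTC - 191.96.66.113:80 -> 192.168.58.10:1048 - ETPRO CURRENT EVENTS Angler EK Landing Nov 18 2015 M1
2015-11-27 13:49:56 UTC - 192.168.58.10:1048 -> 191.96.66.113:80 - ETPRO CURRENT EVENTS Angler or Nuclear EK Flash Exploit (IE) Jun 16 M1 T2
2015-11-27 13:50:02 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
2015-11-27 13:50:21 UTC - 192.168.58.10:1056 -> 151.248.117.40:443 - ET TROJAN Win32/Ramnit Checkin
"""
LINE = re.compile(r"^(?P<ts>\S+ \S+) UTC - (?P<src>[\d.]+):(?P<sport>\d+) -> "
                  r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<msg>.+)$")
HOME_NET = "192.168."  # assumed monitored range; the victim in this PCAP is 192.168.58.10

def parse_alerts(text):
    """Turn 'ts UTC - src:port -> dst:port - msg' lines into dicts."""
    alerts = []
    for m in (LINE.match(l.strip()) for l in text.splitlines()):
        if m:
            a = m.groupdict()
            a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S")
            alerts.append(a)
    return alerts

def victim(a):
    # whichever side of the flow is inside HOME_NET is the host of interest
    return a["src"] if a["src"].startswith(HOME_NET) else a["dst"]

def infection_chains(alerts, window=timedelta(minutes=5)):
    """Per internal host, an EK alert followed within `window` by an ET TROJAN
    alert. Returns {host: {'ek_first', 'trojan_first', 'c2', 'checkins'}}."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[victim(a)].append(a)
    chains = {}
    for host, evts in by_host.items():
        evts.sort(key=lambda a: a["ts"])
        ek = [a for a in evts if " EK " in a["msg"]]
        first_ek = ek[0]["ts"] if ek else None
        post = [a for a in evts if first_ek and a["msg"].startswith("ET TROJAN")
                and first_ek <= a["ts"] <= first_ek + window]
        if post:  # landing page hit, then C2 check-in: treat the host as compromised
            chains[host] = {"ek_first": first_ek, "trojan_first": post[0]["ts"],
                            "c2": sorted({(a["dst"], a["dport"]) for a in post}),
                            "checkins": len(post)}
    return chains
```

For this PCAP the result is one chain for 192.168.58.10: the first EK alert at 13:49:56, the first check-in six seconds later, and 151.248.117.40:443 as the only C2 endpoint, which is exactly the SSL host the text names.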

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.