Angler exploits flash version 20,0,0,306 sending Vawtrak


NOTES:
A couple of days ago, the popular website Malware don’t need Coffee reported that Angler Exploit Kit was exploiting flash version 20,0,0,306.
Earlier today Malware-Traffic-Analysis posted a TeslaCrypt infection after Angler exploited flash version 20,0,0,306.
Today, during an infection chain, Angler exploited flash version 20,0,0,306 and infected my computer with Vawtrak. See details below.


ASSOCIATED DOMAINS:

  • ebonyshoes.com – COMPROMISED SITE
  • 89.108.83.124 – swing.qfireconsulting.com – GET /topic/ – ANGLER EK LANDING PAGE
  • 64.32.26.89 – nordijors.com – POST /data/feeder – Vawtrak POST INFECTION TRAFFIC
  • 107.155.120.185 – lokagbuuses.com – POST /data/feeder – Vawtrak POST INFECTION TRAFFIC
  • 95.213.139.116 – GET /module/ – Vawtrak POST INFECTION TRAFFIC


IMAGES and DETAILS:

Shown above: Referer from the Angler landing page to the flash exploit file targeting version 20,0,0,306


Shown above: Extraction of the flash file for analysis. The file appears slightly larger than the usual 74 kB


Shown above: Vawtrak post infection traffic


Shown above: Vawtrak .dll file set to run at start-up via the registry


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 967735cd3113c513da5b1bbcd4d9f4ac – 2016-03-28-swing-qfireconsulting-com-Angler-EK.swf
  • 5a6356486a540d4f7d3613970537f473 – 2016-03-28-swing-qfireconsulting-com-Vawtrak.dll
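As an added example (not part of the original post), the indicators from the ASSOCIATED DOMAINS and MD5 HASHES sections can be turned into a small detection script: it matches proxy-log lines against the Angler landing page and the Vawtrak post-infection hosts and URIs, and checks file MD5s against the two listed hashes. The log format and the sample log lines are constructed for this example and are not from the original capture.

```python
import re
from collections import namedtuple
# Indicators from the ASSOCIATED DOMAINS list: (host, method, URI prefix, label). ebonyshoes.com is a
# compromised legitimate site and is left out: matching it alone would flag ordinary visits.
NETWORK_IOCS = [
    ("swing.qfireconsulting.com", "GET", "/topic/", "Angler EK landing page"),
    ("89.108.83.124", "GET", "/topic/", "Angler EK landing page"),
    ("nordijors.com", "POST", "/data/feeder", "Vawtrak post-infection traffic"),
    ("64.32.26.89", "POST", "/data/feeder", "Vawtrak post-infection traffic"),
    ("lokagbuuses.com", "POST", "/data/feeder", "Vawtrak post-infection traffic"),
    ("107.155.120.185", "POST", "/data/feeder", "Vawtrak post-infection traffic"),
    ("95.213.139.116", "GET", "/module/", "Vawtrak post-infection traffic"),
]
# MD5 hashes from the MD5 HASHES section.
HASH_IOCS = {
    "967735cd3113c513da5b1bbcd4d9f4ac": "Angler EK Flash exploit (.swf)",
    "5a6356486a540d4f7d3613970537f473": "Vawtrak payload (.dll)",
}
# Assumed log format (constructed for this example): "<timestamp> <client-ip> <METHOD> <host> <uri> <status>"
LOG_RE = re.compile(r"^(\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+) (\d{3})$")
Hit = namedtuple("Hit", "client host uri label")

def scan_log(lines):
    """Return one Hit per log line whose host, method and URI prefix match an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        host = m.group("host").lower()
        for ioc_host, method, prefix, label in NETWORK_IOCS:
            # Host and method must both match: the URI alone (/topic/, /module/) is too generic.
            if host == ioc_host and m.group("method") == method and m.group("uri").startswith(prefix):
                hits.append(Hit(m.group("client"), host, m.group("uri"), label))
                break
    return hits

def check_hashes(md5s):
    """Map each supplied MD5 that matches a known sample to its label (case-insensitive)."""
    return {h.lower(): HASH_IOCS[h.lower()] for h in md5s if h.lower() in HASH_IOCS}

# Constructed sample log: one host walking the chain described above, plus a benign control line.
SAMPLE_LOG = [
    "2016-03-28T14:01:02 10.0.0.5 GET ebonyshoes.com / 200",
    "2016-03-28T14:01:05 10.0.0.5 GET swing.qfireconsulting.com /topic/ 200",
    "2016-03-28T14:02:10 10.0.0.5 POST nordijors.com /data/feeder 200",
    "2016-03-28T14:02:30 10.0.0.5 GET 95.213.139.116 /module/ 200",
    "2016-03-28T14:03:00 10.0.0.7 GET example.org /topic/ 200",
]
```

Running `scan_log(SAMPLE_LOG)` yields three hits for client 10.0.0.5 (landing page, feeder POST, module GET) and none for the control line, since the URI path alone is not treated as an indicator.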