2013-07-21 - BLACKHOLE EK FROM 176.119.5.7 - DOMENICOSSOS.COM

PCAP AND MALWARE:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

BLACKHOLE EK:

POST-INFECTION TRAFFIC FROM THE PCAP:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2013-07-21-Blackhole-EK-java-exploit.jar
File size:  30.6 KB ( 31339 bytes )
MD5 hash:  f472177c3d4f8d76cacb20c3a092a2cc
Detection ratio:  20 / 52
First submission:  2013-07-18 23:41:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54715c17cfdfe27e618fb467f8b9cfed6ab2e1cc438a1e7aebb9e6c1e039b066/analysis/

MALWARE PAYLOAD 1 OF 3:

File name:  2013-07-21-Blackhole-EK-malware-payload-calc.exe
File size:  340.0 KB ( 348160 bytes )
MD5 hash:  94fe26c6d39dc6d5c8f478393cada652
Detection ratio:  41 / 55
First submission:  2013-07-18 17:00:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54cc576e2acd83ed9e530184d481c5b7e3423056b81aac072c367426d7319617/analysis/

MALWARE PAYLOAD 2 OF 3:

File name:  2013-07-21-Blackhole-EK-malware-payload-info.exe
File size:  207.0 KB ( 211968 bytes )
MD5 hash:  1a495c98798cde496bc1f1bc7e7d7280
Detection ratio:  43 / 54
First submission:  2013-07-18 08:20:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ee56edd7d9aad3e98ac77f23318bb2b828d9be0075ba2a771de58de7c1587cba/analysis/

MALWARE PAYLOAD 3 OF 3:

File name:  2013-07-21-Blackhole-EK-malware-payload-readme.exe
File size:  100.5 KB ( 102912 bytes )
MD5 hash:  b9a3ab785a10deaa2226afea15c392ed
Detection ratio:  40 / 53
First submission:  2013-07-12 17:30:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/43565420246215bef3f02615166e38eaec4cde9d77c59f322c99421d1693649c/analysis/

SNORT EVENTS

Screenshot of Emerging Threats signature hits from Sguil on Security Onion (without ET POLICY or ET INFO events):

SCREENSHOTS FROM THE TRAFFIC

Compromised website (link from a spam email):

Sutra TDS redirect:

Blackhole EK landing page:

Blackhole EK sends Java exploit:

Blackhole EK sends 3 different malware payloads:

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.