2013-11-15 - GONDAD EXPLOIT KIT DELIVERS GONDAD.EXE

ASSOCIATED FILES:

 

NOTES:

I don't know if this was a coincidence, but the name of a malware EXE stored in an infected VM's temp folder matches the name of an exploit kit that triggered on the IDS.  In this case, two events triggered on a Gondad exploit kit, while the malware in the AppData\Local\Temp folder was named gondad.exe.


Screenshot from the infected VM.

Gondad is a Chinese crimeware exploit kit, and you can read more about it here or here.  Let's see what the infection traffic looks like...

SNORT EVENTS

 

I used Security Onion to monitor a vulnerable Windows VM running Java 6 update 25.  The infection traffic generated the following events in Sguil (all times GMT):

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

INITIAL INFECTION CHAIN

POST INFECTION CALLBACK TRAFFIC

 

INFECTION TRAFFIC DETAILS

IP address: 84.124.94.27 port 80
domain name: musculosysexo.com
HTTP request: GET /

Sguil events: None

Screenshot of traffic:


I couldn't figure out how it got from here to the next step in the infection chain.

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/index.html

Sguil event: ET CURRENT_EVENTS GondadEK Landing Sept 03 2013

Screenshot of traffic:

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/swfobject.js

Sguil event: ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013

Screenshot of traffic:

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/jpg.js

Sguil event: ET INFO JAVA - ClassID?

Screenshot of traffic:

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/vekqkr2.jpg

Sguil events:

Screenshot of traffic:

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/com.class
HTTP request: GET /w3c/w/edu.class
HTTP request: GET /w3c/w/net.class
HTTP request: GET /w3c/w/org.class

Sguil events:

NOTE: These HTTP GET requests all returned a response of 404 Not Found.

 

IP address: 223.130.89.28 port 80
domain name: www.dcart.co.kr
HTTP request: GET /kcp/winlog.exe

Sguil event: ET POLICY PE EXE or DLL Windows file download

Screenshot of traffic:

 

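A small detector for the chain pattern documented above, written as an added example (not part of the original post). It walks constructed request records built from the hosts and URIs listed here, with assumed status codes and leading body bytes, and flags the archive served under a .jpg name, the burst of 404s for .class files, and the PE download.

```python
import re
from collections import defaultdict

# Constructed request log: "host method uri status body_magic_hex". Hosts and
# URIs come from the post; the statuses (apart from the reported 404s) and the
# leading body bytes are assumptions for illustration. '-' means no body.
CONSTRUCTED_LOG = """\
musculosysexo.com GET / 200 3c68746d6c
www.inkwa.co.kr GET /w3c/w/index.html 200 3c68746d6c
www.inkwa.co.kr GET /w3c/w/swfobject.js 200 2f2a2053
www.inkwa.co.kr GET /w3c/w/jpg.js 200 76617220
www.inkwa.co.kr GET /w3c/w/vekqkr2.jpg 200 504b0304
www.inkwa.co.kr GET /w3c/w/com.class 404 -
www.inkwa.co.kr GET /w3c/w/edu.class 404 -
www.inkwa.co.kr GET /w3c/w/net.class 404 -
www.inkwa.co.kr GET /w3c/w/org.class 404 -
www.dcart.co.kr GET /kcp/winlog.exe 200 4d5a9000
"""

ZIP_MAGIC = "504b0304"   # "PK\x03\x04": a JAR is a ZIP archive
PE_MAGIC = "4d5a"        # "MZ": Windows executable header
IMAGE_EXT = re.compile(r"\.(jpe?g|gif|png|bmp)$", re.I)

def parse_log(text):
    """Split each log line into a request record."""
    records = []
    for line in text.splitlines():
        host, method, uri, status, magic = line.split()
        records.append({"host": host, "method": method, "uri": uri,
                        "status": int(status), "magic": magic.lower()})
    return records

def find_indicators(records):
    """Return (kind, host, detail) tuples for the patterns seen in this chain."""
    hits = []
    class_404 = defaultdict(list)
    for r in records:
        # A JAR served under an image name: extension says picture, bytes say ZIP.
        if IMAGE_EXT.search(r["uri"]) and r["magic"].startswith(ZIP_MAGIC):
            hits.append(("jar_disguised_as_image", r["host"], r["uri"]))
        # A PE file fetched over plain HTTP: the payload stage of the chain.
        if r["magic"].startswith(PE_MAGIC):
            hits.append(("pe_download", r["host"], r["uri"]))
        # The JVM probing for classes the archive did not contain (all 404).
        if r["uri"].endswith(".class") and r["status"] == 404:
            class_404[r["host"]].append(r["uri"])
    for host, uris in class_404.items():
        if len(uris) >= 3:
            hits.append(("class_probe_404_burst", host, ",".join(uris)))
    return hits
```

Run on the constructed log it reports the disguised archive on www.inkwa.co.kr, the four .class probes, and the winlog.exe download from www.dcart.co.kr.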
PRELIMINARY MALWARE ANALYSIS

Java exploit from 211.233.50.214 port 80 (www.inkwa.co.kr):

https://www.virustotal.com/en/file/365d664cf30a569b56f829806fe57e8b31289515b8d5425fd83e3e465cf084fa/analysis/1384564026/

File name:  2013-11-15-java-exploit.jar
File size:  2.4 KB ( 2463 bytes )
MD5 hash:  c0d693e9c3c41c217541f5db7de6f459
Detection ratio:  9 / 46
First submitted:  2013-11-16 01:07:06 GMT
This appears to be based on CVE-2011-3544, which is effective against Java 6 update 27 and earlier.

Java archive contents:

Malicious binary downloaded from 223.130.89.28 port 80 (www.dcart.co.kr):

https://www.virustotal.com/en/file/a71ba4a221ffb1c60c8c937548cf0ea91d2393969aaf2364454f0796f9f688d0/analysis/1384564048/

File name:  2013-11-15-malicious-binary.exe
File size:  45.5 KB ( 46592 bytes )
MD5 hash:  1297b79f039b802fc09bcada1d3763e7
Detection ratio:  12 / 46
First submitted:  2013-11-15 14:49:21 GMT

Most of the AV companies listed on the VirusTotal entry have identified this malware as a variant of Unruy.  Unruy appears to be a Trojan downloader.  We saw it call out, but no additional malware was downloaded in this case.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.