2014-01-20 - ANOTHER STYX EK EXAMPLE

ASSOCIATED FILES:

 

NOTES:

Here's a quick post for the PCAP and malware on a Styx EK infection, very similar to the traffic I covered on 2013-12-27.  All times listed below are from the PCAP and use Central Standard Time (GMT minus 6 hours).

 

TRAFFIC

The original referer was the result of a Google search:

A series of redirects:

Goes to a landing page:

After various HTTP GET requests for images from www1.z18hg770fv466u.4pu.com, the exploit traffic follows:

 

MALWARE

 

File name:  EYlntXRw.jar
File size:  27.8 KB ( 28515 bytes )
MD5 hash:  89e470fcc466d648c205a91daac17aa8
VirusTotal link:  https://www.virustotal.com/en/file/79c63c54ba9e911a808a72ea418e079932029eb48c199b183471fbfcbfe0904b/analysis/
Detection ratio:  4 / 49
First submission:  2014-01-20 23:33:20 GMT

 

File name:  glrgdcieqhaurbaiksf.exe
File size:  895.0 KB ( 916480 bytes )
MD5 hash:  956ca1c210e24c6168a84ea2733f7508
VirusTotal link:  https://www.virustotal.com/en/file/da365d911bed34e66c5335ad1413e4f0b4cfd1d244e0fd03331359b77aeef1ad/analysis/
Detection ratio:  17 / 48
First submission:  2014-01-20 23:33:31 GMT

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.