2014-01-31 - TWO EXAMPLES: GOON EK AND DOTKACHEF EK

ASSOCIATED FILES:

NOTES:

Here are two examples of infection traffic and associated malware that I captured in the past few days...

EXAMPLE 1: GOON EK USES SILVERLIGHT EXPLOIT ON 2014-01-27

NOTE:  I've already looked at Goon EK traffic before in these blog entries:

This time, the Goon EK domain used a Microsoft Silverlight exploit.

SNORT EVENTS ON 2014-01-27

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

NOTE: The pcap also has the following post-infection callback traffic:

File name:  2014-01-27-Goon-EK-silverlight-exploit.xap
File size:  6.9 KB ( 7039 bytes )
MD5 hash:  8e7a86c7d27d1eea7df0534b8879022f
Virus Total link:  https://www.virustotal.com/en/file/1440714aeae4db23b3536cf88041d5bb84edd86e9f851b747df958f64293156a/analysis/
Detection ratio:  2 / 49
First submitted:  2014-01-26 15:29:10 UTC

File name:  2014-01-27-Goonk-EK-malware-payload.exe
File size:  217.0 KB ( 222208 bytes )
MD5 hash:  d343946f3100566fa9949dd0d5ad2fac
Virus Total link:  https://www.virustotal.com/en/file/ea7c1b1e79b041f9a76e92d7fc6bfd26150f0a58eb43ebd9c0e12eff55490370/analysis/
Detection ratio:  26 / 50
First submitted:  2014-01-28 19:51:30 UTC

File name:  2014-01-27-additional-malware.exe
File size:  85.1 KB ( 87170 bytes )
MD5 hash:  dcc1f720310928b86de4c7efe19866a7
Virus Total link:  https://www.virustotal.com/en/file/1a111faf9e50408f5fa9d9150694b86669dbfba2e768041394855780c0cd0936/analysis/
Detection ratio:  33 / 50
First submitted:  2014-02-01 02:40:00 UTC

EXAMPLE 2: DOTKACHEF EK DELIVERS JAVA EXPLOIT ON 2014-01-31

NOTE:  For a more in-depth analysis of DotkaChef EK traffic, see my previous blog entry on the subject:

SNORT EVENTS ON 2014-01-31

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

File name:  2014-01-31-DotkaChef-java-exploit.jar
File size:  10.8 KB ( 11039 bytes )
MD5 hash:  3aa7cb2d4f808919f507fc9eca1a43d8
Virus Total link:  https://www.virustotal.com/en/file/983d843249c19194332205c4c343f356512295a703382140d5948158f793b6b8/analysis/
Detection ratio:  4 / 46
First submitted:  2014-01-30 13:42:12 UTC
Malwr link: 

File name:  2014-01-31-DotkaChef-EXE-payload.exe
File size:  90.7 KB ( 92887 bytes )
MD5 hash:  7ccefe3039a0c7c65ee3a532e7699b9a
Virus Total link:  https://www.virustotal.com/en/file/9ebe114525fa6381aa3d518f491e3f2e0b2fe960b15a855608e7ca95231da5a2/analysis/
Detection ratio:  27 / 50
First submitted:  2014-01-30 22:07:25 UTC

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.