
2014-02-03 PART 1 OF 4 - GOON EK DELIVERS ASPROX-STYLE MALWARE

PCAP AND MALWARE

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST INFECTION CALLBACK TRAFFIC

NOTE: This post-infection callback traffic follows the same pattern I've seen from malware attachments in phishing emails sent by the Asprox botnet.  See my previous blog entries on Asprox malware traffic for a comparison:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT - looks like an exploit for CVE-2013-2460 (link).

File name:  xmlchecker.jar
File size:  17.4 KB ( 17790 bytes )
MD5 hash:  dd4138f2887fa3e84e7a44518f88db45
Detection ratio:  2 / 46
First submission:  2014-02-05 02:51:22 UTC
VirusTotal link: https://www.virustotal.com/en/file/817cfa351c4992235d30208cfd41055e53fe3399f05f0a0d737962f4e0b162d3/analysis/

EXE PAYLOAD - came over the network XOR-ed with the ASCII string: m3S4V

File name:  deobfuscated-payload.exe
File size:  247.6 KB ( 253559 bytes )
MD5 hash:  4b2bb32788ab015d8f9f77d885478c05
Detection ratio:  15 / 51
First submission:  2014-02-05 02:43:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/36936f640dee43e5aa783ebb0f4e39e13d4ac4f7cae6a5fb92570096aa8919cc/analysis/

SNORT EVENTS

SNORT EVENTS FOR GOON EK TRAFFIC (FROM SECURITY ONION)

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - www.vision-soft.org/main.htm

Redirect - www.nationalcavyclub.co.uk/sentstats.php?id=7260759

Landing page of the Goon EK domain - ecole-croisiere.com/list/pl/7/B.html

Preparing for the Java exploit - ecole-croisiere.com/soft/xmlchecker.txt

Delivering the Java exploit - ecole-croisiere.com/soft/xmlchecker.jar

Delivering the EXE payload - ecole-croisiere.com/soft/195936.mp3 - which is XOR-ed with the ASCII string: m3S4V
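The XOR obfuscation noted here and in the EXE PAYLOAD section above is a repeating-key XOR, so an analyst can reverse it from the pcap without running anything. The following is an added example (not code from this site) that decodes a carved object with the key m3S4V, checks for the MZ header, and also shows how the key can be recovered from the ciphertext alone: the PE header is full of zero bytes, and a zero byte XOR-ed with the key is the key itself, so the most common key-aligned chunk of the carved object is the key. The sample bytes are constructed for the demonstration.

```python
from collections import Counter
from itertools import cycle

# Key stated in the post for the 195936.mp3 object.
KEY = b"m3S4V"


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR every byte of `data` with the repeating `key`; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a Windows executable begins with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def decode_payload(blob: bytes, key: bytes = KEY) -> bytes:
    """De-XOR a carved HTTP body and refuse output that is not an MZ file."""
    out = xor_with_key(blob, key)
    if not looks_like_pe(out):
        raise ValueError("decoded data does not start with MZ: wrong key or offset?")
    return out


def guess_key(blob: bytes, key_len: int = 5) -> bytes:
    """Recover a repeating XOR key of known length from the ciphertext.

    Aligned key_len-byte chunks of the ciphertext that correspond to zero bytes
    in the plaintext equal the key verbatim; PE headers contain many such runs,
    so the most frequent aligned chunk is the key.
    """
    chunks = Counter(blob[i:i + key_len] for i in range(0, len(blob) - key_len + 1, key_len))
    return chunks.most_common(1)[0][0]


# Constructed stand-in for a PE header: MZ magic, a zero-padded DOS header,
# and the familiar DOS stub string. Not bytes from the real sample.
SAMPLE_PLAIN = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 40
    + b"This program cannot be run in DOS mode.\r\n"
)
# What that header would look like on the wire after XOR with the key.
SAMPLE_WIRE = xor_with_key(SAMPLE_PLAIN)

if __name__ == "__main__":
    recovered = guess_key(SAMPLE_WIRE, len(KEY))
    print("recovered key:", recovered)
    print("decoded header:", decode_payload(SAMPLE_WIRE, recovered)[:8])
```

On a real capture, carve the HTTP response body for the .mp3 object to a file and pass its bytes to decode_payload; if the key were unknown, guess_key on the same bytes recovers it.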

FINAL NOTES

Once again, here are links for a ZIP of the traffic and ZIP of the associated malware:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
