2014-02-13 - GOON EK DELIVERS MALWARE, CAUSES ASPROX ALERTS

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

NOTE: A Java exploit was sent from the Goon EK domain; however, no malware payload was noted from this second exploit.

POST-INFECTION CALLBACK TRAFFIC

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  updater.xap
File size:  7.2 KB ( 7327 bytes )
MD5 hash:  8a5c23736c65739bdcfad1c33ed41bdb
Detection ratio:  2 / 50
First submission:  2014-02-10 19:15:38 UTC
VirusTotal link: https://www.virustotal.com/en/file/1794c42f883ce99b2bf413e957069ebd309ef7e2dba41ce254b2ca099f667e15/analysis/

JAVA EXPLOIT

File name:  updater.jar
File size:  18.6 KB ( 19007 bytes )
MD5 hash:  6cd62c69bfe045c3b374eb6e3e303369
Detection ratio:  3 / 48
First submission:  2014-02-15 06:45:38 UTC
VirusTotal link: https://www.virustotal.com/en/file/40a45b168a2db1534168af63d5f18b5a7085262034eb161d4f1475c6475bc468/analysis/

MALWARE PAYLOAD

File name:  EXE-payload-from-paisasantcugat.com.exe
File size:  119.3 KB ( 122169 bytes )
MD5 hash:  b1b2543304637dc676b3a6bcb8ab5050
Detection ratio:  6 / 50
First submission:  2014-02-15 06:46:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/33af483a19b4f42290dc2f6b7a0f97a4fedd714b1172aa8664295765dbad4dbc/analysis/

FOLLOW-UP MALWARE

File name:  c41a960809eebe13b1fad7d2829b5478
File size:  142.5 KB ( 145887 bytes )
MD5 hash:  c41a960809eebe13b1fad7d2829b5478
Detection ratio:  13 / 50
First submission:  2014-02-15 06:38:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/09e49e71e0b697eadf68bda09f575dbe0661f2910c5a1ad71f13c65d71fe7797/analysis/

SNORT EVENTS

SNORT EVENTS FOR THIS GOON EK TRAFFIC (FROM SECURITY ONION)

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - planningperspectives.ca/

Redirect - asdpietroguarino.ilbello.com/post.php?id=745413

Goon EK delivers Silverlight exploit - paisasantcugat.com/viewer/updater.xap

Silverlight exploit delivers EXE payload - paisasantcugat.com/56615037.mp3

NOTE: The payload is XOR-ed with the ASCII string: m3S4V
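Added example (not from the original write-up): Python that recovers a payload obfuscated with a repeating XOR key like the m3S4V noted above, confirms the result is a PE image, and derives the first key bytes from the known "MZ" prefix so an analyst can check the key before decoding a capture. The sample bytes below are constructed here; they are not the captured 56615037.mp3 file.

```python
import hashlib
from typing import Optional

# Repeating XOR key named in the write-up; the captured .mp3 response is the
# EXE payload XOR-ed with this string.
KEY = b"m3S4V"

def xor_repeating(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte with the key, cycling the key. XOR is symmetric, so the
    same call both obfuscates and recovers the payload."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def key_hint_from_mz(blob: bytes) -> bytes:
    """Known-plaintext check: a PE starts with 'MZ', so XOR-ing the first two
    captured bytes with b'MZ' yields the first two key bytes (expect b'm3')."""
    return xor_repeating(blob[:2], b"MZ")

def recover_payload(blob: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Return the decoded PE image, or None if the key does not produce one."""
    decoded = xor_repeating(blob, key)
    return decoded if looks_like_pe(decoded) else None

def md5_hex(data: bytes) -> str:
    """MD5 of the decoded payload, to compare against the hash in the write-up."""
    return hashlib.md5(data).hexdigest()

# Constructed stand-in for the captured file (NOT the real 56615037.mp3):
# a minimal PE-shaped header whose e_lfanew points at offset 0x40.
SAMPLE_PLAIN = (b"MZ" + b"\x90" * (0x3C - 2)
                + (0x40).to_bytes(4, "little")
                + b"PE\x00\x00" + b"constructed sample body")
SAMPLE_ENCODED = xor_repeating(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("key hint:", key_hint_from_mz(SAMPLE_ENCODED))
    recovered = recover_payload(SAMPLE_ENCODED)
    print("recovered PE:", recovered is not None, "md5:", md5_hex(recovered))
```

On a real capture, run key_hint_from_mz on the raw .mp3 response first; if it does not return b'm3', the file was not the XOR-ed payload (or the key differs) and recover_payload will return None rather than a bogus image.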

Goon EK delivers Java exploit (no follow-up malware payload noted) - paisasantcugat.com/viewer/updater.ja

Post-infection, first Asprox-style call for more malware - milk-mass.com/libz29.64/jquery/

Post-infection, second Asprox-style call for more malware - milk-mass.com/w56/soft32.dll

An example of the Asprox-style callback traffic - cioco-froll.com/b/opt/D6F3CC1258C05EEB3AA74985

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.