2014-03-07 - GOON/INFINITY EK DELIVERS ZBOT-STYLE TROJAN

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name: 2014-03-07-Goon-EK-java-exploit.jar
File size: 10.3 KB (10562 bytes)
MD5 hash: 1daaf8bad4ff2d200e2a959eb7ed26c4
Detection ratio: 11 / 50
First submission: 2014-03-05 04:33:35 UTC
VirusTotal link: https://www.virustotal.com/en/file/9881952d5f635a21f90701b8be3febd76e77d1ac587d64535ad21fbd5d933f72/analysis/

MALWARE PAYLOAD

File name: 2014-03-07-Goon-EK-malware-payload.exe
File size: 261.0 KB (267264 bytes)
MD5 hash: ed63d80b2a9aee91d94820da989386c0
Detection ratio: 2 / 50
First submission: 2014-03-07 04:14:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/58bd3117d3f8aa069084f966b723e2830533c6d95f62f76a18e4d459607a03de/analysis/
Malwr link: https://malwr.com/analysis/N2I2ZTg3MTM4OTAwNDBjNzhiN2JmNGY5MGIzYzY5YzE/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Embedded JavaScript on the compromised web page - www.mycakery.nl/

One of the redirects - api.autoinkoop.nl/clik.php?id=4420090

Goon/Infinity EK delivers Java exploit - cezar.freha.pl/201403/867231966.jar

Java exploit delivers EXE payload - cezar.freha.pl/201403/444703.mp3
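Added example, not code from the original post: a small Python check, run over constructed HTTP transactions modelled on the chain above, that flags a response whose leading bytes contradict its URL extension (here an EXE fetched under a .mp3 name) and any host that served a .jar followed by a PE body. The sample bodies are short constructed stand-ins, not bytes from the capture.

```python
import re

# Constructed HTTP transactions modelled on the chain above (compromised page,
# redirector, EK landing page, .jar exploit, payload fetched under an .mp3 name).
# Bodies are short constructed stand-ins, not bytes from the capture.
SAMPLE_FLOWS = [
    ("www.mycakery.nl", "/", b"<html><script>/* constructed */</script></html>"),
    ("api.autoinkoop.nl", "/clik.php?id=4420090", b"<html>redirect</html>"),
    ("cezar.freha.pl", "/201403/867231966.jar", b"PK\x03\x04constructed-jar"),
    ("cezar.freha.pl", "/201403/444703.mp3", b"MZ\x90\x00constructed-pe"),
    ("cdn.example.invalid", "/song.mp3", b"ID3\x03constructed-mp3"),
]

# File-type magic bytes and the types a given URL extension is allowed to carry.
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip/jar", b"ID3": "mp3", b"\xff\xfb": "mp3"}
ALLOWED = {".mp3": {"mp3"}, ".jar": {"zip/jar"}, ".exe": {"pe"}}

def sniff(body: bytes) -> str:
    """Classify a response body by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"

def path_ext(path: str) -> str:
    """Extension of the URL path (query string ignored), lower-cased."""
    m = re.search(r"(\.[a-z0-9]+)(?:\?|$)", path.lower())
    return m.group(1) if m else ""

def find_mismatches(flows):
    """Responses whose bytes contradict the URL extension, e.g. a PE served as .mp3."""
    hits = []
    for host, path, body in flows:
        ext, kind = path_ext(path), sniff(body)
        if ext in ALLOWED and kind != "unknown" and kind not in ALLOWED[ext]:
            hits.append((host, path, ext, kind))
    return hits

def jar_then_pe_hosts(flows):
    """Hosts that served a jar and later a PE body (the EK landing -> payload pattern)."""
    served_jar, flagged = set(), []
    for host, _path, body in flows:
        kind = sniff(body)
        if kind == "zip/jar":
            served_jar.add(host)
        elif kind == "pe" and host in served_jar and host not in flagged:
            flagged.append(host)
    return flagged
```

Feeding real proxy or Zeek file logs into the same two checks is a cheap way to surface this kind of payload delivery without relying on a signature for the specific kit.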

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.