2014-03-10 - GOON/INFINITY EK SENDS BITCOIN MINER

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC


PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD FROM IE EXPLOIT

File name: 2014-03-10-Goon-EK-malware-payload.exe
File size: 32.0 KB (32768 bytes)
MD5 hash: 386abd39407d74dfcce649dd72318686
Detection ratio: 2 / 50
First submission: 2014-03-10 00:50:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/3cbae1ddbb65f12862e169270b1688dee4344040015c2389393481272a490d19/analysis/
Malwr link: https://malwr.com/analysis/NzNhMWYyY2E1NmE1NDczNGFlM2FlMjM5MzNiZDI5YTY/

Associated registry key update and the location this malware copied itself to:


JAVA EXPLOIT SENT AFTER THE IE EXPLOIT ALREADY INFECTED THE HOST

File name: 2014-03-10-Goon-EK-java-exploit.jar
File size: 10.9 KB (11117 bytes)
MD5 hash: 0c240e5e341aedcf2109d5455487d338
Detection ratio: 10 / 50
First submission: 2014-03-10 00:54:34 UTC
VirusTotal link: https://www.virustotal.com/en/file/d2e9c147dd002c012ebfacc810d3a9ef9031abeb627d3c380094870e2db457c1/analysis/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Landing page for Goon/Infinity EK and probable CVE-2013-2551 IE exploit - p110501.typo3server.info/editor/8/jquerywrapper.aspx?directory_id=binb


IE exploit delivers malware payload - p110501.typo3server.info/4570.mp3


As is common in Goon EK traffic, the delivered EXE is XOR-encoded with the repeating ASCII string m3S4V, so the file carved from the HTTP response has to be decoded with that key before it can be analyzed.
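Added example (not code from the original page): a repeating-key XOR decoder for the carved response body that checks the result for a PE header and tries every key phase, since a carved body that lost a few leading bytes shifts where the key lines up. The sample input is constructed here from a fake PE header, not the real payload.

```python
import struct

# XOR key reported on the page for this Goon/Infinity EK payload
XOR_KEY = b"m3S4V"

def xor_decode(data: bytes, key: bytes = XOR_KEY, phase: int = 0) -> bytes:
    """Repeating-key XOR. `phase` is the key index that lines up with the first
    byte of `data`; it matters when the carved body is missing leading bytes."""
    klen = len(key)
    return bytes(b ^ key[(i + phase) % klen] for i, b in enumerate(data))

def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_pe(body: bytes, key: bytes = XOR_KEY):
    """Try every key phase; return (phase, decoded) for the first one that yields
    a PE header, or None if no phase does (wrong key or not an EXE)."""
    for phase in range(len(key)):
        candidate = xor_decode(body, key, phase)
        if looks_like_pe(candidate):
            return phase, candidate
    return None

def build_sample(phase: int = 2) -> bytes:
    """Constructed stand-in for the carved HTTP body: a minimal fake PE header
    (not the real sample) XOR-encoded with the key at the given phase."""
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", fake_pe, 0x3C, 0x80)           # e_lfanew -> 0x80
    fake_pe += b"\x00" * (0x80 - len(fake_pe)) + b"PE\x00\x00" + b"\x00" * 16
    return xor_decode(bytes(fake_pe), XOR_KEY, phase)

if __name__ == "__main__":
    result = recover_pe(build_sample())
    print("no PE found" if result is None else f"decoded with key phase {result[0]}")
```

On a real capture, replace build_sample() with the bytes of the HTTP response body for the .mp3 URL and write the decoded blob to disk for hashing and further analysis.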


Initial post-infection callback, returns approximately 25K of data - pulkahost.com/gate.php?user=fd251a42329c4290869d3b5f6149b335&id=41&type=5&key=e82c9e5b


Bitcoin miner traffic over TCP port 3334


Goon/Infinity EK delivers Java exploit - p110501.typo3server.info/03/09/2014/archive/Gnktd.jar


FINAL NOTES
