2014-03-14 - GOON/INFINITY EK

ASSOCIATED FILES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  rarscanner.jar
File size:  9.5 KB ( 9694 bytes )
MD5 hash:  44e142184d4b25bc59f638631deb0a2d
Detection ratio:  13 / 50
First submission:  2014-03-14 02:00:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2aac4b6c92ccd26c746434da1965b6e209742ab9d03e33b8de4229a81430ce06/analysis/

 

FIRST MALWARE PAYLOAD

File name:  2014-03-14-Goon-EK-malware-payload-01.exe
File size:  120.0 KB ( 122880 bytes )
MD5 hash:  5967ca15281ec63a9b59a4e57bafcf4d
Detection ratio:  2 / 50
First submission:  2014-03-14 02:00:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/32fc95b56d9bbd96d49928fc6cdce5755cd5b5982b67b1ebcb04ffcef12b4744/analysis/
Malwr link:  https://malwr.com/analysis/ZjkxOTUxNDM1MGNmNDAyNjljZDkzNzcwYTI2ODg3Yzk/

 

SECOND MALWARE PAYLOAD

File name:  2014-03-14-Goon-EK-malware-payload-02.exe
File size:  76.0 KB ( 77828 bytes )
MD5 hash:  e3c3f84285ab617390f6cd2ba6b1258e
Detection ratio:  3 / 50
First submission:  2014-03-14 01:43:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5270ba7da6c3d0423ccc340e2f95ff14bdbf3046f257584dc077e918e71a0b85/analysis/
Malwr link:  https://malwr.com/analysis/MTA4MDQ2NjZlNjQ2NDJlY2I2N2FhYjA2NWYyZDYxMjc/

 

FIRST POST-INFECTION MALWARE RETRIEVED

File name:  UpdateFlashPlayer_88e8e1f7.exe
File size:  152.0 KB ( 155648 bytes )
MD5 hash:  53d11b3100dd08f828c176b8d75e0344
Detection ratio:  2 / 49
First submission:  2014-03-14 02:02:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/709fada5310cdca9cd212e99def6c7681b69430d721caeecf5d7d0ef431224c0/analysis/
Malwr link:  https://malwr.com/analysis/Y2IyMTA5MTU3OWZmNDMyODhjMDJjNWQxNmYxMmJmNjc/

 

SECOND POST-INFECTION MALWARE RETRIEVED

File name:  UpdateFlashPlayer_1d796c6b.exe
File size:  284.7 KB ( 291535 bytes )
MD5 hash:  7bd153f0b306f5c28d62840660b6391e
Detection ratio:  24 / 50
First submission:  2014-03-14 02:02:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9d1f2175072cc8198993c14a035b87a0e202fcee4b007f06022cf4e61f979a1e/analysis/
Malwr link:  https://malwr.com/analysis/ZjBkMWI3NTlhNDM5NDIwMmE5ZmVhODY2OTE5MTEwNTg/

 

SNORT EVENTS

SNORT EVENTS FOR INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in page from compromised website - autocorporation.ru/

 

Redirect - bst.estebapenghiossewla.com/zyso.cgi?18

 

Java exploit - albertenglish.com/03/14/2014/03/13/2014/rarscanner.jar

 

First EXE payload - albertenglish.com/03/14/2014/03/13/2014/675798.mp3


NOTE: The payload is XOR-ed with the ASCII string: m3S4V

 

Second EXE payload - albertenglish.com/03/14/2014/03/13/2014/768087.mp3


NOTE: This payload, too, is XOR-ed with the ASCII string: m3S4V
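Both .mp3 downloads above are PE files obfuscated with the same repeating 5-byte ASCII key, so one decoder handles both. The Python script below is an added example, not code from the original post or the exploit kit: it XOR-decodes a captured blob with m3S4V, checks that the result looks like a Windows executable, and, for the case where the key is not yet known, recovers it by crib-dragging the DOS-stub string ("This program cannot be run in DOS mode.") across the encoded bytes. The embedded sample is a constructed DOS-header stand-in, not either real payload; function names and the key-length limit are assumptions made for the example.

```python
"""XOR-decode the Goon/Infinity EK .mp3 payloads and recover the repeating key.

Added example, not code from the original post. XOR_KEY is the key noted in the
traffic analysis; the sample bytes below are constructed, not the real payloads.
"""
from itertools import cycle
from typing import Optional

XOR_KEY = b"m3S4V"  # repeating 5-byte ASCII key observed in this traffic

# Known plaintext every PE carries: the DOS "MZ" magic and the DOS-stub message.
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. It is its own inverse, so the same call encodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decode produced a Windows executable."""
    return data[:2] == PE_MAGIC and DOS_STUB in data[:512]


def crib_drag(encoded: bytes, crib: bytes, max_key_len: int = 16) -> list[tuple[int, bytes]]:
    """Recover a repeating XOR key without knowing it, using known plaintext.

    For each key length (shortest first) and each offset, derive the key that
    would make `crib` appear at that offset, then confirm the whole crib decodes.
    Returns (offset, key) pairs for the shortest key length that works; the key
    is aligned to offset 0 of the blob, so it feeds straight into xor_decode().
    """
    for key_len in range(1, max_key_len + 1):
        if len(crib) < key_len:  # crib too short to pin down every key byte
            break
        hits = []
        for off in range(len(encoded) - len(crib) + 1):
            key = bytearray(key_len)
            for i in range(key_len):
                key[(off + i) % key_len] = encoded[off + i] ^ crib[i]
            if all(encoded[off + i] ^ key[(off + i) % key_len] == crib[i]
                   for i in range(len(crib))):
                hits.append((off, bytes(key)))
        if hits:
            return hits
    return []


def build_sample_plaintext() -> bytes:
    """Constructed stand-in for a payload: a DOS header layout, not a real EXE."""
    return (
        PE_MAGIC
        + b"\x00" * 0x3A                  # rest of IMAGE_DOS_HEADER up to e_lfanew
        + (0x80).to_bytes(4, "little")    # e_lfanew -> PE signature at 0x80
        + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # stub code
        + DOS_STUB + b"\r\r\n$"           # stub message, lands at offset 0x4E
        + b"\x00" * 7
        + b"PE\x00\x00"
    )


# What the download would look like on the wire: the plaintext XOR-ed with the key.
ENCODED_SAMPLE = xor_decode(build_sample_plaintext(), XOR_KEY)


def decode_payload(blob: bytes, key: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Decode a captured blob; if no key is given, recover it via the DOS stub."""
    if key is None:
        hits = crib_drag(blob, DOS_STUB)
        if not hits:
            raise ValueError("DOS stub not found under any repeating key")
        key = hits[0][1]
    return key, xor_decode(blob, key)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else ENCODED_SAMPLE
    key, decoded = decode_payload(blob)
    print(f"key={key!r} pe={looks_like_pe(decoded)} first16={decoded[:16].hex()}")
```

Run it with the path of an extracted 675798.mp3 or 768087.mp3 as the only argument to decode the real download; with no argument it decodes the constructed sample. The crib drag returns the shortest key length that works, so a genuine 5-byte key is reported as m3S4V rather than as its 10- or 15-byte repetition, and the recovered key is already aligned to offset 0 of the file.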

 

First post-infection callback for another EXE - potato-bing.com/liby4/jquery/

 

Second post-infection callback for another EXE - potato-bing.com/liby4/ajax/

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
