2014-03-15 - STYX EK DROPS SIMDA, BITCOIN MINER, AND MORE

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INITIAL INFECTION BY STYX EK

POST-INFECTION SIMDA.C CHECKIN

POST-INFECTION CALLBACK FOR ADDITIONAL MALWARE

INSTALLER FOR UNWANTED PROGRAM

The unwanted program says it's a VLC player:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-03-15-Styx-EK-java-exploit.jpg
File size:  31.9 KB ( 32626 bytes )
MD5 hash:  1edc4279c44c874bcb3e749db7e0e885
Detection ratio:  15 / 49
First submission:  2014-02-05 12:50:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/cd467699247c15883a1e8f5ea38b27ee3f8eb03f422107b808ed89d31bd998c4/analysis/


This Java exploit has been out for about a month and a half now...

MALWARE PAYLOAD - SIMDA BACKDOOR

File name:  2014-03-15-Styx-EK-malware-payload.exe
File size:  892.5 KB ( 913920 bytes )
MD5 hash:  f388668fa7461565707ca2a36677fd3c
Detection ratio:  38 / 49
First submission:  2014-03-10 22:39:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/6f23f03fcaebd7eb12618d160826841c03a7efed154bce1d8645ffe43ba1c5b3/analysis/
Malwr link: https://malwr.com/analysis/NDhlNGUzMTA2MGU2NDc2N2E1MzBjODMzZDE3MzYxNDg/

FOLLOW-UP MALWARE (1 OF 4) - ADCLICKER / QHOST

File name:  flashcl.exe
File size:  513.5 KB ( 525840 bytes )
MD5 hash:  30ad1e0db5af8e6f81da10e738d4b7b0
Detection ratio:  20 / 49
First submission:  2014-03-09 12:05:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/996b88ebf3f91a665d75474db3a16169d9ebc4e8bbc096bdb452d7b3e51309e0/analysis/
Malwr link: https://malwr.com/analysis/N2NjMGQ1NmZjZWJjNDNhYzhmNmQwZmJjMzYxM2NiMTk/

FOLLOW-UP MALWARE (2 OF 4) - SIMDA

File name:  flashsec64.exe
File size:  256.0 KB ( 262144 bytes )
MD5 hash:  982e0df10b9f06e3baabf77fbd4524be
Detection ratio:  27 / 49
First submission:  2014-03-05 12:59:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/49eaba8ade344ea08d5b989729781a8406c8687d69f09505c2646257ba286939/analysis/
Malwr link: https://malwr.com/analysis/OWU4YTE1NzNjMWQzNDkyZjkzNGNiNzIxMDFlZTc3NGE/

FOLLOW-UP MALWARE (3 OF 4) - BITCOIN MINER

File name:  flashupdate64.exe
File size:  6.7 MB ( 7058432 bytes )
MD5 hash:  66f0ba29674e859221d6c142a7b99ed7
Detection ratio:  14 / 49
First submission:  2014-01-26 05:27:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/41cff4db42730a6d9b2a8c69ebc94df571c35b5983824747512f23352c9d0aae/analysis/
Malwr link: https://malwr.com/analysis/MzVjODMxYTdmMjk3NDkwMGI0ZGUzZDY0OGJkNmQyY2Q/

FOLLOW-UP MALWARE (4 OF 4) - UNWANTED PROGRAM - OUTBROWSE

File name:  Product2324_Distribution2399_Partner6407.exe
File size:  616.0 KB ( 630761 bytes )
MD5 hash:  7ba7c951830f5b0f21c98c2a5b6d13bd
Detection ratio:  23 / 49
First submission:  2014-02-24 14:48:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/ead2ac697f81a7ced7e13b3512f609db4cd3ec37952c1da568c80ef70ebedbfc/analysis/
Malwr link: https://malwr.com/analysis/ZjBkNzZiYWQxYzgyNDRlNWFmMTc0YzhhYTk1MDQyZmY/

SNORT EVENTS

SNORT EVENTS FOR INFECTION TRAFFIC (from Sguil on Security Onion)

ADDITIONAL NOTES

Also saw TCP traffic to 54.200.248.75 port 1337 from the infected host:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
