2014-03-17 - ZUPONCIC EK

ASSOCIATED FILES:

NOTES:

This is the first time I've run across Zuponcic.  Here are some good blog posts about this exploit kit and the associated malware:

As the fox-it blog post states, the malware payload is RC4-encrypted (RC4 is a stream cipher, not a hash, so the payload cannot be recovered without the key), and I was unable to decrypt it.  The fox-it blog post also states that if Java is disabled in the browser, the EK sends an archive for you to download.  When I tried this, the EK sent me a 1.2 MB JAR file, which I've included in the ZIP file of today's malware.


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC


PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  SnaorNJ.jar
File size:  5.5 KB ( 5626 bytes )
MD5 hash:  f9185a43f34132752fd16e4470c0a6b4
Detection ratio:  12 / 50
First submission:  2014-03-17 05:04:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/67fd420d33936733816bcb38926da3edef8996f2011807b206c3e23d55f168c5/analysis/


ONE OF THE PIECES OF MALWARE DROPPED AFTER THE EXPLOIT

File name:  odbcconfr.exe
File size:  242.5 KB ( 248320 bytes )
MD5 hash:  c3cd820083d508131eec3697d941a5fa
Detection ratio:  36 / 50
First submission:  2014-03-17 03:38:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/35b1f5f0969d9d2ad7e96c2e80752fea19b4319129362d983d061f346dcee01b/analysis/
Malwr link:  https://malwr.com/analysis/YTlmNWRkYzY3NWUxNDE4NmE4MTU1M2NmZjBmMTk1Y2I/

Associated registry key for this malware:


ARCHIVE SENT FROM ZUPONCIC EK DOMAIN WHEN JAVA WAS DISABLED ON THE BROWSER

File name:  microsoft_silvergrey_www.jar
File size:  1.2 MB ( 1274879 bytes )
MD5 hash:  1c8d8765fa6908c2da297110c2d0bdb3
Detection ratio:  6 / 50
First submission:  2014-03-17 05:31:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cf16a8a61ca1b1eb7bc87c5aac00e3ea8f0a2d32828c818a7e6a2a0f72b60409/analysis/
Malwr link:  https://malwr.com/analysis/NjFkODNkMzM1NmUyNGY4Zjg4OGViN2IzYmJhNmZlMjQ/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Redirect when reaching the server from a Bing search (probably a .htaccess-style redirect keyed on the search-engine Referer header; a direct visit to the site was not redirected) - www.silvergrey.es


Second redirect - ambalanchery.drdekloet.com/delivery/lg.php?bannerid=23350&campaignid=4402&zoneid=272&channel_ids=,&loc=http%3A%2F%2Fwww.silvergrey.es%2F&referer=http%3A%2F%2Fwww.silvergrey.es%2F&cb=bcaeb92e71


Zuponcic EK landing page - ga.instylecuts.net/


Zuponcic EK delivers Java exploit - ga.instylecuts.net/SnaorNJ.jar


Malware payload retrieved (RC4-encrypted, key unknown) - ga.instylecuts.net/
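The notes above and this traffic highlight both say the payload is RC4-encrypted and that I could not decrypt it.  The usual way to work on a payload like this is to collect candidate keys (strings visible in the landing page, the JAR name, the host, URL parameters) and run each one through RC4, recognising a hit by the PE headers of the decrypted blob rather than by eyeballing bytes.  The following is an added example, not code from the original post or from the fox-it write-up; the ciphertext and the key list are constructed here so the script runs offline, and the candidate strings are guesses, not the key Zuponcic actually used.

```python
"""Try candidate RC4 keys against an encrypted EK payload and detect a
decrypted Windows executable by its headers.  Added example; the sample
payload and keys below are constructed, not captured from Zuponcic."""
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR).  Encrypt and decrypt are
    the same operation, so one function covers both directions."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """A decrypted dropper should start with the MZ DOS header and carry a
    'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_keys(ciphertext: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose RC4 output looks like a PE file,
    or None when none of the guesses work (the situation in the notes)."""
    for key in candidates:
        if looks_like_pe(rc4(key, ciphertext)):
            return key
    return None


# --- constructed sample data (not a real Zuponcic payload) -------------
# Minimal fake PE: MZ stub, e_lfanew = 0x80, PE signature at 0x80.
FAKE_PE = bytearray(b"MZ" + b"\x00" * 0x3A)
FAKE_PE += (0x80).to_bytes(4, "little")
FAKE_PE += b"\x00" * (0x80 - len(FAKE_PE))
FAKE_PE += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 64
FAKE_PE = bytes(FAKE_PE)

TRUE_KEY = b"constructed-demo-key"          # assumption: a made-up key
SAMPLE_CIPHERTEXT = rc4(TRUE_KEY, FAKE_PE)  # what the analyst would capture

# Candidate keys an analyst might pull from the traffic; all but the last are
# wrong on purpose to show the check rejecting them.
CANDIDATES = [
    b"SnaorNJ",                  # JAR file name from the landing page
    b"ga.instylecuts.net",       # EK host name
    b"bcaeb92e71",               # cache-buster value from the ad redirect
    TRUE_KEY,
]

if __name__ == "__main__":
    hit = try_keys(SAMPLE_CIPHERTEXT, CANDIDATES)
    print("key found:" if hit else "no key found", hit)
```

On a real capture, replace SAMPLE_CIPHERTEXT with the bytes of the payload response and feed every string scraped from the landing page and JAR into CANDIDATES; if nothing matches, the key is most likely derived inside the Java exploit code (for example from a URL parameter or a per-request token), and the JAR itself has to be decompiled to recover the derivation.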


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
