2014-03-19 - GOON/INFINITY EK SENDS FLASH FOR IE 10 EXPLOIT CVE-2014-0322

ASSOCIATED FILES:

NOTES:

UPDATE 1:

UPDATE 2:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INITIAL INFECTION

POST-INFECTION TRAFFIC

Also saw spam sent over SMTP before I disconnected the VM (not included in the PCAP).

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-03-19-Goon-EK-flash-exploit.swf
File size:  6.7 KB ( 6894 bytes )
MD5 hash:  1747f6549b3afbf35a40af2f148a3ca1
Detection ratio:  1 / 51
First submission:  2014-03-19 21:06:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/12960cb98657b59fc3f00d30abe4c66519cce72a98f2934c144adad3c0c48def/analysis/

 

MALWARE PAYLOAD

File name:  2014-03-19-Goon-EK-malware-payload.exe
File size:  38.0 KB ( 38928 bytes )
MD5 hash:  ca1572087612e64cf0e963c708695ce8
Detection ratio:  7 / 51
First submission:  2014-03-19 23:31:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4663527278372e68faa7e58f2a87f64638059623b3c1c4529ad6c7ca79447bc2/analysis/
Malwr link:  https://malwr.com/analysis/OTNkZGVlZGFlODE0NDdiZWFiNTI1ZmMyMmI5ZTMzZjg/

 

FIRST POST-INFECTION MALWARE RETRIEVED

File name:  2014-03-19-Goon-EK-post-infection-malware-01.exe
File size:  824.5 KB ( 844304 bytes )
MD5 hash:  961b4a65d0047721f314ba7aa2d8ad6c
Detection ratio:  12 / 51
First submission:  2014-03-19 23:34:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/30b3f28c641bf0b55d9eced25bedd95c7ff6d261021bbe72887c3a5fab95c426/analysis/
Malwr link:  https://malwr.com/analysis/MDIwMWNkYzUxNzk1NDE1NThiZTJiYmFkNWI0NDA5ZmM/

 

SECOND POST-INFECTION MALWARE RETRIEVED

File name:  2014-03-19-Goon-EK-post-infection-malware-02.exe
File size:  958.0 KB ( 980992 bytes )
MD5 hash:  4cfa4ef5c4b23cbc6a2719d2f9887124
Detection ratio:  11 / 51
First submission:  2014-03-19 20:02:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4f6c38cbbf2f827a26600f760bf52d49d84ee688d304d0c2ceea4187dcf40c4d/analysis/
Malwr link:  https://malwr.com/analysis/ODAyZGE0NTY5NGUzNGE3M2E5YmUyOGQ1MjAxMDlhZDg/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

NOTE: Except for the first event noting an outdated version of Flash, no Snort events were noted during the initial infection.

 

HIGHLIGHTS FROM THE TRAFFIC

Redirect associated with Goon/Infinity EK - dh5ltx.cotabuvileh.net/zyso.cgi?16

 

Goon/Infinity EK landing page - a-inversiones.com/editor/txt/wrapper.aspx?stat_pid=0

Later in the HTML, the underlined portions below show the possibility of Java or Silverlight exploits:

 

Goon/Infinity EK sends Java exploit - a-inversiones.com/swf.swf

 

Malware payload is downloaded from Goon/Infinity EK domain - a-inversiones.com/5758.mp3?rnd=37755

 

Second malware payload is downloaded from Goon/Infinity EK domain - a-inversiones.com/5758.mp3?rnd=68260


I can't decode this, and I couldn't find the decoded file anywhere on the VM.
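The URL patterns listed in the traffic highlights (the zyso.cgi redirect, the wrapper.aspx?stat_pid= landing page, swf.swf, and the .mp3?rnd= payload fetch) make a compact detection check. The script below is an added example, not part of this page or the author's tooling: it classifies proxy-log URLs into those stages, reports which clients show the full chain in order, and matches a file's MD5 against the hashes listed above. The log lines are constructed for the example ("client URL" per line) and are not from the PCAP.

```python
"""Stage-matching for the Goon/Infinity EK chain described on this page.

Added example (not the page's own code). Log format and sample lines are
constructed; URL patterns and MD5 values come from the page itself.
"""
import hashlib
import re
from collections import defaultdict

# URL path patterns taken from the traffic highlights on this page
STAGE_PATTERNS = [
    ("redirect", re.compile(r"/zyso\.cgi\?\d+$")),
    ("landing", re.compile(r"/wrapper\.aspx\?stat_pid=\d+$")),
    ("flash", re.compile(r"/swf\.swf$")),
    ("payload", re.compile(r"/\d+\.mp3\?rnd=\d+$")),
]
STAGE_ORDER = ["redirect", "landing", "flash", "payload"]

# MD5 hashes listed on this page, keyed to the page's file names
KNOWN_MD5 = {
    "1747f6549b3afbf35a40af2f148a3ca1": "2014-03-19-Goon-EK-flash-exploit.swf",
    "ca1572087612e64cf0e963c708695ce8": "2014-03-19-Goon-EK-malware-payload.exe",
    "961b4a65d0047721f314ba7aa2d8ad6c": "2014-03-19-Goon-EK-post-infection-malware-01.exe",
    "4cfa4ef5c4b23cbc6a2719d2f9887124": "2014-03-19-Goon-EK-post-infection-malware-02.exe",
}

# Constructed proxy log: "<client> <url>" per line; not from the real PCAP
SAMPLE_LOG = """\
10.0.0.5 http://dh5ltx.cotabuvileh.net/zyso.cgi?16
10.0.0.5 http://a-inversiones.com/editor/txt/wrapper.aspx?stat_pid=0
10.0.0.5 http://a-inversiones.com/swf.swf
10.0.0.5 http://a-inversiones.com/5758.mp3?rnd=37755
10.0.0.5 http://a-inversiones.com/5758.mp3?rnd=68260
10.0.0.7 http://www.example.com/music/track.mp3
"""


def classify_url(url):
    """Return the EK stage whose pattern matches the URL path, or None."""
    without_scheme = url.split("://", 1)[-1]
    slash = without_scheme.find("/")
    path = without_scheme[slash:] if slash >= 0 else "/"
    for stage, pattern in STAGE_PATTERNS:
        if pattern.search(path):
            return stage
    return None


def stage_hits(log_text):
    """Map each client to its ordered list of (stage, url) matches."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than fail the whole run
        client, url = parts
        stage = classify_url(url)
        if stage:
            hits[client].append((stage, url))
    return dict(hits)


def has_full_chain(hit_list):
    """True when redirect, landing, flash and payload appear in that order."""
    idx = 0
    for stage, _ in hit_list:
        if stage == STAGE_ORDER[idx]:
            idx += 1
            if idx == len(STAGE_ORDER):
                return True
    return False


def report(log_text):
    """Per-client verdict: did the log show the complete infection chain?"""
    return {client: has_full_chain(h) for client, h in stage_hits(log_text).items()}


def match_known_sample(data):
    """Return the page's file name if data's MD5 is one of the listed hashes."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for client, full in report(SAMPLE_LOG).items():
        print(client, "full chain" if full else "partial")
```

A single stage hit (for example one .mp3?rnd= fetch) is weak on its own, so the verdict requires the four stages in sequence per client; partial hits are still worth a closer look in the PCAP.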

 

More malware retrieved after the initial infection

 

Post-infection callback with different user agent strings.

 

One of the spam emails sent by the infected VM.  The URL in the message didn't work when I tried viewing it.

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
