[ OVERVIEW ]     [ PART 2 OF 3 ]

2014-03-23 - BLACKHOLE EK

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-03-23-blackhole-EK-java-exploit.jar
File size:  16.3 KB ( 16674 bytes )
MD5 hash:  775ef64ba13b6c1ca903d7026b87b24e
Detection ratio:  21 / 51
First submission:  2012-12-31 18:49:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ff9d4a0c7d1e621d29a55b6f6a143da7c2886c1b684c7d1b4415ed17b2de59d9/analysis/


MALWARE PAYLOAD

File name:  2014-03-23-blackhole-EK-malware-payload.exe
File size:  79.2 KB ( 81122 bytes )
MD5 hash:  e907478f899db6a09dd2a55f1278e570
Detection ratio:  12 / 51
First submission:  2014-03-23 17:18:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e5533218aad26e9f982a96736b63a6e49b0290e08248fe9784ff799c9b43cfa8/analysis/
Malwr link:  https://malwr.com/analysis/YTM2NzEwZjQ4MDQ1NDI5NjhkODJmZWUzZDVkNWQ4YjA/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in web page from compromised server - iskariot.ru/


Redirect - 123ads.wha.la/zxzzzzzdddff/?id=mx


Blackhole EK landing page - bh4545.wha.la/still/routine/preferred-onto_pain_considers.php


Blackhole EK delivers Java exploit - bh4545.wha.la/still/routine/preferred-onto_pain_considers.php?phfr=bpxrrfz&xhsmntb=okbwha


Java exploit delivers EXE payload - bh4545.wha.la/still/routine/preferred-onto_pain_considers.php?xf=1m:1m:30:33:31&ne=1f:30:1h:31:1i:31:2w:33:1f:1o&q=1f&ef=p&pg=y
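The chain above (compromised site, redirect, landing page, Java exploit, EXE payload) is what an analyst wants to recover from proxy logs when triaging a suspected Blackhole infection. The following is an added example, not code from this site: it classifies each request against the domains, paths and query patterns listed on this page, groups them per client, and gives a verdict that distinguishes a host that merely touched the landing page from one that was actually served the payload. The proxy-log format and the client addresses in the sample lines are constructed for illustration; the indicators themselves are taken from the page.

```python
"""Reconstruct the Blackhole EK infection chain from proxy-log lines.

Added example (not from malware-traffic-analysis.net). The log format and
client addresses are constructed; domains, paths and hashes are the
indicators listed on this page.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the page.
COMPROMISED_SITE = "iskariot.ru"
REDIRECT_HOST = "123ads.wha.la"
REDIRECT_PATH = "/zxzzzzzdddff/"
EK_HOST = "bh4545.wha.la"
EK_PATH = "/still/routine/preferred-onto_pain_considers.php"

# MD5 hashes from the page, mapped to what the page says they are.
KNOWN_MD5 = {
    "775ef64ba13b6c1ca903d7026b87b24e": "Blackhole EK Java exploit (.jar)",
    "e907478f899db6a09dd2a55f1278e570": "Blackhole EK malware payload (.exe)",
}

# Constructed log format (assumption): "<date> <time> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Map a URL to a stage of the chain shown on this page, or None if unrelated."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == COMPROMISED_SITE:
        return "compromised-site"
    if host == REDIRECT_HOST and parts.path.startswith(REDIRECT_PATH):
        return "redirect"
    if host == EK_HOST and parts.path == EK_PATH:
        qs = parse_qs(parts.query)
        if not qs:
            return "landing-page"          # bare landing page, no query string
        if "xf" in qs and "ne" in qs:
            return "exe-payload"           # payload request carries xf= and ne=
        return "java-exploit"              # exploit request: other query params
    return None


def parse_line(line):
    """Parse one constructed-format log line; return a dict or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["stage"] = classify_url(rec["url"])
    return rec


def reconstruct_chains(lines):
    """Group chain-related requests by client: {client: [(ts, stage, status), ...]}."""
    chains = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["stage"] is None:
            continue
        chains.setdefault(rec["client"], []).append(
            (rec["ts"], rec["stage"], rec["status"])
        )
    return chains


def assess(chain):
    """Verdict based on the furthest stage that was actually served (HTTP 200)."""
    served = {stage for _, stage, status in chain if status == "200"}
    if "exe-payload" in served:
        return "payload-delivered"   # host very likely infected; isolate and image
    if "java-exploit" in served:
        return "exploit-served"      # exploit reached the client; payload not seen
    if "landing-page" in served:
        return "landing-only"        # landing page hit; exploit never served
    if served:
        return "redirect-only"
    return "clean"


def check_hash(md5hex):
    """Look up a file MD5 against the hashes listed on this page."""
    return KNOWN_MD5.get(md5hex.lower())


# Constructed sample log: 10.0.0.5 completes the chain, 10.0.0.9 has the
# exploit request blocked (403), 10.0.0.7 is unrelated traffic.
SAMPLE_LOG = [
    "2014-03-23 17:15:01 10.0.0.5 GET http://iskariot.ru/ 200",
    "2014-03-23 17:15:02 10.0.0.5 GET http://123ads.wha.la/zxzzzzzdddff/?id=mx 200",
    "2014-03-23 17:15:03 10.0.0.5 GET http://bh4545.wha.la" + EK_PATH + " 200",
    "2014-03-23 17:15:05 10.0.0.5 GET http://bh4545.wha.la" + EK_PATH
    + "?phfr=bpxrrfz&xhsmntb=okbwha 200",
    "2014-03-23 17:15:09 10.0.0.5 GET http://bh4545.wha.la" + EK_PATH
    + "?xf=1m:1m:30:33:31&ne=1f:30:1h:31:1i:31:2w:33:1f:1o&q=1f&ef=p&pg=y 200",
    "2014-03-23 17:20:11 10.0.0.9 GET http://iskariot.ru/ 200",
    "2014-03-23 17:20:12 10.0.0.9 GET http://123ads.wha.la/zxzzzzzdddff/?id=mx 200",
    "2014-03-23 17:20:13 10.0.0.9 GET http://bh4545.wha.la" + EK_PATH + " 200",
    "2014-03-23 17:20:15 10.0.0.9 GET http://bh4545.wha.la" + EK_PATH
    + "?phfr=bpxrrfz&xhsmntb=okbwha 403",
    "2014-03-23 17:21:00 10.0.0.7 GET http://example.invalid/index.html 200",
]

if __name__ == "__main__":
    for client, chain in reconstruct_chains(SAMPLE_LOG).items():
        print(client, assess(chain), [s for _, s, _ in chain])
```

The verdict keys off HTTP 200 on purpose: a proxy or IPS that blocks the exploit or payload request still leaves landing-page hits in the log, and those hosts need a different response (browser and Java patch check) than a host that received the EXE, which should be isolated and the downloaded file hashed against the MD5s above.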


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
