
2014-03-23 - GOON/INFINITY EK USING FLASH FOR IE 10 EXPLOIT CVE-2014-0322

ASSOCIATED FILES:

NOTES:

UPDATE:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

NOTE: The browser froze, and it restarted.  When it refreshed, the same redirect URL generated traffic to a different Goon/Infinity EK domain.

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC

DIFFERENT GOON/INFINITY EK TRAFFIC AFTER THE BROWSER CRASHED AND RESTARTED


PRELIMINARY MALWARE ANALYSIS

FIRST FLASH EXPLOIT

File name:  2014-03-23-Goon-EK-flash-exploit-01.swf
File size:  5.6 KB ( 5735 bytes )
MD5 hash:  e8693573caecf1cab91aa578e1d62ab0
Detection ratio:  0 / 51
First submission:  2014-03-22 22:13:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/eb78a061d7a0227c54320cfe5723ca7af80df1ebbcaaf4985c0574c92ee9ab1b/analysis/


SECOND FLASH EXPLOIT

File name:  2014-03-23-Goon-EK-flash-exploit-02.swf
File size:  5.8 KB ( 5964 bytes )
MD5 hash:  28d53f17757876c5aa42f7bdd7ee798a
Detection ratio:  0 / 51
First submission:  2014-03-21 15:12:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c0f345269d356a41c98d3287e0777cb813cefbf21129baf9cb9b25cc48148c1a/analysis/


MALWARE PAYLOAD

File name:  2014-03-23-Goon-EK-malware-payload.exe
File size:  154.4 KB ( 158056 bytes )
MD5 hash:  bbc5f86cb2a3c6931373977bb4edd113
Detection ratio:  2 / 49
First submission:  2014-03-23 23:06:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/502662941b42d0cc41ccb156c6fcbf275a8aa28d069bb70f0c80d402999fd18b/analysis/
Malwr link:  https://malwr.com/analysis/NDU5ODdlMjc4YzM1NDhiNmFlNTUzNTU2YTYwNDBkYmE/


SILVERLIGHT EXPLOIT ALSO SEEN IN THE TRAFFIC

File name:  2014-03-23-Goon-EK-silverlight-exploit.xap
File size:  5.1 KB ( 5265 bytes )
MD5 hash:  eb74945c840dfd74a171639f379777aa
Detection ratio:  7 / 51
First submission:  2014-03-19 15:32:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bed60e3715e542881d5e80784bdcbb4945a6a8375a63cbde6436a2782593a87c/analysis/


NOTE: This exploit was also seen in Fiesta EK traffic on 2014-03-22


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Goon/Infinity EK-associated redirect - nhpz.lalaghoaujrnu.info/zyso.cgi?18


Goon/Infinity EK delivers first Flash exploit - merayaar.com/swf.swf


Goon/Infinity EK delivers second Flash exploit - merayaar.com/272.swf


Flash exploit delivers EXE payload - merayaar.com/2032.mp3?rnd=25192


Silverlight exploit also seen in the Goon/Infinity EK traffic - merayaar.com/2649.xap


Malware callback traffic seen - receiveoffset.cc/common/man.php


NOTE: Saw this same callback traffic from malware delivered by Angler EK in my previous blog entry.
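The chain above (exploit .swf/.xap files, then an EXE served under a .mp3 URL, then the man.php callback) can be picked out of proxy logs by checking the file magic against the URL, not just the URL itself. The script below is an added example, not code from the original post; it assumes a constructed five-column log (client, host, path, declared Content-Type, first four bytes as hex) built from the URLs in this write-up, plus one benign line.

```python
from collections import defaultdict

# Constructed sample log: client host path content_type first_4_bytes_hex
# Hosts and paths are the ones seen in this traffic; the last line is benign.
SAMPLE_LOG = """\
10.0.0.5 nhpz.lalaghoaujrnu.info /zyso.cgi?18 text/html 3c68746d
10.0.0.5 merayaar.com /swf.swf application/x-shockwave-flash 43575306
10.0.0.5 merayaar.com /272.swf application/x-shockwave-flash 43575306
10.0.0.5 merayaar.com /2032.mp3?rnd=25192 audio/mpeg 4d5a9000
10.0.0.5 merayaar.com /2649.xap application/x-silverlight-app 504b0304
10.0.0.5 receiveoffset.cc /common/man.php text/html 3c68746d
10.0.0.9 cdn.example.org /song.mp3 audio/mpeg 49443303
"""

EXPLOIT_EXT = (".swf", ".xap")   # Flash and Silverlight containers
MZ_MAGIC = "4d5a"                # "MZ": start of a Windows PE executable
CALLBACK_PATH = "/common/man.php"

def parse(log_text):
    """Yield (client, host, path, ctype, magic) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield tuple(parts)

def find_ek_chains(log_text):
    """Return {client: [findings]} for clients whose traffic matches the chain."""
    by_client = defaultdict(list)
    for client, host, path, ctype, magic in parse(log_text):
        # Drop the query string (e.g. ?rnd=25192) so the extension check works
        by_client[client].append((host, path.split("?")[0].lower(), ctype, magic))
    findings = {}
    for client, events in by_client.items():
        notes = []
        exploit_hosts = {h for h, p, _, _ in events if p.endswith(EXPLOIT_EXT)}
        for host, path, ctype, magic in events:
            # A PE header behind a non-.exe URL is the masquerading payload
            if magic.lower().startswith(MZ_MAGIC) and not path.endswith(".exe"):
                notes.append(f"PE served as {path} ({ctype}) from {host}")
                if host in exploit_hosts:
                    notes.append(f"payload host {host} also served exploit file(s)")
        if any(p == CALLBACK_PATH for _, p, _, _ in events):
            notes.append(f"callback URI {CALLBACK_PATH} seen")
        if notes:
            findings[client] = notes
    return findings
```

The benign client is not reported because its .mp3 really starts with an ID3 tag, which is the point of keying on content rather than on the URL alone.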


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
