2014-04-02 - GOON/INFINITY EK PAYLOAD GENERATES TRAFFIC TO ONEDRIVE.LIVE.COM

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

COMPROMISED WEBSITE:

JAVA ON COMPROMISED WEBSITE WITH LINKS TO REDIRECT DOMAIN

QUERIES TO THE REDIRECT DOMAIN:

GOON/INFINITY EK TRAFFIC:

QUERIES FOR MORE MALWARE FROM ONEDRIVE.LIVE.COM:

ONEDRIVE-RELATED HTTPS TRAFFIC (Wireshark filter: ssl.handshake.extensions_server_name):

POST-INFECTION CALLBACK TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-04-02-Goon-EK-java-exploit.jar
File size:  9.7 KB ( 9974 bytes )
MD5 hash:  7c88c701526620e7ae8f8d5f224431e9
Detection ratio:  4 / 51
First submission:  2014-04-01 19:06:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f88f2be18785cff09f7582ae4feec4496f0ef33f9ee22636f8604982d17ceedc/analysis/

MALWARE PAYLOAD

File name:  2014-04-02-Goon-EK-malware-payload.exe
File size:  63.8 KB ( 65341 bytes )
MD5 hash:  f3f60b9161f2ff3367ab987a45ccad44
Detection ratio:  2 / 51
First submission:  2014-04-02 04:28:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/937917d54e6f82b1a51419f27ed04cf88615b2e07fbb72b0ffed2921f981b307/analysis/
Malwr link:  https://malwr.com/analysis/YzgwN2I0YWM1ODc1NGVjOThmNzVkMmY5ZjRkNTg1MTQ/

OTHER MALWARE OR MALWARE-RELATED EXE FILES FOUND ON THE INFECTED HOST:

File name:  5502.tmp.exe   ( MD5: 41e4c076351ca25b830b663a5f406521 )
VirusTotal link:  https://www.virustotal.com/en/file/2e21a4f54931e1e96a68f2b21175551c938e31268d335f168f8023a1a0e8b95e/analysis/
Malwr link:  https://malwr.com/analysis/ZmFlZTA5MTc1NGU3NGZlMzlkNDU4MDU4M2E1NjEzNGI/

File name:  ankaretuz.exe   ( MD5: a83c829c82e4466b606a14287e1ce0dd )
VirusTotal link:  https://www.virustotal.com/en/file/7e33bbb4270ef3562ab7374e30993ed66c01547f18fd0d7425f1cc5a2bfac290/analysis/
Malwr link:  https://malwr.com/analysis/NDA0NGU0OWIyYjgwNDI0Mjk4YzExNzk5Y2YxYmFhNTY/

File name:  barutenks.exe   ( MD5: bc3ef48f188df7249a80b70f722a712d )
VirusTotal link:  https://www.virustotal.com/en/file/b92819a34c41d732ab91a39dbae0da6b475ebb23e96c23b56adb99388afd5f66/analysis/
Malwr link:  https://malwr.com/analysis/NWJiOWMwNzNmY2M2NGQ2YTk5ZmEzYmE4YTY5NGU5ZmY/

File name:  GoogleUpdate.exe   ( MD5: a68224457dd43d18e40e02262d4a9398 )
VirusTotal link:  https://www.virustotal.com/en/file/5bc5845586e11b41457dd0fa02e4d347c6bdc11325e60db3896ea6fa86287a76/analysis/
Malwr link:  https://malwr.com/analysis/NmNmMmQzNDQyZDYwNDZmYTljNGY4MDAxOGQ2YTAwOTc/

File name:  hinnerneks.exe   ( MD5: 2ae0934370ac1e8ff118726892a3c6e3 )
VirusTotal link:  https://www.virustotal.com/en/file/f1049ee74c471a37a62f6fab98388e26f2c118876c7d1f4d381a4754f181b974/analysis/
Malwr link:  https://malwr.com/analysis/YjMyOWRiODQxNWVhNDczY2FjYzVkMTI4YWM2YjUyMmM/

File name:  update.exe   ( MD5: 0ab04d1584c174fe5be7f41135a307f6 )
VirusTotal link:  https://www.virustotal.com/en/file/185a833d3e8740435df7a7b09c573551fbbbac142da0f17bd1ea24de5b4ad426/analysis/
Malwr link:  https://malwr.com/analysis/ZDQyZWIzOWFiNGY1NDgxN2E4ZDU4NmUxOWFjZDFhOTI/

SNORT EVENTS

SNORT EVENTS FROM THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Malicious Javascript from infected web server:

Redirect:

Goon/Infinity EK delivers IE exploit CVE-2013-2551:

IE exploit CVE-2013-2551 delivers EXE payload:

HTTPS traffic to Microsoft OneDrive-related IP addresses:

Other malware found in the user's AppData\Local\Temp and AppData\Roaming directories:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.