2014-05-23 - BLACKHOLE EK FROM 109.120.173.4 - BLACK1.WHA.LA

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

BLACKHOLE EK:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-05-23-Blackhole-EK-java-exploit.jar
File size:  16.3 KB (16,674 bytes)
MD5 hash:  775ef64ba13b6c1ca903d7026b87b24e
Detection ratio:  23 / 53
First submission:  2012-12-31 18:49:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ff9d4a0c7d1e621d29a55b6f6a143da7c2886c1b684c7d1b4415ed17b2de59d9/analysis/

MALWARE PAYLOAD

File name:  2014-05-23-Blackhole-EK-malware-payload.exe
File size:  138.5 KB (141,840 bytes)
MD5 hash:  7aafe574af78e1081869bc36ea655f63
Detection ratio:  29 / 53
First submission:  2014-05-23 08:27:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/34e34527d90525151dfae2bdb50f5720077e3479fe7bd38bc07aecf57ffa37c9/analysis/
Malwr link:  https://malwr.com/submission/status/MmM2ZWIxOGNjY2QyNGIzYzkxZGIzYTkzZjE2ZjIxNzI/ (analysis still pending or under processing)

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

From psr.com.au (compromised website) to pornotrider.wha.la (first redirect):

From pornotrider.wha.la (first redirect) to ks.wha.la (second redirect):

From ks.wha.la (second redirect) to go.exelo.ru (third redirect):

From go.exelo.ru (third redirect) to kazius.wha.la (fourth redirect):

From kazius.wha.la (fourth redirect) to black1.wha.la (Blackhole EK):

Blackhole EK landing page:

Blackhole EK delivers Java exploit:

EXE payload sent after successful Java exploit:

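As an added illustration (not part of the original post), this Python example follows Referer headers across constructed proxy-style log lines to rebuild the redirect chain listed above and flag requests to the Blackhole EK host and IP named in this post. The hostnames psr.com.au through black1.wha.la and the IP 109.120.173.4 come from the post; the log format, timestamps, URIs and all other addresses are constructed.

```python
# Added example, not from the original post: follow Referer headers across
# constructed log lines to rebuild the redirect chain and flag EK requests.
from urllib.parse import urlparse

# Host and IP taken from the post; every log line below is constructed.
EK_HOSTS = {"black1.wha.la"}
EK_IPS = {"109.120.173.4"}

# Constructed sample log: "<timestamp> <dst_ip> <host> <uri> <referer>"
SAMPLE_LOG = """\
2014-05-23T08:25:01Z 203.0.113.10 psr.com.au /index.html -
2014-05-23T08:25:02Z 203.0.113.20 pornotrider.wha.la /r1 http://psr.com.au/index.html
2014-05-23T08:25:02Z 203.0.113.21 ks.wha.la /r2 http://pornotrider.wha.la/r1
2014-05-23T08:25:03Z 203.0.113.30 go.exelo.ru /r3 http://ks.wha.la/r2
2014-05-23T08:25:03Z 203.0.113.22 kazius.wha.la /r4 http://go.exelo.ru/r3
2014-05-23T08:25:04Z 109.120.173.4 black1.wha.la /landing http://kazius.wha.la/r4
2014-05-23T08:25:05Z 109.120.173.4 black1.wha.la /exploit.jar http://black1.wha.la/landing
2014-05-23T08:25:07Z 109.120.173.4 black1.wha.la /payload.exe -
"""

def parse_log(text):
    """Split each line of the constructed log into a dict of its five fields."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, host, uri, referer = line.split(maxsplit=4)
        records.append({"ts": ts, "ip": ip, "host": host, "uri": uri, "referer": referer})
    return records

def referer_host(referer):
    """Hostname of a Referer URL, or None when the header was absent ('-')."""
    return None if referer == "-" else urlparse(referer).hostname

def build_chain(records, start_host):
    """Walk Referer links from start_host and return the ordered host chain."""
    next_hop = {}  # referring host -> first other host it sent the browser to
    for r in records:
        src = referer_host(r["referer"])
        if src and src != r["host"] and src not in next_hop:
            next_hop[src] = r["host"]
    chain = [start_host]
    while chain[-1] in next_hop and next_hop[chain[-1]] not in chain:
        chain.append(next_hop[chain[-1]])
    return chain

def flag_ek_requests(records):
    """(host, uri) of every request to the EK hostname or server IP."""
    return [(r["host"], r["uri"]) for r in records
            if r["host"] in EK_HOSTS or r["ip"] in EK_IPS]
```

Running build_chain(parse_log(SAMPLE_LOG), "psr.com.au") yields the six-host chain in the order the highlights above list it, and flag_ek_requests picks out the landing page, the Java exploit and the EXE payload requests.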
FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.