2014-06-01 - INFINITY EK FROM 89.184.75.186 - APTEKA-TAS.COM.UA

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

FIRST TRY USING IE 8:

SECOND TRY USING IE 10:

MALWR.COM SANDBOX ANALYSIS OF MALWARE PAYLOAD:

MALWR.COM SANDBOX ANALYSIS OF FOLLOWUP MALWARE (EXE.EXE):

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT WHEN USING IE 8:

File name:  2014-06-01-Infinity-EK-flash-exploit-when-using-IE-8.swf
File size:  6.3 KB ( 6440 bytes )
MD5 hash:  901c12445856522789aad197df13062b
Detection ratio:  2 / 52
First submission:  2014-05-30 10:34:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e21beb0b195052a761e43e73addd51701295c1f168a9c3dbf9e0e0aa0f309b8e/analysis/

FLASH EXPLOIT WHEN USING IE 10:

File name:  2014-06-01-Infinity-EK-flash-exploit-when-using-IE-10.swf
File size:  6.0 KB ( 6162 bytes )
MD5 hash:  5e244579890b9171345b31f4548ad31a
Detection ratio:  1 / 53
First submission:  2014-06-01 01:38:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d309197ca4f1e3b3e4a26fa537be9806d3013d490dc1a65ab9ed0511e7b47754/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-06-01-Infinity-EK-silverlight-exploit
File size:  21.0 KB ( 21541 bytes )
MD5 hash:  5eec17841a04a21ebf6b3c98ccf33e0c
Detection ratio:  7 / 53
First submission:  2014-05-30 07:06:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b08d25b46005f2b2a4dfa5b38e57b7320203333cb3fc510929cb97f27e6810e5/analysis/


Same one used by Rig EK in my 2014-05-30 blog entry.

MALWARE PAYLOAD

File name:  2014-06-01-Infinity-EK-malware-payload.exe
File size:  100.0 KB ( 102408 bytes )
MD5 hash:  b8e699d7c9a0176ac1beef2ada40bc7b
Detection ratio:  1 / 52
First submission:  2014-06-01 01:36:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/296e66a339924e9fbe2f0d0848825e1f829f2eff4153f961a096102b18fb4f57/analysis/
Malwr link:  https://malwr.com/analysis/YjZjMWU0MDNjMTBlNDkwMGE1MWJkMTJkNzcxZThkMjA/

FOLLOW-UP MALWARE

File name:  exe.exe
File size:  176.0 KB ( 180224 bytes )
MD5 hash:  a699e652d6ca9163fef64a3bfd38c6b4
Detection ratio:  3 / 52
First submission:  2014-05-31 23:55:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cf003ee04490414f187c7591076a46952022b7e930a1345d2edfe360fba2bc9e/analysis/
Malwr link:  https://malwr.com/analysis/MGEyOGZhNGU2M2YxNDUwMDgyZTYwOTBiYjAwNTA5YTE/

NOTE: This file was saved as UpdateFlashPlayer_5ff57963.exe in the user's AppData\Local\Temp directory.

SNORT EVENTS

SNORT EVENTS FOR THE VM TRAFFIC (from Sguil on Security Onion)

Emerging Threats ruleset:

Sourcefire VRT ruleset:

SNORT EVENTS FOR THE POST-INFECTION MALWARE (using tcpreplay for sandbox pcap on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in page from compromised website:

Redirect:

Infinity EK landing page / CVE-2013-2551 MSIE exploit:

Infinity EK sent this Flash exploit when I used IE 8 and Flash 11.8.800.94:

Infinity EK sent this Flash exploit when I used IE 10 and Flash 12.0.0.38:

Here's the Silverlight exploit:

Infinity EK sends the EXE payload (encrypted):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.