2014-06-04 - INFINITY EK FROM 173.236.152.199 - BCREATIVEWORKS.COM

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

INFINITY EK:

POST-INFECTION CALLBACK TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOITS

File name: 2014-06-04-Infinity-EK-flash-exploit-ie8.swf
File size: 6.5 KB (6672 bytes)
MD5 hash: 7460394d9a4feaebef0cbb41f62a452b
Detection ratio: 3 / 51
First submission: 2014-06-03 14:16:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/81973f82918199070c9208cdcfc416c481162e0d0e832e483aeb1245f2d624d5/analysis/

File name: 2014-06-04-Infinity-EK-flash-exploit-ie10.swf
File size: 6.0 KB (6186 bytes)
MD5 hash: 8b0e41535554df698506fbd09bc6366e
Detection ratio: 1 / 51
First submission: 2014-06-04 08:08:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/e3ea4b6c7c31de2e80082e817dc477ac078e74005ac393a32c100916c3ee5b86/analysis/

SILVERLIGHT EXPLOIT

File name: 2014-06-04-Infinity-EK-silverlight-exploit.xap
File size: 15.1 KB (15419 bytes)
MD5 hash: 933449d7357efaf47641ca505615a78d
Detection ratio: 2 / 51
First submission: 2014-05-31 16:15:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/fbd1bc67d84c8179e78ece6bf65035ad1dede3f646704432f5c6489b139cb130/analysis/

MALWARE PAYLOAD

File name: 2014-06-04-Infinity-EK-malware-payload.exe
File size: 115.0 KB (117760 bytes)
MD5 hash: 431d2ac68d63bbf30e3b5636ca1ae823
Detection ratio: 33 / 51
First submission: 2014-05-30 11:48:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/41b1a1ec61b2c8aa683f0310e3075d7d29d97fbe883d6e953ff2260417d38fe7/analysis/
Malwr link: https://malwr.com/analysis/ODAwYWRjOTRjNDY0NGM5ZWE5YmZlOWU0MTMwMDBkZDk/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:

HIGHLIGHTS FROM THE TRAFFIC

Malicious JavaScript in a page from the compromised website:

Redirect pointing to Infinity EK:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.