2014-06-08 - INFINITY EK FROM 46.226.194.6 - ELITECAD.GR

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

INFINITY EK:

POST-INFECTION CALLBACK TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-08-Infinity-EK-flash-exploit.swf
File size:  4.4 KB ( 4475 bytes )
MD5 hash:  ec5f5f2b85f6f133ef25d09ef6908686
Detection ratio:  1 / 50
First submission:  2014-06-08 23:27:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2179aa43de0d3fcac429e1f528412043799f94942dc941a5ffa36233c8406531/analysis/


SILVERLIGHT EXPLOIT

File name:  2014-06-08-Infinity-EK-silverlight-exploit.xap
File size:  6.1 KB ( 6242 bytes )
MD5 hash:  6728d803252532e11e2a2f62b069598b
Detection ratio:  6 / 51
First submission:  2014-06-08 23:28:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/430a044651af3ef0a4cb9443bfb5e2997d5de5aa8c59915294c94fdcf073b2bf/analysis/


MALWARE PAYLOAD

File name:  2014-06-08-Infinity-EK-malware-payload.exe
File size:  115.0 KB ( 117760 bytes )
MD5 hash:  431d2ac68d63bbf30e3b5636ca1ae823
Detection ratio:  33 / 51
First submission:  2014-05-30 11:48:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/41b1a1ec61b2c8aa683f0310e3075d7d29d97fbe883d6e953ff2260417d38fe7/analysis/
Malwr link:  https://malwr.com/analysis/ODAwYWRjOTRjNDY0NGM5ZWE5YmZlOWU0MTMwMDBkZDk/
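
The three entries above give each file's byte size, MD5 and (inside the VirusTotal URL) its SHA256. The following script is an added example, not part of the original post: it parses those entries as written on this page and checks a downloaded sample against all three values before you hand it to a sandbox or a disassembler. The text block inside it is copied from this section; everything else (function and variable names) is this example's own.

```python
"""Verify downloaded Infinity EK samples against the hashes listed in this
post's PRELIMINARY MALWARE ANALYSIS section.

Added example, not part of the original post. LISTED_SAMPLES is copied
verbatim from the post; the SHA256 of each file is taken from its
VirusTotal URL. Usage:  python verify_samples.py <file> [<file> ...]
"""
import hashlib
import os
import re
import sys
from typing import Dict, List, Optional

# Copied from the post's "Preliminary malware analysis" section.
LISTED_SAMPLES = """\
File name:  2014-06-08-Infinity-EK-flash-exploit.swf
File size:  4.4 KB ( 4475 bytes )
MD5 hash:  ec5f5f2b85f6f133ef25d09ef6908686
VirusTotal link:  https://www.virustotal.com/en/file/2179aa43de0d3fcac429e1f528412043799f94942dc941a5ffa36233c8406531/analysis/

File name:  2014-06-08-Infinity-EK-silverlight-exploit.xap
File size:  6.1 KB ( 6242 bytes )
MD5 hash:  6728d803252532e11e2a2f62b069598b
VirusTotal link:  https://www.virustotal.com/en/file/430a044651af3ef0a4cb9443bfb5e2997d5de5aa8c59915294c94fdcf073b2bf/analysis/

File name:  2014-06-08-Infinity-EK-malware-payload.exe
File size:  115.0 KB ( 117760 bytes )
MD5 hash:  431d2ac68d63bbf30e3b5636ca1ae823
VirusTotal link:  https://www.virustotal.com/en/file/41b1a1ec61b2c8aa683f0310e3075d7d29d97fbe883d6e953ff2260417d38fe7/analysis/
"""

FIELD_RE = re.compile(r"^(File name|File size|MD5 hash|VirusTotal link):\s*(.+?)\s*$")
SIZE_RE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")      # "( 4475 bytes )" -> 4475
SHA256_RE = re.compile(r"/file/([0-9a-f]{64})/")      # SHA256 embedded in the VT URL


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Turn the post's 'File name / File size / MD5 hash / VirusTotal link'
    blocks into dicts with keys name, size (bytes), md5 and sha256."""
    entries: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2)
        if field == "File name":
            if current:
                entries.append(current)
            current = {"name": value}
        elif field == "File size":
            s = SIZE_RE.search(value)
            if s:
                current["size"] = int(s.group(1))
        elif field == "MD5 hash":
            current["md5"] = value.lower()
        elif field == "VirusTotal link":
            s = SHA256_RE.search(value)
            if s:
                current["sha256"] = s.group(1)
    if current:
        entries.append(current)
    return entries


def find_entry(entries: List[Dict[str, object]], name: str) -> Optional[Dict[str, object]]:
    """Look up a listed entry by file name (basename of the downloaded file)."""
    for entry in entries:
        if entry.get("name") == name:
            return entry
    return None


def verify_bytes(data: bytes, expected: Dict[str, object]) -> List[str]:
    """Return the list of mismatched fields; an empty list means the data
    matches the listed size, MD5 and SHA256."""
    problems: List[str] = []
    if len(data) != expected["size"]:
        problems.append(f"size {len(data)} != {expected['size']}")
    md5 = hashlib.md5(data).hexdigest()
    if md5 != expected["md5"]:
        problems.append(f"md5 {md5} != {expected['md5']}")
    sha256 = hashlib.sha256(data).hexdigest()
    if sha256 != expected["sha256"]:
        problems.append(f"sha256 {sha256} != {expected['sha256']}")
    return problems


def verify_file(path: str, expected: Dict[str, object]) -> List[str]:
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), expected)


if __name__ == "__main__":
    listed = parse_listing(LISTED_SAMPLES)
    for path in sys.argv[1:]:
        entry = find_entry(listed, os.path.basename(path))
        if entry is None:
            print(f"{path}: not listed in this post")
            continue
        problems = verify_file(path, entry)
        print(f"{path}: {'OK' if not problems else '; '.join(problems)}")
```

A sample that fails any of the three checks is not the file this post describes (a re-packed or truncated copy, or the wrong extraction from the zip), so do not attach this post's VirusTotal or Malwr results to it.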

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:


SCREENSHOTS FROM THE TRAFFIC

Embedded javascript in page from compromised website:


Redirect pointing to Infinity EK:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.