2014-07-09 - ZUPONCIC EK FROM 178.33.152.221 - MZ.WATCHWEEDSEPISODES.NET

ASSOCIATED FILES:


NOTES:

This is the second time I've run across Zuponcic.  I first saw it on 2014-03-17.  Here are some good blog posts about this exploit kit and the associated malware:

The Fox-IT article states, "When a victim does not have Java enabled or the browser used is not Internet Explorer, a ZIP file is presented."  I originally discovered this infection chain while investigating a ZIP file delivered by Zuponcic on 2014-07-07.

When I tried Zuponcic with Java 7 update 13, the exploit kit didn't send a Java exploit or a ZIP file--instead, it asked me to download an 839 KB JAR file.


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


EXAMPLE 1 - ZUPONCIC EK USES JAVA EXPLOIT:


EXAMPLE 2 - ZUPONCIC EK SENDS 839 KB JAVA ARCHIVE:


PRELIMINARY MALWARE ANALYSIS

EXAMPLE 1 - JAVA EXPLOIT:

File name:  2014-07-09-Zuponcic-EK-java-exploit.jar
File size:  4.7 KB ( 4819 bytes )
MD5 hash:  c7e28d226100c06bfd346d0989658a0b
Detection ratio:  18 / 54
First submission:  2014-05-22 15:20:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/16ab78dc36741b80c3e386b0993909dacce4768f06415cd8364b993585feb66b/analysis/


EXAMPLE 1 - MALWARE PAYLOAD:

File name:  2014-07-09-Zuponcic-EK-malware-payload.exe
File size:  835.1 KB ( 855172 bytes )
MD5 hash:  b528871bc1e3ca5a9c9ec7037df0dcfb
Detection ratio:  17 / 54
First submission:  2014-07-09 05:58:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5913ce93f79398bba58ef7c884acc4ced43ee4d28c028b4657775f7764c26c37/analysis/
Malwr link:  https://malwr.com/analysis/NGY3N2Y4ZTIxNWNlNGM3OTg4MjdjYzExMWU3NWIxM2Y/


EXAMPLE 2 - ARCHIVE SENT WHEN JAVA WAS NOT VULNERABLE:

File name:  accelerator_tool_.jar
File size:  838.7 KB ( 858838 bytes )
MD5 hash:  181c5347a02f805e8bf8f561340bb325
Detection ratio:  5 / 54
First submission:  2014-07-09 06:48:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dd323b8ecb348df8f89c62fd1288130151bb0e630d8da9445737de00f4f33d52/analysis/


Below is the ZIP file from Zuponcic I originally investigated - sent on 2014-07-07 at 21:17 UTC from 178.33.152.221 - so.watchweedsepisodes.net:


ZIP file:  video__tool.zip   -   MD5 hash: cb0e736622f2e3cc7eda6797f5479669   -   584.3 KB ( 598325 bytes )
VirusTotal link:  https://www.virustotal.com/en/file/0f8fc6b69bba014f6afef7712f87fd1fd9ca2d578a5b13e7be1941a317167f06/analysis/


Extracted file:  video__tool.exe   -   MD5 hash: 91a55427a929b49e9295243008c9522a   -   974.4 KB ( 997744 bytes )
VirusTotal link:  https://www.virustotal.com/en/file/51bd10fe9c08fe3d9bb5e6754f2bea5c31d1dd3cb666b1cb2c68ed9fb1a87585/analysis/
Malwr link:  https://malwr.com/analysis/OWFiN2Q0Y2I3N2JhNDM1N2I2MjEwZjk1ZDA1N2Q4YjE/


SNORT EVENTS (EXAMPLE 1)

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:

NOTE: These Snort events were taken from Sguil on Security Onion.  This list does not include ET INFO or ET POLICY rules.


HIGHLIGHTS FROM THE TRAFFIC

Example 1 - Going to the compromised website from a Google search returns a 302 redirect:


Example 1 - Redirect points to the Zuponcic EK landing page:


Example 1 - Zuponcic EK delivers Java exploit:


Example 1 - Encrypted EXE payload sent after successful Java exploit:


Example 2 - Zuponcic EK sent a Java archive to download when I used a VM running Java 7 update 13:

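As an added detection example (editor's code, not from the original post or its pcap), the Example 1 chain above - search-engine referer, 302 to an off-site landing page, JAR from that host, then a binary payload fetched by the Java client itself - reconstructed from a list of HTTP transactions such as a proxy or Zeek http.log would provide. The compromised hostname, paths, content types and User-Agent strings in the sample are constructed assumptions; only the EK hostname is taken from this post.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Tx:                 # one HTTP transaction as a proxy or sensor log records it
    host: str
    path: str
    referer: str
    status: int
    location: str         # Location header on a redirect, otherwise ""
    content_type: str
    user_agent: str

def find_ek_chain(txs: List[Tx]) -> Optional[dict]:
    """Return the chain's hosts and paths if all steps appear in order, else None."""
    for i, t in enumerate(txs):
        # Step 1: a 302 from a page the victim reached via a Google search
        if t.status != 302 or "google." not in t.referer or "://" not in t.location:
            continue
        landing = t.location.split("/")[2]
        if landing == t.host:
            continue            # same-site redirect, not an off-site landing page
        later = txs[i + 1:]
        # Step 2: the landing host serves a JAR (the Java exploit)
        jar = next((x for x in later if x.host == landing and x.path.endswith(".jar")), None)
        if jar is None:
            continue
        # Step 3: after the JAR, the Java client itself fetches an opaque binary payload
        payload = next((x for x in later[later.index(jar) + 1:]
                        if x.host == landing and x.user_agent.startswith("Java/")
                        and x.content_type == "application/octet-stream"), None)
        if payload is None:
            continue
        return {"compromised": t.host, "landing": landing,
                "jar": jar.path, "payload": payload.path}
    return None

# Constructed sample traffic: the compromised host and all paths are hypothetical;
# only the EK hostname is the one from this post.
SAMPLE = [
    Tx("compromised-site.example", "/watch/", "https://www.google.com/", 302,
       "http://mz.watchweedsepisodes.net/landing", "text/html", "Mozilla/5.0 (MSIE)"),
    Tx("mz.watchweedsepisodes.net", "/landing", "http://compromised-site.example/watch/",
       200, "", "text/html", "Mozilla/5.0 (MSIE)"),
    Tx("mz.watchweedsepisodes.net", "/ex.jar", "", 200, "",
       "application/java-archive", "Mozilla/5.0 (MSIE)"),
    Tx("mz.watchweedsepisodes.net", "/payload", "", 200, "",
       "application/octet-stream", "Java/1.7.0_13"),
]
```

Running `find_ek_chain(SAMPLE)` returns the compromised host, landing host, JAR path and payload path; dropping the payload transaction or the initial 302 makes it return None, which is the behaviour to expect for the Example 2 (JAR offered for download, no exploit) traffic.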

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
