2014-09-28 - NULL HOLE EK FROM 162.244.33.39 - POOLIE.VVK49.COM

ASSOCIATED FILES:


NOTES (updated 2014-11-29):


URLs from bridepopmississippi.com reported to Clean MX



URL from bridepopmississippi.com reported to Scumware.org



Warning about bridepopmississippi.com from a Bing search


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT:


NULL HOLE EK:


POST-INFECTION TRAFFIC (ENCRYPTED OR OTHERWISE OBFUSCATED):


ADDITIONAL FAILED ATTEMPTS TO INFECT A VM USING JAVA ONLY:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-28-Null-Hole-EK-flash-exploit.swf
File size:  5.1 KB ( 5250 bytes )
MD5 hash:  07ca35c6a0c5b30929ad60b34ab1e8fa
Detection ratio:  1 / 55
First submission:  2014-09-28 15:00:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c641c2728a5b1e369f7f47bb776c6d20b27d613c8da9584250f78699a8a8609b/analysis/


MALWARE PAYLOAD:

File name:  2014-09-28-Null-Hole-EK-malware-payload.exe
File size:  170.6 KB ( 174652 bytes )
MD5 hash:  5469af0daa10f8acbe552cd2f1f6a6bb
Detection ratio:  10 / 55
First submission:  2014-09-27 09:25:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9bc99299191caf52ebe70a6c7052574c35c40d28f93aa8c163073e81aad9e148/analysis/


DROPPED MALWARE 1 OF 2 (FROM THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):

File name:  locolknx.exe
File size:  502.0 KB ( 513999 bytes )
MD5 hash:  e685038ae761603712282500b70f80ce
Detection ratio:  11 / 54
First submission:  2014-09-28 15:01:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1aee63c95c990a2d9e425967c33ecd9f4e80e2da3b1f2b0b3f2de0d9f56ddebe/analysis/


DROPPED MALWARE 2 OF 2 (FROM THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):

File name:  ncsfklmi.exe
File size:  628.0 KB ( 643072 bytes )
MD5 hash:  b06f9b65d08e81196fb4b4e471a197d8
Detection ratio:  17 / 54
First submission:  2014-09-28 15:02:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/868fd9273bf899981326024e07ad32f5f7a96d39059b50346250add5d80bc69d/analysis/


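The VirusTotal links above carry the SHA256 of each sample (the page only prints MD5, size and the link). Before analysing anything pulled from the associated zip, it is worth confirming you are holding the file this write-up describes. The following script is an added example for this page, not part of the original post: it builds an IOC table from the values listed above, pulls the SHA256 out of each VirusTotal URL, and matches a file on size, MD5 and SHA256 together. The `constructed.bin` entry used for testing is made up.

```python
"""
Verify samples from the associated zip against the hashes listed in this
write-up.  Added example, not code from the original page.  The IOC table
is copied from the page; the SHA256 values come from the VirusTotal URLs.
"""
import hashlib
import re
import sys

# VirusTotal file-report URLs embed the SHA256 of the file.
VT_SHA256_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url: str) -> str:
    """Return the lowercase SHA256 carried in a VirusTotal file URL."""
    m = VT_SHA256_RE.search(url)
    if not m:
        raise ValueError("not a VirusTotal file URL: %s" % url)
    return m.group(1).lower()


def make_entry(name: str, size: int, md5: str, vt_url: str) -> dict:
    return {"name": name, "size": size, "md5": md5.lower(),
            "sha256": sha256_from_vt_url(vt_url)}


# Values as listed on this page.
IOCS = [
    make_entry("2014-09-28-Null-Hole-EK-flash-exploit.swf", 5250,
               "07ca35c6a0c5b30929ad60b34ab1e8fa",
               "https://www.virustotal.com/en/file/c641c2728a5b1e369f7f47bb776c6d20b27d613c8da9584250f78699a8a8609b/analysis/"),
    make_entry("2014-09-28-Null-Hole-EK-malware-payload.exe", 174652,
               "5469af0daa10f8acbe552cd2f1f6a6bb",
               "https://www.virustotal.com/en/file/9bc99299191caf52ebe70a6c7052574c35c40d28f93aa8c163073e81aad9e148/analysis/"),
    make_entry("locolknx.exe", 513999,
               "e685038ae761603712282500b70f80ce",
               "https://www.virustotal.com/en/file/1aee63c95c990a2d9e425967c33ecd9f4e80e2da3b1f2b0b3f2de0d9f56ddebe/analysis/"),
    make_entry("ncsfklmi.exe", 643072,
               "b06f9b65d08e81196fb4b4e471a197d8",
               "https://www.virustotal.com/en/file/868fd9273bf899981326024e07ad32f5f7a96d39059b50346250add5d80bc69d/analysis/"),
]


def digests(data: bytes) -> dict:
    """Size, MD5 and SHA256 of a byte string."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def entry_from_bytes(name: str, data: bytes) -> dict:
    """Build an IOC entry from a file you already hold (extends the table)."""
    return {"name": name, **digests(data)}


def identify(data: bytes, iocs=IOCS):
    """Return the IOC entry matching data on size, MD5 and SHA256, else None.

    All three must agree; a size or MD5 match alone is not proof that you
    have the file described in the write-up.
    """
    d = digests(data)
    for e in iocs:
        if (e["size"], e["md5"], e["sha256"]) == (d["size"], d["md5"], d["sha256"]):
            return e
    return None


def check_file(path: str, iocs=IOCS):
    """Name of the matching IOC entry for the file at path, or None."""
    with open(path, "rb") as f:
        hit = identify(f.read(), iocs)
    return hit["name"] if hit else None


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, "->", check_file(p) or "no match")
```

Run it against the extracted files (`python verify.py *.exe *.swf`); anything reporting "no match" is not the sample analysed here and should be treated as unknown.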
SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe after closing HTML tag in page from compromised website:


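The injection pattern shown above (an iframe appended after the closing HTML tag) is easy to check for in bulk. The following Python is an added example for this write-up, not code from the original post. It flags iframes that appear after the last `</html>` tag, and as a generalisation beyond what this page shows, also flags iframes hidden by zero or one-pixel dimensions or by CSS, which is how EK redirectors are commonly planted. The sample page and the redirector URL in it are constructed for the example.

```python
"""
Flag injected <iframe> tags in HTML: after the closing </html> tag, or
hidden from the user.  Added example, not code from the original page.
"""
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# key="value", key='value' or key=value inside a tag
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Constructed sample: a normal page with a redirector appended after </html>.
SAMPLE_PAGE = (
    "<html><head><title>Wedding dresses</title></head>"
    "<body><p>Welcome</p></body></html>\n"
    '<iframe src="http://redirector.example/go.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
)


def _attrs(tag: str) -> dict:
    """Attributes of a single tag as a lowercase-keyed dict."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def trailing_iframes(html: str):
    """src of every iframe found after the last </html> tag.

    Legitimate pages put nothing after </html>; injected redirectors often do.
    """
    closes = list(HTML_CLOSE_RE.finditer(html))
    if not closes:
        return []
    tail = html[closes[-1].end():]
    return [_attrs(t.group(0)).get("src", "") for t in IFRAME_RE.finditer(tail)]


def _is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel frame, or hidden via inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        v = attrs.get(dim, "").lower().rstrip("px")
        if v.isdigit() and int(v) <= 1:
            return True
    return False


def hidden_iframes(html: str):
    """src of every iframe in the document that the user would not see."""
    hits = []
    for t in IFRAME_RE.finditer(html):
        a = _attrs(t.group(0))
        if _is_hidden(a):
            hits.append(a.get("src", ""))
    return hits


def suspicious_iframes(html: str):
    """Union of both checks, de-duplicated, preserving order."""
    seen, out = set(), []
    for src in trailing_iframes(html) + hidden_iframes(html):
        if src not in seen:
            seen.add(src)
            out.append(src)
    return out


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_PAGE):
        print("suspicious iframe ->", src)
```

Feed it saved copies of landing pages from a proxy log or a crawl; the `trailing_iframes` check is the low-noise one, since almost nothing legitimate sits after `</html>`, while the hidden-iframe check catches the same redirectors when they are injected inside the body instead.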
Redirect:


First HTTP request to Null Hole EK:


Landing page for the EK:


EK sends the EXE payload:


Example of the post-infection TCP traffic:


Example of the post-infection UDP traffic:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.