2014-09-28 - NULL HOLE EK FROM 162.244.33[.]39 - POOLIE.VVK49[.]COM

NOTICE:

ASSOCIATED FILES:

 

NOTES (updated 2014-11-29):


URLs from bridepopmississippi[.]com reported to Clean MX

 


URL from bridepopmississippi[.]com reported to Scumware.org

 


Warning about bridepopmississippi[.]com from a Bing search

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

NULL HOLE EK:

 

POST-INFECTION TRAFFIC (ENCRYPTED OR OTHERWISE OBFUSCATED):

 

ADDITIONAL FAILED ATTEMPTS TO INFECT A VM USING JAVA ONLY:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-28-Null-Hole-EK-flash-exploit.swf
File size:  5,250 bytes
MD5 hash:  07ca35c6a0c5b30929ad60b34ab1e8fa
Detection ratio:  1 / 55
First submission:  2014-09-28 15:00:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c641c2728a5b1e369f7f47bb776c6d20b27d613c8da9584250f78699a8a8609b/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-28-Null-Hole-EK-malware-payload.exe
File size:  174,652 bytes
MD5 hash:  5469af0daa10f8acbe552cd2f1f6a6bb
Detection ratio:  10 / 55
First submission:  2014-09-27 09:25:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9bc99299191caf52ebe70a6c7052574c35c40d28f93aa8c163073e81aad9e148/analysis/

 

DROPPED MALWARE 1 OF 2 (FROM THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):

File name:  locolknx.exe
File size:  513,999 bytes
MD5 hash:  e685038ae761603712282500b70f80ce
Detection ratio:  11 / 54
First submission:  2014-09-28 15:01:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1aee63c95c990a2d9e425967c33ecd9f4e80e2da3b1f2b0b3f2de0d9f56ddebe/analysis/

 

DROPPED MALWARE 2 OF 2 (FROM THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):

File name:  ncsfklmi.exe
File size:  643,072 bytes
MD5 hash:  b06f9b65d08e81196fb4b4e471a197d8
Detection ratio:  17 / 54
First submission:  2014-09-28 15:02:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/868fd9273bf899981326024e07ad32f5f7a96d39059b50346250add5d80bc69d/analysis/
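The four metadata blocks above follow a fixed layout (name, size, MD5, detection ratio, VirusTotal link), and the VirusTotal URL carries the SHA-256 that the write-up never lists on its own line. The following Python is an added example, not part of the original write-up or the malware-traffic-analysis.net page: it parses those blocks into records, pulls the SHA-256 out of the VirusTotal URL, and checks a blob on disk against all three of size, MD5 and SHA-256 before anyone trusts that a retrieved file is the sample described here. The text fed to the parser is copied from the flash-exploit and payload blocks above; the blob used to exercise the verifier is a constructed stand-in, not the real exploit.

```python
import hashlib
import re
from dataclasses import dataclass

# Metadata text copied from the write-up above (flash exploit and EXE payload).
PAGE_METADATA = """\
File name:  2014-09-28-Null-Hole-EK-flash-exploit.swf
File size:  5,250 bytes
MD5 hash:  07ca35c6a0c5b30929ad60b34ab1e8fa
Detection ratio:  1 / 55
First submission:  2014-09-28 15:00:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c641c2728a5b1e369f7f47bb776c6d20b27d613c8da9584250f78699a8a8609b/analysis/

File name:  2014-09-28-Null-Hole-EK-malware-payload.exe
File size:  174,652 bytes
MD5 hash:  5469af0daa10f8acbe552cd2f1f6a6bb
Detection ratio:  10 / 55
First submission:  2014-09-27 09:25:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9bc99299191caf52ebe70a6c7052574c35c40d28f93aa8c163073e81aad9e148/analysis/
"""


@dataclass
class Sample:
    name: str
    size: int          # bytes
    md5: str
    sha256: str        # taken from the VirusTotal URL, which embeds it
    detections: int
    engines: int


# One block of the write-up's "File name / File size / MD5 hash / Detection
# ratio / (First submission) / VirusTotal link" layout.
SAMPLE_RE = re.compile(
    r"File name:\s+(?P<name>\S+)[ \t]*\n"
    r"File size:\s+(?P<size>[\d,]+)\s*bytes[ \t]*\n"
    r"MD5 hash:\s+(?P<md5>[0-9a-fA-F]{32})[ \t]*\n"
    r"Detection ratio:\s+(?P<det>\d+)\s*/\s*(?P<eng>\d+)[ \t]*\n"
    r"(?:First submission:[^\n]*\n)?"
    r"VirusTotal link:\s+https://www\.virustotal\.com/(?:[a-z]+/)?file/"
    r"(?P<sha256>[0-9a-fA-F]{64})/"
)


def parse_samples(text: str) -> list:
    """Extract every metadata block in the write-up's layout as a Sample."""
    return [
        Sample(
            name=m["name"],
            size=int(m["size"].replace(",", "")),
            md5=m["md5"].lower(),
            sha256=m["sha256"].lower(),
            detections=int(m["det"]),
            engines=int(m["eng"]),
        )
        for m in SAMPLE_RE.finditer(text)
    ]


def verify_file(data: bytes, sample: Sample) -> dict:
    """Check a blob against the listed size, MD5 and SHA-256.

    MD5 alone is collision-prone; require all three to agree before treating
    a retrieved file as the sample described in the write-up.
    """
    return {
        "size": len(data) == sample.size,
        "md5": hashlib.md5(data).hexdigest() == sample.md5,
        "sha256": hashlib.sha256(data).hexdigest() == sample.sha256,
    }


def describe_bytes(name: str, data: bytes) -> Sample:
    """Build a Sample record for a blob you hold (detection counts unknown, so 0/0)."""
    return Sample(name, len(data), hashlib.md5(data).hexdigest(),
                  hashlib.sha256(data).hexdigest(), 0, 0)


if __name__ == "__main__":
    samples = parse_samples(PAGE_METADATA)
    for s in samples:
        print(f"{s.name}: {s.size} bytes md5={s.md5} "
              f"sha256={s.sha256[:16]}... {s.detections}/{s.engines}")
    # Constructed stand-in blob (not the real exploit): every check must fail
    # against the listed flash-exploit metadata.
    fake = b"FWS" + b"\x00" * 64
    print(verify_file(fake, samples[0]))
```

To check a file pulled from a sandbox or a sharing site, read it in binary mode and pass the bytes with the matching record from `parse_samples`; a mismatch on any one of the three fields means it is not the file from this capture.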

 

SIGNATURE HITS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe after closing HTML tag in page from compromised website:
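An iframe that appears after the page's closing HTML tag is a common mark of injected code: the attacker appends to the file rather than editing the template, so the injected tag sits outside the document proper. The following Python is an added example and not part of the original write-up; it pulls out everything after the last closing HTML tag and reports any iframe, script, object or embed found there, flagging ones styled to be invisible. The sample HTML it runs on is constructed for the example (the write-up's actual injected iframe is shown only in a screenshot that is not reproduced here), and the hidden-attribute heuristics are an assumption about typical injections, not a description of this specific case.

```python
import re
from html.parser import HTMLParser

CLOSING_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SUSPECT_TAGS = ("iframe", "script", "object", "embed")


class TagCollector(HTMLParser):
    """Record every start tag and its attributes from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag.lower(), dict(attrs)))


def trailing_content(html: str) -> str:
    """Return everything after the last </html>, or '' if there is no closing tag."""
    matches = list(CLOSING_HTML.finditer(html))
    if not matches:
        return ""
    return html[matches[-1].end():]


def is_hidden(attrs: dict) -> bool:
    """Heuristic: display:none / visibility:hidden, or a 0px/1px width or height."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim)
        if value is not None and value.strip().lower().rstrip("px") in ("0", "1"):
            return True
    return False


def find_injected_tags(html: str) -> list:
    """List suspect tags placed after the closing </html> tag."""
    tail = trailing_content(html)
    if not tail.strip():
        return []
    collector = TagCollector()
    collector.feed(tail)
    return [
        {"tag": tag, "src": attrs.get("src"), "hidden": is_hidden(attrs)}
        for tag, attrs in collector.tags
        if tag in SUSPECT_TAGS
    ]


# Constructed sample page (not the compromised site's real HTML): a normal
# document with a 1x1 hidden iframe appended after </html>.
INJECTED_PAGE = (
    "<html><head><title>Wedding dresses</title></head>\n"
    "<body><p>Welcome to our shop.</p></body></html>\n"
    '<iframe src="http://redirect.invalid/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
)

CLEAN_PAGE = "<html><body><p>Nothing after the closing tag.</p></body></html>\n"


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_injected_tags(page))
```

The check is deliberately narrow: legitimate sites sometimes put analytics scripts after `</html>` too, so treat a hit as a lead to confirm by fetching the iframe target and comparing with the redirect traffic in the capture, not as proof of compromise on its own.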

 

Redirect:

 

First HTTP request to Null Hole EK:

 

Landing page for the EK:

 

EK sends the EXE payload:

 

Example of the post-infection TCP traffic:

 

Example of the post-infection UDP traffic:

 
