2014-11-30 - GONDAD (GONG DA) EK FROM 211.171.231.194 - WWW.HWASHINSHOP.COM

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

GONDAD (GONG DA) EK:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata:

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-11-30-Gondad-EK-java-exploit.jar
File size:  6.2 KB ( 6309 bytes )
MD5 hash:  6c6ed249ebf6bc032c4b0157352052a3
Detection ratio:  12 / 56
First submission:  2014-11-30 04:25:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0162b9c915cd3e25e213dcc07824ac614ac8c566a55723e3bfaf8803c1526ad1/analysis/

 

MALWARE PAYLOAD

File name:  2014-11-30-Gondad-EK-malware-payload.exe
File size:  154.5 KB ( 158208 bytes )
MD5 hash:  2f6d68c7097a21a98df079dc61a403ec
Detection ratio:  30 / 56
First submission:  2014-11-28 10:22:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/314b5026a2a50f9aa0ad7fdde1789edb76534cb65d247f738a78db9d580cd3f3/analysis/
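Before opening the samples from the ZIP, check that what you extracted matches the hashes above. The script below is an added example and is not part of the original post; it assumes the ZIP has been extracted into the current directory with the two file names listed above. The MD5 values and sizes are copied from the post, and the SHA256 values are taken from the VirusTotal URLs, which embed the file's SHA256 in the path.

```python
"""Verify the downloaded samples against the hashes listed in this post.

Added example, not part of the original post. Assumes the ZIP has been
extracted into the working directory with the file names given in the post.
"""
import hashlib
import os
import re

# Sizes and MD5 values copied from the post; the SHA256 comes from the VT URL.
SAMPLES = {
    "2014-11-30-Gondad-EK-java-exploit.jar": {
        "size": 6309,
        "md5": "6c6ed249ebf6bc032c4b0157352052a3",
        "vt_url": "https://www.virustotal.com/en/file/0162b9c915cd3e25e213dcc07824ac614ac8c566a55723e3bfaf8803c1526ad1/analysis/",
    },
    "2014-11-30-Gondad-EK-malware-payload.exe": {
        "size": 158208,
        "md5": "2f6d68c7097a21a98df079dc61a403ec",
        "vt_url": "https://www.virustotal.com/en/file/314b5026a2a50f9aa0ad7fdde1789edb76534cb65d247f738a78db9d580cd3f3/analysis/",
    },
}

_VT_SHA256_RE = re.compile(r"/file/([0-9a-f]{64})/")


def sha256_from_vt_url(url):
    """Pull the SHA256 out of a VirusTotal /file/<sha256>/ URL."""
    m = _VT_SHA256_RE.search(url)
    if not m:
        raise ValueError("no SHA256 in VirusTotal URL: %s" % url)
    return m.group(1)


def hash_bytes(data):
    """Return (size, md5, sha256) for a byte string."""
    return len(data), hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def check_sample(data, expected):
    """Compare bytes against one SAMPLES entry.

    Returns a dict of mismatches {field: (wanted, got)}; empty means OK.
    """
    size, md5, sha256 = hash_bytes(data)
    want = {
        "size": expected["size"],
        "md5": expected["md5"],
        "sha256": sha256_from_vt_url(expected["vt_url"]),
    }
    got = {"size": size, "md5": md5, "sha256": sha256}
    return {k: (want[k], got[k]) for k in want if want[k] != got[k]}


def verify_directory(directory="."):
    """Hash every listed sample found in `directory`.

    Returns {file name: mismatch dict} or {file name: "missing"}.
    """
    results = {}
    for name, expected in SAMPLES.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as fh:
            results[name] = check_sample(fh.read(), expected)
    return results


if __name__ == "__main__":
    for name, result in verify_directory().items():
        print(name, "OK" if result == {} else result)
```

A size or hash mismatch usually means the wrong file was extracted or the sample was modified (for example by an on-access scanner), so resolve it before doing any further analysis.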

 

SCREENSHOTS FROM THE TRAFFIC

Embedded iframe in page from compromised website:

 

Redirect:

 

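The injected iframe that starts this chain is the kind of thing worth flagging automatically when reviewing pages from a suspected compromised site. The script below is an added example, not code from the original post; the HTML it parses is constructed for illustration and is not the injected code from the compromised site, and the redirect.invalid host is a placeholder. It flags iframes that are hidden (display:none, visibility:hidden, or 0/1-pixel dimensions) and point at a host other than the page's own.

```python
"""Flag hidden, off-site iframes of the kind used to redirect visitors from a
compromised site into an exploit kit.

Added example, not part of the original post. SAMPLE_HTML is constructed;
it is not the injected code from the compromised site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate same-site iframe, two injected hidden ones.
SAMPLE_HTML = """
<html><body>
<h1>Shop</h1>
<iframe src="/widgets/cart.html" width="300" height="200"></iframe>
<div style="display:none">
<iframe src="http://redirect.invalid/in.php?id=1" width="1" height="1"></iframe>
</div>
<iframe style="visibility:hidden" src="http://redirect.invalid/other.html"></iframe>
</body></html>
"""

_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_TINY_STYLE = re.compile(r"(?:width|height)\s*:\s*0*[0-2]px", re.I)
_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
         "link", "meta", "param", "source", "track", "wbr"}


def _tiny(value, limit=2):
    """True when a width/height attribute is a number <= limit (0 or 1 pixel)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= limit


class IframeCollector(HTMLParser):
    """Collect every <iframe>, noting whether it or an enclosing element is hidden."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._stack = []        # (tag, hidden) for open non-void elements
        self._hidden_depth = 0  # >0 while inside a display:none / visibility:hidden element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        hidden_here = bool(_HIDDEN_STYLE.search(style))
        if tag == "iframe":
            reasons = []
            if hidden_here or self._hidden_depth:
                reasons.append("hidden-style")
            if _tiny(a.get("width")) and _tiny(a.get("height")):
                reasons.append("tiny-dimensions")
            if _TINY_STYLE.search(style):
                reasons.append("tiny-style")
            self.iframes.append({"src": a.get("src") or "", "reasons": reasons})
            return
        if tag in _VOID:
            return
        self._stack.append((tag, hidden_here))
        if hidden_here:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag == "iframe":
            return
        # Pop back to the matching open tag; tolerates sloppy nesting.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                for _, hidden in self._stack[i:]:
                    if hidden:
                        self._hidden_depth -= 1
                del self._stack[i:]
                break


def suspicious_iframes(html, page_host):
    """Return hidden/tiny iframes whose src points at a host other than page_host."""
    p = IframeCollector()
    p.feed(html)
    hits = []
    for f in p.iframes:
        host = urlparse(f["src"]).hostname
        if f["reasons"] and host and host.lower() != page_host.lower():
            hits.append({"src": f["src"], "host": host, "reasons": f["reasons"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "www.hwashinshop.com"):
        print(hit["host"], hit["src"], ",".join(hit["reasons"]))
```

Relative iframe sources are treated as same-site and ignored; protocol-relative `//host/path` sources are resolved to their host. A hit is a lead for pulling the redirect page from the pcap, not proof of compromise on its own, since ad and analytics tags also use small off-site iframes.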
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
