2014-12-13 - GONDAD (GONG DA) EK FROM 211.202.2.110 - COMM.SANSUNG.ORG

ASSOCIATED FILES:

 

MY BLOG ENTRIES ON GONDAD EK SO FAR:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECTS:

 

GONDAD (GONG DA) EK:

 

TRAFFIC FROM ANALYSIS OF THE MALWARE PAYLOAD:

 

SNORT EVENTS ON THE VM INFECTION

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata:

Sourcefire VRT ruleset using Snort 2.9.7.0 on Debian 7.6:

 

SNORT EVENTS FROM ANALYSIS OF THE MALWARE PAYLOAD

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  AyVpSf.jar
File size:  6.2 KB ( 6301 bytes )
MD5 hash:  9230fc1a6664a3fa617b09b7fd84ff1a
Detection ratio:  18 / 56
First submission:  2014-12-14 01:12:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/79b27e306d3ad3b3d4bda511a888fb0909dd20ec47c8b2648d212aadd2a89bae/analysis/

 

MALWARE PAYLOAD:

File name:  windos.exe
File size:  141.5 KB ( 144896 bytes )
MD5 hash:  818396cdd23ee4c41b167dee2da6d90c
Detection ratio:  7 / 56
First submission:  2014-12-14 01:13:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/26e2cae1a48e83c324ca700effe87292dec2681b3c2104990c30c20cd28635ef/analysis/
Malwr link:  https://malwr.com/analysis/ZjVlNjQ3Mjc3ZDg1NGMzYjk0YjZlYTQ3Y2IwNTliZDk/
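The two samples above are identified by file size, MD5 and the SHA256 that each VirusTotal link already embeds in its path. The following script is an added example (not part of the original post or its ZIP archives): it checks the members of a downloaded archive against those listed indicators without writing the samples to disk, and derives the VirusTotal URL from a SHA256 in the same form the links above use. The indicator values are copied from this post; the file contents used in the usage below are constructed placeholders and will not match the real samples.

```python
"""Check files from the associated ZIP archives against the IOCs listed in
the post (added example, not the post's own code).  Only the MD5 and SHA256
values given above are used; the SHA256s are the ones embedded in the
VirusTotal links."""
import hashlib
import re
import zipfile

# Indicators copied from the post: file name -> (size in bytes, MD5, SHA256).
IOCS = {
    "AyVpSf.jar": (
        6301,
        "9230fc1a6664a3fa617b09b7fd84ff1a",
        "79b27e306d3ad3b3d4bda511a888fb0909dd20ec47c8b2648d212aadd2a89bae",
    ),
    "windos.exe": (
        144896,
        "818396cdd23ee4c41b167dee2da6d90c",
        "26e2cae1a48e83c324ca700effe87292dec2681b3c2104990c30c20cd28635ef",
    ),
}

# Matches the /file/<sha256>/ part of the VirusTotal links used in the post.
VT_URL_RE = re.compile(r"virustotal\.com/[a-z]{2}/file/([0-9a-f]{64})/")


def sha256_from_vt_url(url):
    """Return the SHA256 embedded in a VirusTotal file URL, or None."""
    m = VT_URL_RE.search(url)
    return m.group(1) if m else None


def vt_url(sha256):
    """Build a VirusTotal analysis URL in the form used in this post."""
    return "https://www.virustotal.com/en/file/%s/analysis/" % sha256


def hash_bytes(data):
    """Return (size, md5, sha256) for a byte string."""
    return (len(data),
            hashlib.md5(data).hexdigest(),
            hashlib.sha256(data).hexdigest())


def identify(data):
    """Return the IOC name whose size, MD5 and SHA256 all match, else None."""
    size, md5, sha = hash_bytes(data)
    for name, (ioc_size, ioc_md5, ioc_sha) in IOCS.items():
        if size == ioc_size and md5 == ioc_md5 and sha == ioc_sha:
            return name
    return None


def check_archive(zip_source, password=None):
    """Hash every member of a (possibly password-protected) ZIP.

    zip_source may be a path or a file-like object.  Members are read into
    memory, never extracted to disk, so the samples are not written where an
    AV scanner or a stray double-click can reach them.  Returns
    {member: {"size", "md5", "sha256", "match"}} where "match" is the IOC
    name or None.
    """
    pwd = password.encode() if isinstance(password, str) else password
    report = {}
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info, pwd=pwd)
            size, md5, sha = hash_bytes(data)
            report[info.filename] = {
                "size": size,
                "md5": md5,
                "sha256": sha,
                "match": identify(data),
            }
    return report


if __name__ == "__main__":
    import sys
    # Usage: python check_iocs.py <archive.zip> [password]
    archive = sys.argv[1]
    pw = sys.argv[2] if len(sys.argv) > 2 else None
    for member, r in check_archive(archive, pw).items():
        flag = r["match"] or "NO MATCH"
        print("%-30s %8d  %s  %s" % (member, r["size"], r["sha256"], flag))
        if r["match"] is None:
            print("  (compare against %s)" % vt_url(r["sha256"]))
```

The archive password is passed as a plain string and encoded for zipfile, which only supports the legacy ZipCrypto scheme; an archive protected with AES will raise an error on read rather than silently returning wrong bytes. A member that reports no match is not necessarily a different file: renamed samples still match, because the lookup keys on hashes and size rather than on the member name.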

 

SOME SCREENSHOTS FROM THE TRAFFIC

Malicious iframe in page from the compromised website:

 

First redirect points to second redirect:

 

Second redirect points to Gondad EK landing page:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
