2015-01-03 - KAIXIN EK FROM 119.147.137.128 - AS2.22WDASDA.CC

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND MALICIOUS JAVASCRIPT REQUEST:

 

KAIXIN EK:

 

POST-INFECTION TRAFFIC FROM MALWR.COM ANALYSIS:

NOTE: This analysis is for the payload from the Threatglass pcap.  It's the same file hash as my example.

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  NlNwQh.jar
File size:  6.2 KB ( 6308 bytes )
MD5 hash:  09484c33ccdf8ea852febbdaeb5c7119
Detection ratio:  9 / 46
First submission:  2015-01-03 23:41:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/203fcb435a6a4c8a92b20507ceacbde278069b218f5f3ed435ae4704381578a1/analysis/

 

MALWARE PAYLOAD:

File name:  xzz1.exe
File size:  37.5 KB ( 38400 bytes )
MD5 hash:  d652d64c99edd2c1b0a97e0128abf75c
Detection ratio:  33 / 56
First submission:  2015-01-03 00:48:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/167affb2b2d7cef7808cbf33560df5d32ade2c73ec2fdac8cd37221d9f3bf435/analysis/
Malwr link:  https://malwr.com/analysis/YjJlNzI2NTVkZGNkNGQ3NWJkMWZhZDlhOTIwNmY1NWM/
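To confirm that what you pull out of the ZIP is actually the two files described above, here is an added Python example (not code from the original post). It transcribes the sizes, MD5 hashes and VirusTotal links from this section, pulls the SHA256 out of each VirusTotal URL (the link path carries it even though the page lists only MD5), and compares each extracted file against all three. It assumes the files keep the names shown here and sit together in one directory.

```python
"""Check extracted samples against the IOCs listed in this post."""
import hashlib
import re
from pathlib import Path

# IOCs transcribed from the file details above (sizes in bytes).  The page
# lists MD5 only; the SHA256 is taken from each VirusTotal link.
IOCS = {
    "NlNwQh.jar": {
        "size": 6308,
        "md5": "09484c33ccdf8ea852febbdaeb5c7119",
        "vt": "https://www.virustotal.com/en/file/203fcb435a6a4c8a92b20507ceacbde278069b218f5f3ed435ae4704381578a1/analysis/",
    },
    "xzz1.exe": {
        "size": 38400,
        "md5": "d652d64c99edd2c1b0a97e0128abf75c",
        "vt": "https://www.virustotal.com/en/file/167affb2b2d7cef7808cbf33560df5d32ade2c73ec2fdac8cd37221d9f3bf435/analysis/",
    },
}

_SHA256_IN_VT_URL = re.compile(r"/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url):
    """Pull the 64-hex-digit SHA256 out of a VirusTotal file URL."""
    match = _SHA256_IN_VT_URL.search(url)
    if match is None:
        raise ValueError("no SHA256 in VirusTotal URL: %s" % url)
    return match.group(1).lower()


def hash_bytes(data):
    """Size, MD5 and SHA256 of a byte string (the three values the page gives)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_sample(name, data, iocs=IOCS):
    """Compare one extracted file against its IOC entry.

    Returns a dict field -> bool so the caller can see which check failed:
    a size mismatch usually means the wrong file or a truncated download,
    a matching size with a hash mismatch means a different build.
    """
    expected = iocs[name]
    observed = hash_bytes(data)
    return {
        "size": observed["size"] == expected["size"],
        "md5": observed["md5"] == expected["md5"].lower(),
        "sha256": observed["sha256"] == sha256_from_vt_url(expected["vt"]),
    }


def check_directory(directory, iocs=IOCS):
    """Check every listed IOC file present under `directory`.

    Files not found are reported as None rather than False, so a missing
    sample is not mistaken for a tampered one.
    """
    results = {}
    for name in iocs:
        path = Path(directory) / name
        if not path.is_file():
            results[name] = None
            continue
        results[name] = check_sample(name, path.read_bytes(), iocs)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for sample_name, result in check_directory(target).items():
        if result is None:
            print("%-12s missing" % sample_name)
        else:
            status = "OK" if all(result.values()) else "MISMATCH"
            print("%-12s %-8s %s" % (sample_name, status, result))
```

Run it as `python check_iocs.py <directory>` from inside an isolated analysis VM. The script deliberately treats the SHA256 as the deciding hash: MD5 is what the post lists, but MD5 collisions are practical, so when the two disagree trust the SHA256 recovered from the VirusTotal link.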

 

SCREENSHOTS FROM THE TRAFFIC

 

FINAL NOTES

Again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
