2015-01-31 KAIXIN EK FROM 103.251.38.20:802 - EK PAYLOAD FROM 210.109.101.13 - WWW.MYRSVP.CO.KR

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND CHAIN OF EVENTS TO THE EXPLOIT KIT (EK):

KAIXIN EK:

POST-INFECTION TRAFFIC:

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion:

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD:

File name:  dou.exe
File size:  347.5 KB ( 355840 bytes )
MD5 hash:  8421f430cafac253263b3d1d93e0a3f3
Detection ratio:  23 / 57
First submission:  2015-01-31 11:09:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e1d8f92e6910731325e96d60cef07c4aecc4b094ab94c862585ece1bb1d4c27c/analysis/
Malwr link:  https://malwr.com/analysis/Y2NmZDRkZmYwZGE4NDNmMWI3ZTdhZTQxMjU4NDMxOTU/

JAVA EXPLOIT (SENT AFTER MALWARE PAYLOAD):

File name:  WsLzLo.jar
File size:  6.7 KB ( 6910 bytes )
MD5 hash:  bf4705cedd537bfb2a81eb397df3dbe4
Detection ratio:  12 / 57
First submission:  2015-02-01 03:19:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b0cf580821fb2fb2a7f6da64835e8542687e3fd8d069dcfbd2bfaa726d7f9b62/analysis/

FINAL NOTES

Once again, here's the link to the Threatglass entry:  http://threatglass.com/malicious_urls/insight-co-kr