2017-11-17 - KAIXIN EK STILL AROUND, VERY CHINESE, AND ACTING LIKE IT'S 2013

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-11-17-KaiXin-EK-traffic.pcap.zip   470 kB (470,272 bytes)

• 2017-11-17-KaiXin-EK-traffic.pcap   (538,517 bytes)

• 2017-11-17-KaiXin-EK-alerts.zip   3.1 kB (3,124 bytes)

• 2017-11-17-KaiXin-EK-Snort-alerts.txt   (4,949 bytes)
• 2017-11-17-KaiXin-EK-Suricata-alerts.txt   (11,508 bytes)

• 2017-11-17-KaiXin-EK-malware-and-artifacts.zip   451.7 kB (451,656 bytes)

• 2017-11-17-KaiXin-EK-OvTiFx.htm.txt   (50,706 bytes)
• 2017-11-17-KaiXin-EK-RfVvPx.htm.txt   (11,437 bytes)
• 2017-11-17-KaiXin-EK-XlGaYb.jar   (2,609 bytes)
• 2017-11-17-KaiXin-EK-jquery.js.txt   (15,728 bytes)
• 2017-11-17-KaiXin-EK-landing-page.txt   (14,709 bytes)
• 2017-11-17-KaiXin-EK-logo.swf   (23,921 bytes)
• 2017-11-17-KaiXin-EK-payload-11.7.exe   (377,344 bytes)
• 2017-11-17-KaiXin-EK-swfobject.js.txt   (12,624 bytes)

NOTES:

• Yes, KaiXin exploit kit (EK) is still around.
• Who still uses Java exploits like it's 2013?  KaiXin EK, that's who!
• Didn't get any post-infection traffic on my lab host, but you can see what the payload does in this analysis of the malware.

 

Shown above:  Borrowed and modified from @Kafeine's tweet in March 2017.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

ASSOCIATED DOMAINS:

• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/jquery.js
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/RfVvPx.html
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/OvTiFx.html
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/swfobject.js
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/logo.swf
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/XlGaYb.jar
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/com.class
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/edu.class
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/net.class
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/org.class
• 119.28.122[.]11 port 80 - playnco[.]club - GET /11.7/11.7.exe

 

FILE HASHES

KAIXIN EK JAVA EXPLOIT:

• SHA256 hash:  e80baa839d5429edbe4da98f804293bf1f587c82d5f47456946594a2b4b73012
  File size:  2,609 bytes

 

KAIXIN EK FLASH EXPLOIT:

• SHA256 hash:  21c5a5d05c2c4ec1355ed061a2689699cf8acb036cf5f6c337ca12387362e820
  File size:  23,921 bytes

 

KAIXIN EK PAYLOAD (A WINDOWS EXECUTABLE):

• SHA256 hash:  f710f3c77276e7082d68d365413a658d80b6cac66c8b0c9a67b20426259a2035
  File size:  377,344 bytes

 

IMAGES

Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats ruleset.

 

Shown above:  Edited list of alerts using Snort 2.9.11 and the Snort subscription ruleset when playing back the same pcap.

 

Shown above:  The Windows executable sent by KaiXin EK as the malware payload.

 

FINAL NOTES

Click here to return to the main page.