2013-07-21 - BLACKHOLE EXPLOIT KIT FROM 176.119.5[.]7 - DOMENICOSSOS[.]COM

NOTICE:

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

BLACKHOLE EK:

 

POST-INFECTION TRAFFIC FROM THE PCAP:

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2013-07-21-Blackhole-EK-java-exploit.jar
File size:  31.3 KB ( 31,339 bytes )
First submission:  2013-07-18 23:41:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54715c17cfdfe27e618fb467f8b9cfed6ab2e1cc438a1e7aebb9e6c1e039b066/analysis/

 

MALWARE PAYLOAD 1 OF 3:

File name:  2013-07-21-Blackhole-EK-malware-payload-calc.exe
File size:  348.2 KB ( 348,160 bytes )
First submission:  2013-07-18 17:00:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54cc576e2acd83ed9e530184d481c5b7e3423056b81aac072c367426d7319617/analysis/

 

MALWARE PAYLOAD 2 OF 3:

File name:  2013-07-21-Blackhole-EK-malware-payload-info.exe
File size:  212.0 KB ( 211,968 bytes )
First submission:  2013-07-18 08:20:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ee56edd7d9aad3e98ac77f23318bb2b828d9be0075ba2a771de58de7c1587cba/analysis/

 

MALWARE PAYLOAD 3 OF 3:

File name:  2013-07-21-Blackhole-EK-malware-payload-readme.exe
File size:  102.9 KB ( 102,912 bytes )
First submission:  2013-07-12 17:30:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/43565420246215bef3f02615166e38eaec4cde9d77c59f322c99421d1693649c/analysis/
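The file listings above carry everything needed to turn this write-up into machine-checkable indicators: the SHA-256 sits in the path of each VirusTotal link, the byte count sits in the size line, and the network indicators in the title are defanged with "[.]". The script below is an added example, not part of the original page or the Blackhole EK samples; it parses those listing blocks (copied inline as constructed input), refangs the IP and domain, and checks a local sample's size and SHA-256 against the records. It assumes the VirusTotal URL layout shown on this page (`.../file/<sha256>/analysis/`) and the "[.]" defanging convention; no other format is supported.

```python
"""Turn a traffic-analysis write-up's file listings into structured IOCs
and verify a sample against them (added example; not the page's own code)."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the title line and the four file listings from this
# write-up, copied as they appear on the page.
PAGE_TEXT = """\
2013-07-21 - BLACKHOLE EXPLOIT KIT FROM 176.119.5[.]7 - DOMENICOSSOS[.]COM

File name:  2013-07-21-Blackhole-EK-java-exploit.jar
File size:  31.3 KB ( 31,339 bytes )
First submission:  2013-07-18 23:41:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54715c17cfdfe27e618fb467f8b9cfed6ab2e1cc438a1e7aebb9e6c1e039b066/analysis/

File name:  2013-07-21-Blackhole-EK-malware-payload-calc.exe
File size:  348.2 KB ( 348,160 bytes )
First submission:  2013-07-18 17:00:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54cc576e2acd83ed9e530184d481c5b7e3423056b81aac072c367426d7319617/analysis/

File name:  2013-07-21-Blackhole-EK-malware-payload-info.exe
File size:  212.0 KB ( 211,968 bytes )
First submission:  2013-07-18 08:20:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ee56edd7d9aad3e98ac77f23318bb2b828d9be0075ba2a771de58de7c1587cba/analysis/

File name:  2013-07-21-Blackhole-EK-malware-payload-readme.exe
File size:  102.9 KB ( 102,912 bytes )
First submission:  2013-07-12 17:30:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/43565420246215bef3f02615166e38eaec4cde9d77c59f322c99421d1693649c/analysis/
"""


@dataclass(frozen=True)
class FileRecord:
    name: str
    size: int      # exact byte count from the "( N bytes )" part of the size line
    sha256: str    # hex digest taken from the VirusTotal URL path


# One listing block: name, size, optional submission line, VT link.
# Assumption: VT file links embed the SHA-256 as .../file/<64 hex>/...
FILE_RE = re.compile(
    r"File name:\s+(?P<name>\S+)\s+"
    r"File size:\s+[\d.]+ [KMG]B \( (?P<size>[\d,]+) bytes \)\s+"
    r"(?:First submission:[^\n]*\n\s*)?"
    r"VirusTotal link:\s+https://www\.virustotal\.com/(?:[a-z]{2}/)?file/"
    r"(?P<sha256>[0-9a-f]{64})/"
)


def parse_file_records(text: str) -> List[FileRecord]:
    """Extract every file listing block into a FileRecord."""
    return [
        FileRecord(m["name"], int(m["size"].replace(",", "")), m["sha256"].lower())
        for m in FILE_RE.finditer(text)
    ]


def refang(indicator: str) -> str:
    """Undo "[.]" and "hxxp" defanging so the value can be fed to a blocklist."""
    value = indicator.replace("[.]", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.lower()


def extract_defanged(text: str) -> List[str]:
    """Return refanged network indicators, in page order, without duplicates."""
    found: List[str] = []
    for token in text.split():
        if "[.]" in token or token.lower().startswith("hxxp"):
            value = refang(token.strip(".,;:()<>\"'"))
            if value not in found:
                found.append(value)
    return found


def verify_sample(data: bytes, record: FileRecord) -> dict:
    """Check a sample's size and SHA-256 against one record; both must match."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "size_ok": len(data) == record.size,
        "sha256_ok": digest == record.sha256,
        "sha256": digest,
    }


def classify_sample(data: bytes, records: List[FileRecord]) -> Optional[FileRecord]:
    """Return the record whose SHA-256 matches the sample, or None if unknown."""
    digest = hashlib.sha256(data).hexdigest()
    for record in records:
        if record.sha256 == digest:
            return record
    return None


if __name__ == "__main__":
    for rec in parse_file_records(PAGE_TEXT):
        print(f"{rec.sha256}  {rec.size:>8}  {rec.name}")
    print("network indicators:", extract_defanged(PAGE_TEXT))
```

The size check is deliberately kept beside the hash check: a sample that has been re-packed, truncated in transit, or padded by a sandbox will fail the size comparison even before you look at the digest, which is a quick tell that you are not holding the file the write-up describes.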

 

SIGNATURE HITS

Screenshot of Emerging Threats signature hits from Sguil on Security Onion (without ET POLICY or ET INFO events):

 

SCREENSHOTS FROM THE TRAFFIC

Compromised website (link from a spam email):

 

Sutra TDS redirect:

 

Blackhole EK landing page:

 

Blackhole EK sends Java exploit:

 

Blackhole EK sends 3 different malware payloads:

 
