Malware-Traffic-Analysis.net - 2013-07-21

2013-07-21 - BLACKHOLE EK FROM 176.119.5.7 - DOMENICOSSOS.COM

PCAP AND MALWARE:

ZIP file of the PCAP: 2013-07-21-Blackhole-EK-traffic.pcap.zip
ZIP file of the malware: 2013-07-21-Blackhole-EK-malware.zip

NOTES:

This was an early blog entry, back when I began documenting exploit kit (EK) traffic.
The traffic is dated 2013-07-19, but I didn't post the original blog entry until 2014-07-21.
This blog entry has been updated to match my current formatting.

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

91.186.20.51 - tonerkozpont.com - Compromised website
176.119.5.7 - raiwinners.org - Redirect
176.119.5.7 - domenicossos.com - Blackhole EK
various IP addresses - various domains ending with: ohtheigh.cc - Shylock C2 post-infection traffic
92.55.86.251 port 16471 - ZeroAccess post-infection traffic

COMPROMISED WEBSITE AND REDIRECT:

2014-07-19 00:45:33 UTC - 192.168.204.150:54616 - 91.186.20.51:80 - tonerkozpont.com - GET /wp-content/themes/weaver/lfl/sftxtel.html
2014-07-19 00:45:33 UTC - 192.168.204.150:54618 - 176.119.5.7:80 - raiwinners.org - GET /sword/in.cgi?2

BLACKHOLE EK:

00:45:34 UTC - 176.119.5.7:80 - domenicossos.com - GET /ngen/controlling/mydb.php
00:45:36 UTC - 176.119.5.7:80 - domenicossos.com - GET /ngen/shrift.php
00:45:36 UTC - 176.119.5.7:80 - domenicossos.com - GET /favicon.ico
00:45:41 UTC - 176.119.5.7:80 - domenicossos.com - GET /ngen/controlling/mydb.php?lMugUQWjIXMtBPs=kOYtJQcaB&fumnLe=KFvcpHDMtxET
00:45:42 UTC - 176.119.5.7:80 - domenicossos.com - GET /ngen/controlling/mydb.php?Vf=53322f312h&be=2g522j31302d57302e31&Z=2d&sZ=m&FC=l
00:45:45 UTC - 176.119.5.7:80 - domenicossos.com - GET /ngen/controlling/mydb.php?Hf=53322f312h&ye=2g542d2f2h562j522j56&S=2d&fG=C&Pi=Q
00:45:46 UTC - 176.119.5.7:80 - domenicossos.com - GET /ngen/controlling/mydb.php?ff=53322f312h&le=5552532f2j562h555630&s=2d&Bf=e&Iu=M

POST-INFECTION TRAFFIC FROM THE PCAP:

2014-07-19 00:45:45 UTC - 192.168.204.150:54627 - 91.228.53.137:443 - HTTPS traffic to: ivl51exuuxu.ohtheigh.cc
2014-07-19 00:45:46 UTC - 192.168.204.150:54628 - 91.228.53.137:443 - HTTPS traffic to: ivl51exuuxu.ohtheigh.cc
2014-07-19 00:45:52 UTC - 192.168.204.150:54631 - 173.224.210.244:443 - HTTPS traffic to: u7l359jww7v2x3dp.ohtheigh.cc
2014-07-19 00:45:52 UTC - 192.168.204.150:54632 - 91.228.53.137:443 - HTTPS traffic to: ar6ehfplcr.ohtheigh.cc
2014-07-19 00:45:52 UTC - 192.168.204.150:54633 - 173.224.210.244:443 - HTTPS traffic to: yqitxnvlyjeci.ohtheigh.cc
2014-07-19 00:45:54 UTC - 192.168.204.150:54636 - 173.224.210.244:443 - HTTPS traffic to: u7l359jww7v2x3dp.ohtheigh.cc
2014-07-19 00:45:55 UTC - 192.168.204.150:54638 - 173.224.210.244:443 - HTTPS traffic to: yqitxnvlyjeci.ohtheigh.cc
2014-07-19 00:45:55 UTC - 192.168.204.150:54639 - 91.228.53.137:443 - HTTPS traffic to: ar6ehfplcr.ohtheigh.cc
2014-07-19 00:45:58 UTC - 192.168.204.150:54640 - 91.228.53.199:443 - HTTPS traffic to: 7pk7zf52f7mshkx.ohtheigh.cc
2014-07-19 00:45:58 UTC - 192.168.204.150:54641 - 91.228.53.199:443 - HTTPS traffic to: 7pk7zf52f7mshkx.ohtheigh.cc
2014-07-19 00:46:07 UTC - 192.168.204.150:54643 - 173.224.210.244:443 - HTTPS traffic to: cm34717.ohtheigh.cc
2014-07-19 00:46:07 UTC - 192.168.204.150:54644 - 91.228.53.199:443 - HTTPS traffic to: qffcg8yjlo.ohtheigh.cc
2014-07-19 00:46:07 UTC - 192.168.204.150:54645 - 173.224.210.244:443 - HTTPS traffic to: cm34717.ohtheigh.cc
2014-07-19 00:46:07 UTC - 192.168.204.150:54646 - 91.228.53.199:443 - HTTPS traffic to: qffcg8yjlo.ohtheigh.cc
2014-07-19 00:46:38 UTC - 192.168.204.150:54657 - 92.55.86.251:16471 - ZeroAccess TCP traffic
2014-07-19 00:46:38 UTC - 192.168.204.150:54658 - 92.55.86.251:16471 - ZeroAccess TCP traffic
2014-07-19 00:46:38 UTC - 192.168.204.150:54659 - 92.55.86.251:16471 - ZeroAccess TCP traffic
2014-07-19 00:46:38 UTC - 192.168.204.150:54660 - 92.55.86.251:16471 - ZeroAccess TCP traffic
2014-07-19 00:46:38 UTC - 192.168.204.150:54661 - 92.55.86.251:16471 - ZeroAccess TCP traffic
2014-07-19 00:47:49 UTC - 192.168.204.150:54692 - 173.224.210.244:443 - HTTPS traffic to: 1jskidelt2pg0238du.ohtheigh.cc
2014-07-19 00:47:49 UTC - 192.168.204.150:54693 - 173.224.210.244:443 - HTTPS traffic to: 1jskidelt2pg0238du.ohtheigh.cc

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name: 2013-07-21-Blackhole-EK-java-exploit.jar
File size: 30.6 KB ( 31339 bytes )
MD5 hash: f472177c3d4f8d76cacb20c3a092a2cc
Detection ratio: 20 / 52
First submission: 2013-07-18 23:41:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/54715c17cfdfe27e618fb467f8b9cfed6ab2e1cc438a1e7aebb9e6c1e039b066/analysis/

MALWARE PAYLOAD 1 OF 3:

File name: 2013-07-21-Blackhole-EK-malware-payload-calc.exe
File size: 340.0 KB ( 348160 bytes )
MD5 hash: 94fe26c6d39dc6d5c8f478393cada652
Detection ratio: 41 / 55
First submission: 2013-07-18 17:00:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/54cc576e2acd83ed9e530184d481c5b7e3423056b81aac072c367426d7319617/analysis/

MALWARE PAYLOAD 2 OF 3:

File name: 2013-07-21-Blackhole-EK-malware-payload-info.exe
File size: 207.0 KB ( 211968 bytes )
MD5 hash: 1a495c98798cde496bc1f1bc7e7d7280
Detection ratio: 43 / 54
First submission: 2013-07-18 08:20:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/ee56edd7d9aad3e98ac77f23318bb2b828d9be0075ba2a771de58de7c1587cba/analysis/

MALWARE PAYLOAD 3 OF 3:

File name: 2013-07-21-Blackhole-EK-malware-payload-readme.exe
File size: 100.5 KB ( 102912 bytes )
MD5 hash: b9a3ab785a10deaa2226afea15c392ed
Detection ratio: 40 / 53
First submission: 2013-07-12 17:30:52 UTC
VirusTotal link: https://www.virustotal.com/en/file/43565420246215bef3f02615166e38eaec4cde9d77c59f322c99421d1693649c/analysis/