2013-08-01 - COOL EK FROM 142.0.45.29 - XWQRALQ.SERVEHTTP.COM

PCAP AND MALWARE:

• ZIP of the PCAP:  2013-07-31-Cool-EK-traffic.pcap.zip
• ZIP file of the malware:  2013-07-31-Cool-EK-malware.zip

 

NOTES:

• This is an early blog entry, back when I began documenting exploit kit (EK) traffic.
• The traffic patterns match Cool EK as described by Kafeine in his writeup at: http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html
• This blog entry has been updated a to follow my current format a little better.
• See the original writeup below.

 

2013-08-01 - INTERESTING EXPLOIT PATTERN

I ran across a new traffic pattern from 3 drive-by exploits in the last 24 hours.  3 were hit with the same drive-by when the users were viewing a Youtube video.  For example:

Original referrer: www.youtube.com - GET /watch?v=qf8TpcSuRWA&list=RD02ERjVEX5FgoI

• 2013-07-31 17:49:46 GMT - 188.120.236.219 - top.lossa.be - GET /pro/
• 2013-07-31 17:49:47 GMT - 142.0.45.29 - xwqralq.servehttp.com - GET /water/boundary_combine.html
• 2013-07-31 17:49:55 GMT - 142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.jar    [java exploit]
• 2013-07-31 17:49:59 GMT - 142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.txt?f=102    [malware]

2 of the 3 machines became infected.  In both of the infections, we saw the following type of callback traffic 5.104.106.79:

Here's a comparison of the three initial HTTP GET requests to the different malware delivery domains:

• akaesdk.servequake.com - GET /water/boundary_combine.html
• xqxmidc.servepics.com - GET /water/boundary_combine.html
• xwqralq.servehttp.com - GET /water/boundary_combine.html

Same thing with the Java exploits...

• akaesdk.servequake.com - GET /water/magnitude-geological.jar
• xqxmidc.servepics.com - GET /water/magnitude-geological.jar
• xwqralq.servehttp.com - GET /water/magnitude-geological.jar

It looks like top.lossa.be was the handover domain each time.  Here's a few screen shots of the traffic:

188.120.236.219 - top.lossa.be - GET /pro/

142.0.45.29 - xwqralq.servehttp.com - GET /water/boundary_combine.html

142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.jar

142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.txt?f=102

Callback traffic: 5.104.106.79 - POST /index.php

 

SNORT EVENTS

Screenshot of Emerging Threats signature hits from Sguil on Security Onion (without ET POLICY or ET INFO events):

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT:

File name:  2013-07-31-Cool-EK-java-exploit.jar
File size:  18.8 KB ( 19259 bytes )
MD5 hash:  b8d4d2ed6243b9d35b405ace07d59de7
Detection ratio:  25 / 54
First submission:  2013-07-31 14:59:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/28b7d1b825b968a41841477b21051c6632639a8bfb337553fabbe8de5f518295/analysis/

 

MALWARE PAYLOAD:

File name:  2013-07-31-Cool-EK-malware-payload.exe
File size:  141.0 KB ( 144384 bytes )
MD5 hash:  461208781ae162e11aacf09442d6e6fb
Detection ratio:  49 / 53
First submission:  2013-07-31 17:56:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/81d1c304f4c13c5936cfda229419cffb104bb682ea6fe0c0d4b8a5ce42a37dcc/analysis/

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

• ZIP of the PCAP:  2013-07-31-Cool-EK-traffic.pcap.zip
• ZIP file of the malware:  2013-07-31-Cool-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.