2013-08-01 - COOL EK FROM 142.0.45.29 - XWQRALQ.SERVEHTTP.COM
PCAP AND MALWARE:
- ZIP of the PCAP: 2013-07-31-Cool-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-07-31-Cool-EK-malware.zip
NOTES:
- This is an early blog entry, back when I began documenting exploit kit (EK) traffic.
- The traffic patterns match Cool EK as described by Kafeine in his writeup at: http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html
- This blog entry has been updated a to follow my current format a little better.
- See the original writeup below.
2013-08-01 - INTERESTING EXPLOIT PATTERN
I ran across a new traffic pattern from 3 drive-by exploits in the last 24 hours. 3 were hit with the same drive-by when the users were viewing a Youtube video. For example:
Original referrer: www.youtube.com - GET /watch?v=qf8TpcSuRWA&list=RD02ERjVEX5FgoI
- 2013-07-31 17:49:46 GMT - 188.120.236.219 - top.lossa.be - GET /pro/
- 2013-07-31 17:49:47 GMT - 142.0.45.29 - xwqralq.servehttp.com - GET /water/boundary_combine.html
- 2013-07-31 17:49:55 GMT - 142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.jar [java exploit]
- 2013-07-31 17:49:59 GMT - 142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.txt?f=102 [malware]
2 of the 3 machines became infected. In both of the infections, we saw the following type of callback traffic 5.104.106.79:
Here's a comparison of the three initial HTTP GET requests to the different malware delivery domains:
- akaesdk.servequake.com - GET /water/boundary_combine.html
- xqxmidc.servepics.com - GET /water/boundary_combine.html
- xwqralq.servehttp.com - GET /water/boundary_combine.html
Same thing with the Java exploits...
- akaesdk.servequake.com - GET /water/magnitude-geological.jar
- xqxmidc.servepics.com - GET /water/magnitude-geological.jar
- xwqralq.servehttp.com - GET /water/magnitude-geological.jar
It looks like top.lossa.be was the handover domain each time. Here's a few screen shots of the traffic:
188.120.236.219 - top.lossa.be - GET /pro/
142.0.45.29 - xwqralq.servehttp.com - GET /water/boundary_combine.html
142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.jar
142.0.45.29 - xwqralq.servehttp.com - GET /water/magnitude-geological.txt?f=102
Callback traffic: 5.104.106.79 - POST /index.php
SNORT EVENTS
Screenshot of Emerging Threats signature hits from Sguil on Security Onion (without ET POLICY or ET INFO events):
PRELIMINARY MALWARE ANALYSIS
JAVA EXPLOIT:
File name: 2013-07-31-Cool-EK-java-exploit.jar
File size: 18.8 KB ( 19259 bytes )
MD5 hash: b8d4d2ed6243b9d35b405ace07d59de7
Detection ratio: 25 / 54
First submission: 2013-07-31 14:59:34 UTC
VirusTotal link: https://www.virustotal.com/en/file/28b7d1b825b968a41841477b21051c6632639a8bfb337553fabbe8de5f518295/analysis/
MALWARE PAYLOAD:
File name: 2013-07-31-Cool-EK-malware-payload.exe
File size: 141.0 KB ( 144384 bytes )
MD5 hash: 461208781ae162e11aacf09442d6e6fb
Detection ratio: 49 / 53
First submission: 2013-07-31 17:56:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/81d1c304f4c13c5936cfda229419cffb104bb682ea6fe0c0d4b8a5ce42a37dcc/analysis/
FINAL NOTES
Once again, here's the PCAP of the traffic and ZIP file of the malware:
- ZIP of the PCAP: 2013-07-31-Cool-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-07-31-Cool-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.