2013-08-23 - G01PACK EXPLOIT KIT SENDS RANSOMWARE

NOTICE:

ASSOCIATED FILES:

 

NOTES:

Searching through the CLEAN MX realtime database, I found a compromised site named mpraid3[.]com.  According to the whois on the domain name, mpraid3[.]com was registered on 2013-08-21, only 2 days prior to this blog entry.  It was registered through DomainContext, Inc.  From what I can tell, this is a registrar based in Russia.  The domain is hosted on 192.133.137[.]142, which is registered to Serverel[.]com, a hosting provider based in Sunnyvale, California.

When we visit that site from a vulnerable Windows host, it doesn't display a website at all; instead it redirects to malicious code that returns a blank page.  Within a few seconds, the vulnerable Windows host is infected with "ransomware" that locks the computer with a fake notice, as shown below...

 

SNORT EVENTS

Using Security Onion to monitor a vulnerable Windows computer, the following events triggered in Sguil when typing mpraid3[.]com into a web browser:

INFECTION TRAFFIC

The first HTTP GET request was to mpraid3[.]com on 192.133.137[.]142, which returned a 302 with a redirect to the malware delivery domain at kucf.3wasnev[.]info on 5.149.255[.]102.

Here are all the actors involved in this traffic:

Here's an overview of the infection traffic:

INFECTION TRAFFIC DETAILS

GET /
IP address: 192.133.137[.]142
domain name: mpraid3[.]com

Sguil events: None

Screenshot of the traffic:

 

GET /?52c4cd7199af493d987fa2366f66c99b=r9&5eec33d94eb1695a176b0322ddf07048=mpraid3[.]com
IP address: 5.149.255[.]102
domain name: kucf.3wasnev[.]info

Sguil events:

Screenshot of traffic:

 

GET /6c2c7b0be76e03a583fc65dc488fdbff/c8d54b59e486a9fc421fcd4f70f5a36e.swf
IP address: 5.149.255[.]102
domain name: kucf.3wasnev[.]info

Sguil event:

Screenshot of traffic:

 

GET /6c2c7b0be76e03a583fc65dc488fdbff/a73370ca160391ecf91ebf547b502d7a.jnlp
IP address: 5.149.255[.]102
domain name: kucf.3wasnev[.]info

Sguil events:

Screenshot of traffic:

 

GET /6c2c7b0be76e03a583fc65dc488fdbff/5ce0ac3225e2cc25264b5f827f176f51.jar
IP address: 5.149.255[.]102
domain name: kucf.3wasnev[.]info

Sguil events:

Screenshot of traffic:

 

GET /6c2c7b0be76e03a583fc65dc488fdbff/0
IP address: 5.149.255[.]102
domain name: kucf.3wasnev[.]info

Sguil event:

Screenshot of traffic:

This is an executable that's been XOR-ed with 0x2A (the hexadecimal value of the asterisk character "*") on each byte.  Here's what the beginning of the file looks like in a hex editor before it's decoded:

There are a few different ways to convert the file.  For example, the following Python script should do the trick, assuming the file you extracted from Wireshark is named extracted-file.bin:

# Read the XOR-obfuscated payload carved from the PCAP
b = bytearray(open('extracted-file.bin', 'rb').read())
# Undo the obfuscation: every byte was XOR-ed with the single-byte key 0x2A ("*")
for i in range(len(b)):
    b[i] ^= 0x2A
# Write out the decoded executable
open('output-binary.exe', 'wb').write(b)

Here's what it looks like after every byte is XOR-ed with 0x2A:

 

GET /6c2c7b0be76e03a583fc65dc488fdbff/4
IP address: 5.149.255[.]102
domain name: kucf.3wasnev[.]info

Screenshot of traffic:

This was the second executable.  In this case, each byte is XOR-ed with 0x0f.  If you review the PCAP, you'll see each malicious executable was sent twice, with a different single-byte XOR key used for each copy of the binary.
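The two payloads above use the same trick with different keys (0x2A and 0x0F), so a decoder only needs to recover the key rather than have it hard-coded. The following is an added example, not code from the original post: it derives the key from the expected "MZ" magic, validates the result against the PE layout, and decodes the payload. The sample executable it works on is a constructed stub with a valid DOS/PE header layout, not one of the files from this PCAP.

```python
# Added example: recover a single-byte XOR key from an obfuscated PE download
# and decode it, generalizing the 0x2A / 0x0F cases described in the post.
import struct

def make_sample_pe() -> bytes:
    """Constructed stand-in for a real executable: 'MZ' magic, e_lfanew at
    offset 0x3C pointing to a 'PE\\0\\0' signature. Not a real binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew -> offset 0x80
    hdr += b"This program cannot be run in DOS mode.\r\n$"
    hdr += b"\x00" * (0x80 - len(hdr))             # pad up to the PE header
    hdr += b"PE\x00\x00" + b"\x4c\x01"             # PE signature, Machine=i386
    return bytes(hdr) + b"\x00" * 64

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the scheme used by this kit)."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' magic and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_xor_key(blob: bytes):
    """Guess the key from the first byte (which should decode to 'M'), then
    confirm by checking the full PE layout. Returns None if that fails."""
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ ord("M")
    return key if looks_like_pe(xor_bytes(blob, key)) else None

def decode_if_xored_pe(blob: bytes):
    """Return (key, decoded_bytes), or (None, None) when no key validates."""
    key = recover_xor_key(blob)
    return (key, xor_bytes(blob, key)) if key is not None else (None, None)

if __name__ == "__main__":
    pe = make_sample_pe()
    for k in (0x2A, 0x0F):                          # the two keys seen in this traffic
        key, out = decode_if_xored_pe(xor_bytes(pe, k))
        print(f"encoded with 0x{k:02x}: recovered key 0x{key:02x}, valid PE={looks_like_pe(out)}")
```

To use it on a real carve, read the file extracted from Wireshark into `blob` and pass it to `decode_if_xored_pe`; a `None` key means the download is not a single-byte-XORed PE and needs a different decoder.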

 

The following callback traffic occurred, and some more malicious files were returned.  Review the PCAP for further information on this additional traffic.

PRELIMINARY MALWARE ANALYSIS

Java exploit from 5.149.255[.]102 (kucf.3wasnev[.]info):

https://www.virustotal.com/gui/file/8c95ee3c4ba389dab0dd1d54fef00728a9bac3344df04bbf46994829478479d6

File name:  java-exploit-from-kucf.3wasnev[.]info.jar
File size:  15.9 KB ( 15,900 bytes )

First malicious executable from 5.149.255[.]102 (kucf.3wasnev[.]info):

https://www.virustotal.com/gui/file/fc01b4102926c8975de5831b470d3e2ab2b5f105a0143e33397d89d0f35060f5

File name:  first-malicious-executable-from-kucf.3wasnev[.]info.exe
File size:  186.4 KB ( 186,369 bytes )

Second malicious executable from 5.149.255[.]102 (kucf.3wasnev[.]info):

https://www.virustotal.com/gui/file/bfae1b2a7cd32bc4cc58d9779baefc5f1e3b9f6f1eca34061a53c1360025ef4f

File name:  second-malicious-executable-from-kucf.3wasnev[.]info.exe
File size:  282.6 KB ( 282,625 bytes )

 
