Malware-Traffic-Analysis.net - A malware traffic analysis blog

2013-09-28 - ADS FROM DELIVERY.GLOBALCDNNODE.COM LEAD TO BLACKHOLE EK

PCAP AND MALWARE:

ZIP of the PCAP: 2013-09-28-Blackhole-EK-traffic.pcap.zip
ZIP file of the malware: 2013-09-28-Blackhole-EK-malware.zip

NOTES:

Starting on Sunday, 22 Sep 2013, I've seen several blackhole-style Snort events at work with the same URL from delivery.globalcdnnode.com. Here's an example:

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap,
application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hxxp://www.santabanta.com/jokes/universal-jokes/?page=9
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727;
.NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; MS-RTC LM 8)
Accept-Encoding: gzip, deflate
Host: delivery.globalcdnnode.com
Connection: Keep-Alive

DETAILS

These have all been the result of ad traffic. In the example above, the HTTP GET request to delivery.globalcdnnode.com actually came from ad.turn.com as shown in the image below:

Based on what I've seen from my other investigations, there may have been some ad-related domains in this chain of events after the original referer of www.santabanta.com before it got to the HTTP GET request to ad.turn.com

Here's what I've seen for the same URL at delivery.globalcdnnode.com/7f01baa99716452bda5bba0572c58be9/afr-zone.php

2013-09-22 15:04 GMT - Original referer: www.ndtv.com
2013-09-23 07:59 GMT - Original referer: eenadu.net/news/newsitem.aspx?item=politics&no=1
2013-09-23 11:37 GMT - Original referer: slashdot.org/?source=autorefresh
2013-09-23 18:48 GMT - Original referer: imgur.com/gallery/A85PxGv
2013-09-24 02:36 GMT - Original referer: www.wowhead.com/skill=165
2013-09-25 17:38 GMT - Original referer: www.santabanta.com/jokes/universal-jokes/?page=9
2013-09-27 06:42 GMT - Original referer: googleads.g.doubleclick.net/pagead/ads?[long string of characters]

In each case, delivery.globalcdnnode.com has resolved to a different IP address:

2013-09-22 15:04 GMT - delivery.globalcdnnode.com at: 184.168.31.24
2013-09-23 07:59 GMT - delivery.globalcdnnode.com at: 174.37.224.248
2013-09-23 11:37 GMT - delivery.globalcdnnode.com at: 64.15.147.211
2013-09-23 18:48 GMT - delivery.globalcdnnode.com at: 69.20.86.232
2013-09-24 02:36 GMT - delivery.globalcdnnode.com at: 208.43.248.29
2013-09-25 17:38 GMT - delivery.globalcdnnode.com at: 69.64.74.102
2013-09-27 06:42 GMT - delivery.golbalcdnnode.com at: 174.36.216.226

Interestingly enough, the domain was registered as of 2013-09-22, which is the date we first started seeing blackhole-type events from this domain at work. Here's some of the whois information for the domain globalcdnnode.com :

Registrant's name: Alexey Prokopenko
Organization: home
City: Ubileine
Country: Ukraine
Email: Alex1978a@bigmir.net
Created: 2013-09-22 11:30:05
Updated: 2013-09-22
Expires: 2014-09-22

Lets fire up a vulnerable Windows host and see what Security Onion finds on it when we visit the URL. In this case it's ransomware (from the Nymaim family based on one of the Snort events). If you try this on your own, your results may vary. Links to the malware and a PCAP of this particular infection are in the "Final Notes" section at the end of this blog entry.

Ah, this particular scam again...

SNORT EVENTS

The following events were triggered on a bare metal Windows 7 64-bit SP 1 install with Java 6 update 25 and Adobe Reader 10.0.0 being monitored by a default configuration of Security Onion:

00:36:47 GMT - 192.168.1.106 port 49158 - 66.84.17.101 port 80 - ET CURRENT_EVENTS Possible BHEK Landing URI Format
00:36:56 GMT - 192.168.1.106 port 49160 - 66.84.17.101 port 80 - ET POLICY Vulnerable Java Version 1.6.x Detected
00:36:56 GMT - 192.168.1.106 port 49160 - 66.84.17.101 port 80 - ET CURRENT_EVENTS Possible Blackhole EK Jar Download URI Struct
00:36:56 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49160 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
00:36:56 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49160 - ET INFO JAVA - Java Archive Download By Vulnerable Client
00:36:57 GMT - 192.168.1.106 port 49161 - 66.84.17.101 port 80 - ET CURRENT_EVENTS BlackHole EK Payload Download Sep 11 2013
00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET POLICY PE EXE or DLL Windows file download
00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET INFO EXE - Served Attached HTTP
00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET INFO Packed Executable Download
00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe
00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET POLICY Java EXE Downloal
00:36:57 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby
00:36:58 GMT - 66.84.17.101 port 80 - 192.168.1.106 port 49161 - ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
00:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS
00:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - ET TROJAN Fareit/Pony Downloader Checkin 3
00:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
00:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
00:37:10 GMT - 74.204.171.69 port 80 - 192.168.1.106 port 49162 - ET POLICY PE EXE or DLL Windows file download
00:37:10 GMT - 74.204.171.69 port 80 - 192.168.1.106 port 49162 - ET INFO Packed Executable Download
00:37:16 GMT - 192.168.1.106 port 49164 - 69.88.46.245 port 80 - PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
00:40:10 GMT - 192.168.1.106 port 49174 - 125.20.14.222 port 80 - ET TROJAN W32/Nymaim Checkin (2)

INFECTION TRAFFIC

Here are the significant domains/IP addresses involved in the initial infection:

66.84.17.101 port 80 - delivery.golbalcdnnode.com - hosts blackhole-style exploit page, delivers the java exploit, and provides the first malicious executable--a Trojan downloader. Some IDS events label the exploit page as a Darkleech exploit.
74.204.171.69 port 80 - main-firewalls.com - the first callback domain that provides the second malicious executable--the ransomware. It tried for another piece of malware but got a 404 Not Found error.

Here are the significant domains/IP addresses for the callback traffic after the machine was infected:

69.88.46.245 port 35987 - no domain name - IP address for an Internet service provider (ISP) in the US at Hagerstown, Maryland: Antietam Cable Television
81.139.129.74 port 35618 - no domain name - IP address for another ISP in the UK: London BT Public Internet Service
125.20.14.222 port 80 - instotsvin.ru - Russian domain name hosted on an IP address in India
76.114.253.25 port 35618 - no domain name - IP address for another ISP in the US: Comcast Cable Communications (for Dale city, VA)
120.146.252.247 port 35618 - no domain name - IP address for another ISP in the US: Comcast Cable Communications (for Boston, MA)
50.63.52.53 port 35618 - no domain name - IP address for another ISP in the US: GoDaddy.com (e-bourne.com uses this IP address.)

Chain of events to the initial infection of Trojan downloader:

19:36:47 GMT - 192.168.1.106 port 49158 - 66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php
19:36:51 GMT - 192.168.1.106 port 49159 - 66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /favicon.ico
19:36:56 GMT - 192.168.1.106 port 49160 - 66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?4WC2937*H*=-5J*S!e&w_fM7RoG=(!x-4_al-_
19:36:57 GMT - 192.168.1.106 port 49161 - 66.84.17.101 port 80 - delivery.globalcdnnode.com - GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?m*ml1v*6x0f1)84=8dwe8dw78e&4G-!2**=w88c8dw6wdw7wbwbwd8c&R!778K*Ks6-=ww&6N!J813_**j=fvM78KV&8D0h-L!-B4_8_5*=!**a*R3l7

Callback for the ransomware:

19:37:10 GMT - 192.168.1.106 port 49162 - 74.204.171.69 port 80 - main-firewalls.com - GET /6.exe
19:37:11 GMT - 192.168.1.106 port 49163 - 74.204.171.69 port 80 - main-firewalls.com - GET /1.exe?c=13

Callback activity after the machine was infected with the ransomware:

19:37:16 GMT - 192.168.1.106 port 49164 - 69.88.46.245 port 35987 - no domain name - POST /36414/j481261/index.php
19:39:26 GMT - 192.168.1.106 port 49171 - 81.139.129.74 port 35618 - no domain name - POST /RnRfoI?YUhsYiJvWiQQphCTe=yGdUDvFgWwOKYiQh&EIGnkbNDGP=oiIFegxpmXVrKb
19:40:10 GMT - 192.168.1.106 port 49174 - 125.20.14.222 port 80 - instotsvin.ru - POST /nH2zhg?HeeaFwGMpGc=tvQjVADernTbdM&JBbvwDSelGrELo=CQTwxlErbjFLtygd
19:40:15 GMT - 192.168.1.106 port 49175 - 125.20.14.222 port 80 - instotsvin.ru - POST /yPbXq46qd?cAYNLlfcMtSqcTc=INCsYcaxqHcilM&OhKLsrlBTMRkxbUM=xqerjUpaivxmoxp&jbRmaMpInTUhm=SbInVGmSheRLO
19:40:15 GMT - 192.168.1.106 port 49176 - 76.114.253.25 port 35618 - no domain name - POST /Gx292jk?emrLgequbgauCvA=CpCBAVIecbqQa
19:40:16 GMT - 192.168.1.106 port 49177 - 120.146.252.247 port 35618 - no domain name - POST /VEm2lt6uo?KyNHXjXkIulOTa=BEwwexgfNJHVOB&tTuWKKBcLtPvTBK=XmoNdIVCHUukl
19:40:17 GMT - 192.168.1.106 port 49178 - 120.146.252.247 port 35618 - no domain name - POST /EvCdwW?xtfrjayLopxYYFd=JmGVCYxPgrBhcH
19:40:20 GMT - 192.168.1.106 port 49179 - 120.146.252.247 port 35618 - no domain name - POST /x3JPge5ys?RJfkMMykmHVVh=xaLQnTpyAiXMoP&ToDmeJEJxYWmtXF
19:40:21 GMT - 192.168.1.106 port 49180 - 120.146.252.247 port 35618 - no domain name - POST /x3JPge5ys?RJfkMMykmHVVh=xaLQnTpyAiXMoP&ToDmeJEJxYWmtXF
19:40:31 GMT - 192.168.1.106 port 49181 - 120.146.252.247 port 35618 - no domain name - POST /DvZ5os6hk?utwRQAHDykohxjJ=MONfcSiTxDJmF
19:40:59 GMT - 192.168.1.106 port 49182 - 120.146.252.247 port 35618 - no domain name - POST /lsqEf7?churVvcxrarcMllNj=kpifyKNGDbA&jxDjcwFOdNTUc=AhKoiYaMkjui
19:41:03 GMT - 192.168.1.106 port 49183 - 120.146.252.247 port 35618 - no domain name - POST /TeHavW8vV?nTvVlcNjPpXnh=HspQwHYfMhrnaqWB&WuOEkYPKhYgn=AeidFNJUHgxqWF&CDBbEwMiOjG
19:41:21 GMT - 192.168.1.106 port 49184 - 71.233.228.250 port 35618 - no domain name - POST /pHxXeF?GxGCLIJVkxNj=eFoiPCMswbDQm&UvGGLaqLxiPK=ThhRgNCNcxfo&RBLNGuQMhELo=GNkhpSGCtUIdI
19:41:22 GMT - 192.168.1.106 port 49185 - 71.233.228.250 port 35618 - no domain name - POST /2JRW2kn?PjdrlmmRKeTvDQj=ykqghJKSCVoeQh&PajPXuFurlglORRRP
19:41:22 GMT - 192.168.1.106 port 49186 - 50.63.52.53 port 35618 - no domain name - POST /0X2d7ri?UPMudvhCAqKjvH=DbYCEdVkgmWpi&WSDQisxyrINIVnin=fvwCRQSspxvPCmBlI&LyMslMCNdSGp

INFECTION TRAFFIC DETAILS

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php
IP address: 66.84.17.101 port 80
domain name: delivery.globalcdnnode.com

Sguil event:

ET CURRENT_EVENTS Possible BHEK Landing URI Format

Screenshot of traffic:

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?4WC2937*H*=-5J*S!e&w_fM7RoG=(!x-4_al-_
IP address: 66.84.17.101 port 80
domain name: delivery.globalcdnnode.com

Sguil events:

ET POLICY Vulnerable Java Version 1.6.x Detected

ET CURRENT_EVENTS Possible Blackhole EK Jar Download URI Struct

ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs

ET INFO JAVA - Java Archive Download By Vulnerable Client

Screenshot of traffic:

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?m*ml1v*6x0f1)84=8dwe8dw78e&4G-!2**=w88c8dw6wdw7wbwbwd8c&R!778K*Ks6-=ww&6N!J813_**j=fvM78KV&8D0h-L!-B4_8_5*=!**a*R3l7
IP address: 66.84.17.101 port 80
domain name: delivery.globalcdnnode.com

Sguil events:

ET CURRENT_EVENTS BlackHole EK Payload Download Sep 11 2013

ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe

ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

ET POLICY PE EXE or DLL Windows file download

ET INFO EXE - Served Attached HTTP

ET INFO Packed Executable Download

ET POLICY Java EXE Download

ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby

Screenshot of traffic:

GET /6.exe
IP address: 74.204.171.69 port 80
domain name: main-firewalls.com

Sguil events:

ET TROJAN Fareit/Pony Downloader Checkin 3

ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS

ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System

ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.

ET POLICY PE EXE or DLL Windows file download

ET INFO Packed Executable Download

Screenshot of traffic:

GET /1.exe?c=13
IP address: 74.204.171.69 port 80
domain name: main-firewalls.com

Sguil events: none

Screenshot of traffic:

POST /36414/j481261/index.php
IP address: 69.88.46.245 port 80
domain name: none

Sguil event:

PADS New Asset - http Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Screenshot of traffic:

POST /RnRfoI?YUhsYiJvWiQQphCTe=yGdUDvFgWwOKYiQh&EIGnkbNDGP=oiIFegxpmXVrKb
IP address: 81.139.129.74 port 35618
domain name: none

Sguil events: none

Screenshot of traffic:

POST /nH2zhg?HeeaFwGMpGc=tvQjVADernTbdM&JBbvwDSelGrELo=CQTwxlErbjFLtygd
IP address: 125.20.14.222 port 80
domain name: instotsvin.ru

Sguil event:

ET TROJAN W32/Nymaim Checkin (2)

Screenshot of traffic:

The rest of the callback traffic is the same as the previous 3 entries:

125.20.14.222 port 80 - instotsvin.ru - POST /yPbXq46qd?cAYNLlfcMtSqcTc=INCsYcaxqHcilM&OhKLsrlBTMRkxbUM=xqerjUpaivxmoxp&jbRmaMpInTUhm=SbInVGmSheRLO
76.114.253.25 port 35618 - no domain name - POST /Gx292jk?emrLgequbgauCvA=CpCBAVIecbqQa
120.146.252.247 port 35618 - no domain name - POST /VEm2lt6uo?KyNHXjXkIulOTa=BEwwexgfNJHVOB&tTuWKKBcLtPvTBK=XmoNdIVCHUukl
120.146.252.247 port 35618 - no domain name - POST /EvCdwW?xtfrjayLopxYYFd=JmGVCYxPgrBhcH
120.146.252.247 port 35618 - no domain name - POST /x3JPge5ys?RJfkMMykmHVVh=xaLQnTpyAiXMoP&ToDmeJEJxYWmtXF
120.146.252.247 port 35618 - no domain name - POST /DvZ5os6hk?utwRQAHDykohxjJ=MONfcSiTxDJmF
120.146.252.247 port 35618 - no domain name - POST /lsqEf7?churVvcxrarcMllNj=kpifyKNGDbA&jxDjcwFOdNTUc=AhKoiYaMkjui
120.146.252.247 port 35618 - no domain name - POST /TeHavW8vV?nTvVlcNjPpXnh=HspQwHYfMhrnaqWB&WuOEkYPKhYgn=AeidFNJUHgxqWF&CDBbEwMiOjG
71.233.228.250 port 35618 - no domain name - POST /pHxXeF?GxGCLIJVkxNj=eFoiPCMswbDQm&UvGGLaqLxiPK=ThhRgNCNcxfo&RBLNGuQMhELo=GNkhpSGCtUIdI
71.233.228.250 port 35618 - no domain name - POST /2JRW2kn?PjdrlmmRKeTvDQj=ykqghJKSCVoeQh&PajPXuFurlglORRRP
50.63.52.53 port 35618 - no domain name - POST /0X2d7ri?UPMudvhCAqKjvH=DbYCEdVkgmWpi&WSDQisxyrINIVnin=fvwCRQSspxvPCmBlI&LyMslMCNdSGp

PRELIMINARY MALWARE ANALYSIS

Java exploit from 66.84.17.101 (delivery.golbalcdnnode.com):

https://www.virustotal.com/en/file/bd7c0f52fd7d7e9b20ab9e8f13ac114243a4f09433f484f8fbc3b51c7c44650d/analysis/1380435320/

File name: java-archive-from-delivery.globalcdnnode.com.jar
File size: 28.7 KB ( 29404 bytes )
MD5: d49275523cae83a5e7639bb22604dd86
Detection ratio: 5 / 47

Malicious executable from 66.84.17.101 (delivery.golbalcdnnode.com):

https://www.virustotal.com/en/file/5fbcce025624741d66f092f6c322cce15a73a467b0042f07becd1957c4bd1b69/analysis/1380436024/

File name: malicious-executable-from-delivery.globalcdnnode.com.exe
File size: 123.0 KB ( 125952 bytes )
MD5: 9b75da764b0fa639b18548d52255689b
Detection ratio: 20 / 48

Malicious executable from 74.204.171.69 (main-firewalls.com):

https://www.virustotal.com/en/file/a8caf61ef1dac3a91269c76b98db41530afccbaba81c28d6b2981bbcc8c7d55d/analysis/1380436034/

File name: malicious-executable-from-main-firewalls.com.exe
File size: 157.5 KB ( 161280 bytes )
MD5: c8edabf40c6cf341916c75f4cea153ca
Detection ratio: 15 / 48

FINAL NOTES

Once again, here are the associated files:

ZIP of the PCAP: 2013-09-28-Blackhole-EK-traffic.pcap.zip
ZIP file of the malware: 2013-09-28-Blackhole-EK-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.