2013-11-15 - GONDAD EXPLOIT KIT DELIVERS GONDAD.EXE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2013-11-15-Gondad-EK-traffic.pcap.zip   326.2 kB (326,172 bytes)
• 2013-11-15-Gondad-EK-malware.zip   39.6 kB (39,588 bytes)
• 2013-11-15-malware-analysis-of-Gondad-EK-payload.pdf.zip   113.4 kB (113,357 bytes)

 

NOTES:

I don't know if this was a coincidence, but the name of a malware EXE stored in an infected VM's temp folder matches the name of an exploit kit that triggered on the IDS.  In this case, two events triggered on a Gondad exploit kit, while the malware in the AppData\Local\Temp folder was named gondad.exe.

Screen shot from the infected VM.

Gondad is a Chinese crimeware exploit kit, and you can read more about it here or here.  Let's see what the infection traffic looks like...

SNORT EVENTS

 

I used Security Onion to monitor a vulnerable Windows VM running Java 6 update 25.  The infection traffic generated the following events in Sguil (all times GMT):

• 23:31:18 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52337 - ET CURRENT_EVENTS GondadEK Landing Sept 03 2013
• 23:31:18 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52338 - ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013
• 23:31:18 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52340 - ET INFO JAVA - ClassID?
• 23:31:29 - LOCAL_HOST port 52344 - 211.233.50[.]214 port 80 - ET POLICY Vulnerable Java Version 1.6.x Detected
• 23:31:29 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
• 23:31:29 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS Possible g01pack Jar download
• 23:31:29 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52344 - ET INFO JAVA - Java Archive Download By Vulnerable Client
• 23:31:29 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52344 - ET TROJAN Java Archive sent when remote host claims to send an image
• 23:31:29 - LOCAL_HOST port 52345 - 211.233.50[.]214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
• 23:31:30 - LOCAL_HOST port 52346 - 211.233.50[.]214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
• 23:31:30 - LOCAL_HOST port 52347 - 211.233.50[.]214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
• 23:31:34 - LOCAL_HOST port 52348 - 211.233.50[.]214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class
• 23:31:39 - 223.130.89[.]28 port 80 - LOCAL_HOST port 52349 - ET POLICY PE EXE or DLL Windows file download

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

• 84.124.94[.]27 - musculosysexo[.]com - compromised website that channeled traffic to the exploit page
• 211.233.50[.]214 - www.inkwa[.]co[.]kr - exploit page that delivered the java exploit
• 223.130.89[.]28 - www.dcart[.]co[.]kr - malware delivery domain that sent the malicious EXE
• 61.147.124[.]125 - count17.51yes[.]com - 51yes[.]com is associated with malicious activity, and this domain possibly helped set up the malware delivery

INITIAL INFECTION CHAIN

• 23:31:14 - LOCAL_HOST port 52331 - 84.124.94[.]27 port 80 (musculosysexo[.]com) - GET /
• 23:31:19 - LOCAL_HOST port 52337 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/index.html
• 23:31:20 - LOCAL_HOST port 52338 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/swfobject.js
• 23:31:20 - LOCAL_HOST port 52340 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/jpg.js
• 23:31:23 - LOCAL_HOST port 52343 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /favicon.ico
• 23:31:20 - LOCAL_HOST port 52341 - 61.147.124[.]125 port 80 (count17.51yes[.]com) - GET /click.aspx?id=170133288&logo=3
• 23:31:22 - LOCAL_HOST port 52342 - 61.147.124[.]125 port 80 (count17.51yes[.]com) - GET /sa.htm?id=170133288&refe=&location=http%3A//www.inkwa[.]co[.]kr/w3c/w/index.html&[long string]
• 23:31:31 - LOCAL_HOST port 52344 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/vekqkr2.jpg  [NOTE: Java exploit]
• 23:31:31 - LOCAL_HOST port 52345 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/com.class
• 23:31:32 - LOCAL_HOST port 52346 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/edu.class
• 23:31:32 - LOCAL_HOST port 52347 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/net.class
• 23:31:36 - LOCAL_HOST port 52348 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/org.class
• 23:31:41 - LOCAL_HOST port 52349 - 223.130.89[.]28 port 80 (www.dcart[.]co[.]kr) - GET /kcp/winlog.exe  [NOTE: malicious EXE]

POST INFECTION CALLBACK TRAFFIC

• 23:31:52 - Standard query 0xd8b9 A qqq.qesff[.]com
• 23:31:52 - Standard query response 0xd8b9 A 112.218.71[.]110
• 23:31:52 - LOCAL_HOST port 52350 - 112.218.71[.]110 port 8081 - [SYN]
• 23:31:52 - 112.218.71[.]110 port 8081 - LOCAL_HOST port 52350 - [SYN, ACK]
• 23:31:52 - LOCAL_HOST port 52350 - 112.218.71[.]110 port 8081 - [ACK]
• 23:31:52 - LOCAL_HOST port 52350 - 112.218.71[.]110 port 8081 - [PSH, ACK] 488 bytes
• 23:31:52 - 112.218.71[.]110 port 8081 - LOCAL_HOST port 52350 - [ACK]

 

INFECTION TRAFFIC DETAILS

IP address: 84.124.94[.]27 port 80
domain name: musculosysexo[.]com
HTTP request: GET /

Sguil events: None

Screenshot of traffic:

I couldn't figure out how it got from here to the next step in the infection chain.

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/index.html

Sguil event: ET CURRENT_EVENTS GondadEK Landing Sept 03 2013

Screenshot of traffic:

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/swfobject.js

Sguil event: ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013

Screenshot of traffic:

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/jpg.js

Sguil event: ET INFO JAVA - ClassID?

Screenshot of traffic:

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/vekqkr2.jpg

Sguil events:

• ET POLICY Vulnerable Java Version 1.6.x Detected
• ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
• ET CURRENT_EVENTS Possible g01pack Jar download
• ET INFO JAVA - Java Archive Download By Vulnerable Client
• ET TROJAN Java Archive sent when remote host claims to send an image

Screenshot of traffic:

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/com.class
HTTP request: GET /w3c/w/edu.class
HTTP request: GET /w3c/w/net.class
HTTP request: GET /w3c/w/org.class

Sguil events:

• ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
• ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
• ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
• ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class

NOTE: These HTTP GET requests all returned a response of 404 Not Found

 

IP address: 223.130.89[.]28 port 80
domain name: www.dcart[.]co[.]kr
HTTP request: GET /kcp/winlog.exe

Sguil event: ET POLICY PE EXE or DLL Windows file download

Screenshot of traffic:

 

PRELIMINARY MALWARE ANALYSIS

Java exploit from 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr):

https://www.virustotal.com/gui/file/365d664cf30a569b56f829806fe57e8b31289515b8d5425fd83e3e465cf084fa

File name:  2013-11-15-java-exploit.jar
File size:  2.5 KB ( 2,463 bytes )

First submitted:  2013-11-16 01:07:06 GMT
This appears to be based on CVE-2011-3544, which is effective against Java 6 update 27 and earlier.

Java archive: contents:

Malicious binary downloaded from 223.130.89[.]28 port 80 (www.dcart[.]co[.]kr):

https://www.virustotal.com/gui/file/a71ba4a221ffb1c60c8c937548cf0ea91d2393969aaf2364454f0796f9f688d0

File name:  2013-11-15-malicious-binary.exe
File size:  46.6 KB ( 46,592 bytes )
First submitted:  2013-11-15 14:49:21 GMT

Most of the AV companies listed on the Virus Total entry have identified this malware as a variant of Unruy.  Unruy appears to be a Trojan downloader.  We saw it call out, but no additional malware was downloaded in this case.

 

Click here to return to the main page.