2013-11-15 - GONDAD EXPLOIT KIT DELIVERS GONDAD.EXE
ASSOCIATED FILES:
- ZIP of the PCAP: 2013-11-15-Gondad-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-11-15-Gondad-EK-malware.zip
- PDF file with analysis of Gondad EK malware payload: 2013-11-15-malware-analysis-of-Gondad-EK-payload.pdf
NOTES:
I don't know if this was a coincidence, but the name of a malware EXE stored in an infected VM's temp folder matches the name of an exploit kit that triggered on the IDS. In this case, two events triggered on a Gondad exploit kit, while the malware in the AppData\Local\Temp folder was named gondad.exe.
Screenshot from the infected VM.
Gondad is a Chinese crimeware exploit kit, and you can read more about it here or here. Let's see what the infection traffic looks like...
SNORT EVENTS
I used Security Onion to monitor a vulnerable Windows VM running Java 6 update 25. The infection traffic generated the following events in Sguil (all times GMT):
- 23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52337 - ET CURRENT_EVENTS GondadEK Landing Sept 03 2013
- 23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52338 - ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013
- 23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52340 - ET INFO JAVA - ClassID?
- 23:31:29 - LOCAL_HOST port 52344 - 211.233.50.214 port 80 - ET POLICY Vulnerable Java Version 1.6.x Detected
- 23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- 23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS Possible g01pack Jar download
- 23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET TROJAN Java Archive sent when remote host claims to send an image
- 23:31:29 - LOCAL_HOST port 52345 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
- 23:31:30 - LOCAL_HOST port 52346 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
- 23:31:30 - LOCAL_HOST port 52347 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
- 23:31:34 - LOCAL_HOST port 52348 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class
- 23:31:39 - 223.130.89.28 port 80 - LOCAL_HOST port 52349 - ET POLICY PE EXE or DLL Windows file download
INFECTION CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 84.124.94.27 - musculosysexo.com - compromised website that channeled traffic to the exploit page
- 211.233.50.214 - www.inkwa.co.kr - exploit page that delivered the java exploit
- 223.130.89.28 - www.dcart.co.kr - malware delivery domain that sent the malicious EXE
- 61.147.124.125 - count17.51yes.com - 51yes.com is associated with malicious activity, and this domain possibly helped set up the malware delivery
INITIAL INFECTION CHAIN
- 23:31:14 - LOCAL_HOST port 52331 - 84.124.94.27 port 80 (musculosysexo.com) - GET /
- 23:31:19 - LOCAL_HOST port 52337 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/index.html
- 23:31:20 - LOCAL_HOST port 52338 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/swfobject.js
- 23:31:20 - LOCAL_HOST port 52340 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/jpg.js
- 23:31:20 - LOCAL_HOST port 52341 - 61.147.124.125 port 80 (count17.51yes.com) - GET /click.aspx?id=170133288&logo=3
- 23:31:22 - LOCAL_HOST port 52342 - 61.147.124.125 port 80 (count17.51yes.com) - GET /sa.htm?id=170133288&refe=&location=http%3A//www.inkwa.co.kr/w3c/w/index.html&[long string]
- 23:31:23 - LOCAL_HOST port 52343 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /favicon.ico
- 23:31:31 - LOCAL_HOST port 52344 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/vekqkr2.jpg [NOTE: Java exploit]
- 23:31:31 - LOCAL_HOST port 52345 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/com.class
- 23:31:32 - LOCAL_HOST port 52346 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/edu.class
- 23:31:32 - LOCAL_HOST port 52347 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/net.class
- 23:31:36 - LOCAL_HOST port 52348 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/org.class
- 23:31:41 - LOCAL_HOST port 52349 - 223.130.89.28 port 80 (www.dcart.co.kr) - GET /kcp/winlog.exe [NOTE: malicious EXE]
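The chain above was rebuilt by hand by matching each Sguil alert to the HTTP request on the same client port. The script below does that join automatically; it is an added example, not part of the original post or the PCAP, and the two text blocks inside it are a constructed subset of the event and request lines listed on this page (a real run would feed it the full Sguil export and an HTTP request log in the same layout).

```python
"""Join Sguil/Snort alerts to the HTTP requests that triggered them.

Added example, not from the original post. Sguil reports each alert with the
client's ephemeral port, and the HTTP request log carries that same port, so
the two lists can be joined on it to rebuild the infection chain.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the Sguil events listed on this page.
SGUIL_EVENTS = """\
23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52337 - ET CURRENT_EVENTS GondadEK Landing Sept 03 2013
23:31:29 - LOCAL_HOST port 52344 - 211.233.50.214 port 80 - ET POLICY Vulnerable Java Version 1.6.x Detected
23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET TROJAN Java Archive sent when remote host claims to send an image
23:31:29 - LOCAL_HOST port 52345 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
23:31:39 - 223.130.89.28 port 80 - LOCAL_HOST port 52349 - ET POLICY PE EXE or DLL Windows file download
"""

# Constructed sample: a subset of the HTTP requests listed on this page.
HTTP_REQUESTS = """\
23:31:14 - LOCAL_HOST port 52331 - 84.124.94.27 port 80 (musculosysexo.com) - GET /
23:31:19 - LOCAL_HOST port 52337 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/index.html
23:31:31 - LOCAL_HOST port 52344 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/vekqkr2.jpg
23:31:31 - LOCAL_HOST port 52345 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/com.class
23:31:41 - LOCAL_HOST port 52349 - 223.130.89.28 port 80 (www.dcart.co.kr) - GET /kcp/winlog.exe
"""

EVENT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) - (?P<src>\S+) port (?P<sport>\d+) - "
    r"(?P<dst>\S+) port (?P<dport>\d+) - (?P<msg>.+)$")
REQ_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) - LOCAL_HOST port (?P<cport>\d+) - "
    r"(?P<ip>\S+) port (?P<port>\d+) \((?P<host>[^)]+)\) - (?P<req>.+)$")


def local_port(m):
    """Return the LOCAL_HOST ephemeral port whichever direction the alert fired in."""
    return int(m["sport"]) if m["src"] == "LOCAL_HOST" else int(m["dport"])


def parse_events(text):
    """Map client port -> list of alert messages seen on that connection."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            by_port[local_port(m)].append(m["msg"])
    return by_port


def parse_requests(text):
    """Parse request-log lines into dicts with time, client port, host and request."""
    reqs = []
    for line in text.splitlines():
        m = REQ_RE.match(line.strip())
        if m:
            reqs.append({"time": m["time"], "port": int(m["cport"]),
                         "host": m["host"], "req": m["req"]})
    return reqs


def build_chain(events_text, requests_text):
    """Return requests in time order, each annotated with the alerts on its connection.

    Requests with no alert (e.g. the compromised site's GET /) are kept, since
    the referrer hop is part of the chain even when no rule fired on it.
    """
    alerts = parse_events(events_text)
    chain = []
    for r in sorted(parse_requests(requests_text), key=lambda r: (r["time"], r["port"])):
        chain.append({**r, "alerts": alerts.get(r["port"], [])})
    return chain


if __name__ == "__main__":
    for step in build_chain(SGUIL_EVENTS, HTTP_REQUESTS):
        print(f'{step["time"]} {step["host"]} {step["req"]}')
        for a in step["alerts"]:
            print("    ->", a)
```

Joining on the client port rather than on timestamps matters here: Sguil stamps the alert when the matching packet is seen, while the request log shows the time of the GET, so the same connection can carry two different times (compare 23:31:29 and 23:31:31 for port 52344 above).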
POST INFECTION CALLBACK TRAFFIC
- 23:31:52 - Standard query 0xd8b9 A qqq.qesff.com
- 23:31:52 - Standard query response 0xd8b9 A 112.218.71.110
- 23:31:52 - LOCAL_HOST port 52350 - 112.218.71.110 port 8081 - [SYN]
- 23:31:52 - 112.218.71.110 port 8081 - LOCAL_HOST port 52350 - [SYN, ACK]
- 23:31:52 - LOCAL_HOST port 52350 - 112.218.71.110 port 8081 - [ACK]
- 23:31:52 - LOCAL_HOST port 52350 - 112.218.71.110 port 8081 - [PSH, ACK] 488 bytes
- 23:31:52 - 112.218.71.110 port 8081 - LOCAL_HOST port 52350 - [ACK]
INFECTION TRAFFIC DETAILS
IP address: 84.124.94.27 port 80
domain name: musculosysexo.com
HTTP request: GET /
Sguil events: None
Screenshot of traffic:
I couldn't figure out how it got from here to the next step in the infection chain.
IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/index.html
Sguil event: ET CURRENT_EVENTS GondadEK Landing Sept 03 2013
Screenshot of traffic:
IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/swfobject.js
Sguil event: ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013
Screenshot of traffic:
IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/jpg.js
Sguil event: ET INFO JAVA - ClassID?
Screenshot of traffic:
IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/vekqkr2.jpg
Sguil events:
- ET POLICY Vulnerable Java Version 1.6.x Detected
- ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- ET CURRENT_EVENTS Possible g01pack Jar download
- ET INFO JAVA - Java Archive Download By Vulnerable Client
- ET TROJAN Java Archive sent when remote host claims to send an image
Screenshot of traffic:
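Several of the alerts on this one request key on a mismatch between what the client asked for, what the server claimed to send, and what actually came back: a Java User-Agent requested a .jpg, the response was labelled as an image, and the body was a JAR (a ZIP, starting with the bytes PK\x03\x04) rather than a JPEG (starting with FF D8 FF). The script below is an added example that re-implements that logic in simplified form; it is not the ET signatures themselves and not code from the original post. The request and response bytes in it are constructed to mimic the exchange (the real headers are in the PCAP), and the Java User-Agent string is an assumption about what Java 6 update 25 sends.

```python
"""Flag a JAR served under an image Content-Type to a Java client.

Added example, not from the original post. Simplified re-implementation of
the checks behind the "SUSPICIOUS JAR Download by Java UA with non JAR EXT",
"Java Archive sent when remote host claims to send an image" and
"Vulnerable Java Version 1.6.x" alerts; the real ET rules are not reproduced here.
"""
import re

ZIP_MAGIC = b"PK\x03\x04"      # ZIP local file header; a JAR is a ZIP
JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG SOI marker

# Constructed sample request. The User-Agent format is an assumption.
REQUEST = (
    b"GET /w3c/w/vekqkr2.jpg HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_25\r\n"
    b"Host: www.inkwa.co.kr\r\n"
    b"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"
    b"\r\n"
)

# Constructed sample response: claims image/jpeg, body is a ZIP local file header.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    + ZIP_MAGIC + b"\x14\x00" + b"\x00" * 24 + b"META-INF/MANIFEST.MF"
)

# Constructed benign response for comparison: same Content-Type, real JPEG bytes.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    + JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"
)


def split_http(raw):
    """Split a raw HTTP message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_exchange(request, response):
    """Return the indicator names this request/response pair trips, in a fixed order."""
    req_line, req_hdr, _ = split_http(request)
    _, resp_hdr, body = split_http(response)
    path = req_line.split(" ")[1].split("?")[0]
    ua = req_hdr.get("user-agent", "")
    ctype = resp_hdr.get("content-type", "").split(";")[0].strip().lower()
    hits = []
    # Java 6 client identifying itself in the User-Agent (policy alert, not malicious by itself).
    if re.search(r"\bJava/1\.6\.0_\d+", ua):
        hits.append("vulnerable_java_1.6_ua")
    # Java client fetched something that is a ZIP/JAR but was not named .jar
    if "Java/" in ua and body.startswith(ZIP_MAGIC) and not path.lower().endswith(".jar"):
        hits.append("jar_by_java_ua_non_jar_ext")
    # Server said "image", bytes say "ZIP": the content/type mismatch that marks EK traffic.
    if ctype.startswith("image/") and body.startswith(ZIP_MAGIC):
        hits.append("jar_claimed_as_image")
    return hits


if __name__ == "__main__":
    print("exploit response:", check_exchange(REQUEST, RESPONSE))
    print("benign response: ", check_exchange(REQUEST, BENIGN_RESPONSE))
```

The benign case is the important one for tuning: the same Java 6 client fetching a genuine JPEG still raises the policy alert for the vulnerable Java version, but none of the JAR indicators, so the version check alone is noise while the magic-bytes mismatch is the signal worth escalating on.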
IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/com.class
HTTP request: GET /w3c/w/edu.class
HTTP request: GET /w3c/w/net.class
HTTP request: GET /w3c/w/org.class
Sguil events:
- ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
- ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
- ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
- ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class
NOTE: These HTTP GET requests all returned a response of 404 Not Found. The DRIVEBY rules fired on the outbound requests themselves (note the LOCAL_HOST to server direction in the Sguil list above), so they triggered even though the server returned nothing for these class names.
IP address: 223.130.89.28 port 80
domain name: www.dcart.co.kr
HTTP request: GET /kcp/winlog.exe
Sguil event: ET POLICY PE EXE or DLL Windows file download
Screenshot of traffic:
PRELIMINARY MALWARE ANALYSIS
Java exploit from 211.233.50.214 port 80 (www.inkwa.co.kr):
https://www.virustotal.com/en/file/365d664cf30a569b56f829806fe57e8b31289515b8d5425fd83e3e465cf084fa/analysis/1384564026/
File name: 2013-11-15-java-exploit.jar
File size: 2.4 KB ( 2463 bytes )
MD5 hash: c0d693e9c3c41c217541f5db7de6f459
Detection ratio: 9 / 46
First submitted: 2013-11-16 01:07:06 GMT
This appears to be based on CVE-2011-3544, which is effective against Java 6 update 27 and earlier.
Java archive contents:
Malicious binary downloaded from 223.130.89.28 port 80 (www.dcart.co.kr):
https://www.virustotal.com/en/file/a71ba4a221ffb1c60c8c937548cf0ea91d2393969aaf2364454f0796f9f688d0/analysis/1384564048/
File name: 2013-11-15-malicious-binary.exe
File size: 45.5 KB ( 46592 bytes )
MD5 hash: 1297b79f039b802fc09bcada1d3763e7
Detection ratio: 12 / 46
First submitted: 2013-11-15 14:49:21 GMT
Most of the AV companies listed on the VirusTotal entry have identified this malware as a variant of Unruy. Unruy appears to be a Trojan downloader. We saw it call out (the DNS query for qqq.qesff.com and the 488-byte push to 112.218.71.110 port 8081 shown above), but no additional malware was downloaded in this case.
FINAL NOTES
Once again, here are the associated files:
- ZIP of the PCAP: 2013-11-15-Gondad-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-11-15-Gondad-EK-malware.zip
- PDF file with analysis of Gondad EK malware payload: 2013-11-15-malware-analysis-of-Gondad-EK-payload.pdf
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.