2013-11-23 - CAPHAW DRIVEBY LEADS TO STYX EXPLOIT KIT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2013-11-23-Styx-EK-traffic.pcap.zip 4.0 MB (3,991,711 bytes)
- 2013-11-23-Styx-EK-malware.zip 503.2 kB (503,213 bytes)
NOTES:
Had some time this past Friday to infect a vulnerable Windows VM and study the infection chain. I found a site named www.perfumelover[.]co[.]uk which redirected to a Styx exploit kit. Clean MX Virus Watch shows URLs from this site infected with Troj/JSRedir-HP as early as 2013-08-28, while Scumware.org has URLs from this site as early as 2013-10-14.
McAfee Labs has a blog article on the Styx exploit kit, which you can read about here. The infection traffic looks similar to the image below, which I've modified slightly from that McAfee article:
Let's examine the infection traffic in more detail...
SNORT EVENTS
I used Security Onion to monitor a vulnerable Windows VM running Java 6 update 25. The infection traffic generated the following events in Sguil (all times GMT):
Screen shot of Sguil events for this infection.
- ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js
- ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html
- ET CURRENT_EVENTS Styx EK - /jorg.html
- ET CURRENT_EVENTS Styx EK - /jvvn.html
- ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html
- ET CURRENT_EVENTS Styx EK jply.html
- ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2
- ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2
- ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit
- ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload
- ET INFO EXE - Served Attached HTTP
- ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client
- ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany Ltd) likely Shylock CnC
INFECTION CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 63.141.137[.]25 - www.perfumelover[.]co[.]uk - compromised website that channeled traffic to the exploit page
- 85.25.13[.]66 - pkktmkmnqxhgqbqmohlrv.peguards[.]cc - first in a series of redirects from the compromised website
- 85.25.13[.]66 - pkktmkmnqxhgqbqmohlrv.klr[.]su - second in a series of redirects from the compromised website
- 85.25.13[.]66 - sysinfo[.]su - third in a series of redirects from the compromised website
- 185.31.209[.]83 - diq.endpointcash[.]asia - Domain hosting Styx exploit kit that delivers the exploit and the malicious executable
INITIAL INFECTION CHAIN
- 23:55:11 - 192.168.204[.]134 port 50139 - 63.141.137[.]25 port 80 ( www.perfumelover[.]co[.]uk ) - GET /cartier-eau-de-cartier-essence-dorange-edt-100ml/
- 23:55:13 - 192.168.204[.]134 port 50167 - 85.25.13[.]66 port 80 ( pkktmkmnqxhgqbqmohlrv.peguards[.]cc ) - GET /9cfb37b8iq/get.js
- 23:55:15 - 192.168.204[.]134 port 50168 - 85.25.13[.]66 port 80 ( pkktmkmnqxhgqbqmohlrv.klr[.]su ) - GET /statistic.js?k=9cfb37b8iq&d=peguards[.]cc
- 23:55:18 - 192.168.204[.]134 port 50171 - 85.25.13[.]66 port 80 ( sysinfo[.]su ) - GET /ping.html?id=9cfb37b8iq&js=1&key=default
- 23:55:21 - 192.168.204[.]134 port 50195 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /pu9C7E0Mw/[long string]/09PT0/
- 23:55:21 - 192.168.204[.]134 port 50195 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/
- 23:55:21 - 192.168.204[.]134 port 50195 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/jorg.html
- 23:55:22 - 192.168.204[.]134 port 50203 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/jvvn.html
- 23:55:22 - 192.168.204[.]134 port 50205 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/pliexp.html
- 23:55:22 - 192.168.204[.]134 port 50204 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/fnts.html
- 23:55:22 - 192.168.204[.]134 port 50195 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/jply.html
- 23:55:23 - 192.168.204[.]134 port 50204 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/bhtntqlj.html
- 23:55:23 - 192.168.204[.]134 port 50195 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/UPURxASzc.eot [CVE-2011-3402 Exploit]
- 23:55:24 - 192.168.204[.]134 port 50203 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/iexp.html
- 23:55:25 - 192.168.204[.]134 port 50205 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /7eaPO-U07g-EB0-Nsg40/[long string]/TN/ixlc.html
- 23:55:36 - 192.168.204[.]134 port 50195 - 185.31.209[.]83 port 80 ( diq.endpointcash[.]asia ) - GET /l26tm20/[long string]/l7xD5zhET9.exe?7F7x=5fa77&h=33 [Malicious executable]
NOTE: More traffic follows where Java exploits are sent from diq.endpointcash[.]asia, and the same malicious executable is delivered again. I've omitted those additional events in the above list, so we can focus on the first successful exploit.
POST INFECTION CALLBACK TRAFFIC
- 23:55:40 - 192.168.204[.]134 port 50213 - 69.163.43[.]175 port 443 - xr7zd1hr5cqn.kre[.]cc
- 23:55:43 - 192.168.204[.]134 port 50218 - 198.52.243[.]229 port 443 - 4wn6f3o.kre[.]cc
- 23:55:43 - 192.168.204[.]134 port 50220 - 198.52.243[.]229 port 443 - 59cptvob3.kre[.]cc
- 23:55:43 - 192.168.204[.]134 port 50219 - 181.41.193[.]168 port 443 - 21cqk542pejhmzqy.kre[.]cc
- 23:55:43 - 192.168.204[.]134 port 50221 - 198.52.243[.]229 port 443 - 4wn6f3o.kre[.]cc
- 23:55:43 - 192.168.204[.]134 port 50222 - 198.52.243[.]229 port 443 - 59cptvob3.kre[.]cc
- 23:55:43 - 192.168.204[.]134 port 50223 - 69.163.43[.]175 port 443 - cutjmnj0b.www5.kre[.]cc
- 23:55:43 - 192.168.204[.]134 port 50224 - 181.41.193[.]168 port 443 - xr7ygt7mk4enngh0.www5.kre[.]cc
- 23:55:44 - 192.168.204[.]134 port 50227 - 69.163.43[.]175 port 443 - cutjmnj0b.www5.kre[.]cc
- 23:55:44 - 192.168.204[.]134 port 50229 - 198.52.243[.]229 port 443 - uwablphuluq.kre[.]cc
- 23:55:44 - 192.168.204[.]134 port 50228 - 181.41.193[.]168 port 443 - 21cqk542pejhmzqy.kre[.]cc
- 23:55:44 - 192.168.204[.]134 port 50231 - 198.52.243[.]229 port 443 - uwablphuluq.kre[.]cc
- 23:55:44 - 192.168.204[.]134 port 50230 - 181.41.202[.]249 port 443 - 84c3gl.www5.kre[.]cc
- 23:55:44 - 192.168.204[.]134 port 50232 - 181.41.193[.]168 port 443 - xr7ygt7mk4enngh0.www5.kre[.]cc
- 23:55:44 - 192.168.204[.]134 port 50235 - 181.41.202[.]249 port 443 - 84c3gl.www5.kre[.]cc
- 23:55:45 - 192.168.204[.]134 port 50237 - 181.41.202[.]249 port 443 - jzgixx97hffu7c8k.kre[.]cc
- 23:55:45 - 192.168.204[.]134 port 50240 - 69.163.43[.]175 port 443 - 3fnd5y95x6nmmp7.kre[.]cc
- 23:55:45 - 192.168.204[.]134 port 50239 - 181.41.202[.]249 port 443 - jzgixx97hffu7c8k.kre[.]cc
- 23:55:46 - 192.168.204[.]134 port 50225 - 109.123.127[.]228 port 443 - xweie2.kre[.]cc
- 23:56:09 - 192.168.204[.]134 port 50273 - 181.41.202[.]249 port 443 - 81x8fi5p.www5.kre[.]cc
- 23:56:13 - 192.168.204[.]134 port 50289 - 109.123.127[.]228 port 443 - 1aw2nml.kre[.]cc
NOTE: In addition to kre[.]cc, other suffixes in the SSL callback traffic include bai[.]su, pfh[.]cc, rwn[.]cc, sgu[.]cc, and sxo[.]su.
INFECTION TRAFFIC DETAILS
IP address: 63.141.137[.]25 port 80
domain name: www.perfumelover[.]co[.]uk
HTTP request: GET /cartier-eau-de-cartier-essence-dorange-edt-100ml/
Sguil events: None
Screenshot of traffic:
In the HTML of the web page, we see javascript that leads to the next step in the infection chain:
The underlined portion shown is hexadecimal that translates to hxxp[:]//"+s1+".peguards[.]cc/9cfb37b8iq/get.js
where s1 is a variable prefix used with the domain name.
IP address: 85.25.13[.]66 port 80
domain name: pkktmkmnqxhgqbqmohlrv.peguards[.]cc
HTTP request: GET /9cfb37b8iq/get.js
Sguil events: None
Screenshot of traffic:
The hexadecimal script references the next link in the infection chain.
IP address: 85.25.13[.]66 port 80
domain name: pkktmkmnqxhgqbqmohlrv.klr[.]su
HTTP request: GET /statistic.js?k=9cfb37b8iq&d=peguards[.]cc
Sguil event: ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js
Screenshot of traffic:
IP address: 85.25.13[.]66 port 80
domain name: sysinfo[.]su
HTTP request: GET /ping.html?id=9cfb37b8iq&js=1&key=default
Sguil event: ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html
Screenshot of traffic:
IP address: 185.31.209[.]83 port 80
domain name: diq.endpointcash[.]asia
HTTP requests (the first returned a "302 found" that redirected to the second):
- GET /pu9C7E0Mw/h70J0a717s_WC14YC_R0bXe21/3ytY0q-BxO0kWj_t0XUD/606q8z0-EEmr0RJ-7o/09PT0/
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/
Sguil events: None
Screenshot of traffic:
This is the first page of the Styx exploit kit.
IP address: 185.31.209[.]83 port 80
domain name: diq.endpointcash[.]asia
HTTP requests:
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/jorg.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/jvvn.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/fnts.html
Sguil events:
- ET CURRENT_EVENTS Styx EK - /jorg.html
- ET CURRENT_EVENTS Styx EK - /jvvn.html
- ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html
IP address: 185.31.209[.]83 port 80
domain name: diq.endpointcash[.]asia
HTTP request: GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/jply.html
Sguil events:
- ET CURRENT_EVENTS Styx EK jply.html
- ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2
- ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2
- ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit
- ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload
Screenshot of traffic:
IP address: 185.31.209[.]83 port 80
domain name: diq.endpointcash[.]asia
HTTP requests:
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/pliexp.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/bhtntqlj.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/iexp.html
- GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/ixlc.html
Sguil events: None
NOTE: These are some of the other HTML pages delivered by this version of the Styx exploit kit. No updated signatures existed for these on Security Onion as of 2013-11-23.
IP address: 185.31.209[.]83 port 80
domain name: diq.endpointcash[.]asia
HTTP request: GET /7eaPO-U07g-EB0-Nsg40/DLmI0k-5JW0zKS_M02-7JV0xBuX_02FB_M08jy_A0zfm-c0B08O0mYp/U04_7Zf0tnqM-0dbzs_0IOYO0/PIQk1_575V0-n33/A0d8o40Y_n8Y0vzYy/161/9814kEX-0Zu/h90/yKo0-0geg/p0jAgs0F/jzr02y-Bx0KxQ40_eMPJ0L/hOL0Q4h-g0V_uRO0-2bk_M159qV_02EKL0qyGQ0/7cD-h0Gx_hu0qUbq/0P8n/q09GX-b0C6hb_000O80_wnKe0gGtr0_Vf8U0_9l2V0Ru/wW0vF3D/1205x0T/KsG0Tc8O1-0kZ3/0Kl5w0ZQ6-F0Kww/R11KRf0o_dD20FQ/TN/UPURxASzc.eot
Sguil events: None
Screenshot of traffic:
This EOT file is an exploit that targets CVE-2011-3402.
IP address: 185.31.209[.]83 port 80
domain name: diq.endpointcash[.]asia
HTTP request: GET /l26tm20/IwGE-0LFSD0_XU9-x0GPGO0CeUj/008_Nf0FyT5-07FXi13X_Hy17_moB018/CS0/LTQ_Z0MK2_Y07UJ6/0O4n_v0KS4Q0BnlP_00AH00Ps-0I0/LgvY0J/BFN07DeE-0lCzM/11aU/t0OduV_0e_s4M13r/960gdFk_0Tnf5_0Rg_7x0wx-Ys0WA/dY0RY6_f04/IRu0svJE-0fr8L0V1/MS0L_fXJ0/8SIT-0zi-xO0-Xkic0ke_7o0t6-930luSJ0m_2Nm05AUO-07KZI0/GLA-s0/oMaE0_8uDw111M-J0ghng-0k1V-q0zsst0-H05E00/CFp/0rPut0g_9U_50bE8d0/CTe-g0RXv-R04MFA0/qcf00F-vrK/l7xD5zhET9.exe?7F7x=5fa77&h=33
Sguil events:
- ET INFO EXE - Served Attached HTTP
- ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client
Screenshot of traffic:
IP address: various on port 443
domain name: various
Sguil event: ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany Ltd) likely Shylock CnC
Screenshot of traffic:
Filtered in wireshark, so you can see the domain names listed for the SSL handshakes.
ADDITIONAL NOTES ON THE INFECTION TRAFFIC
As noted earlier, other exploits (Java-based) were sent, and the same malicious EXE was downloaded again. In the image below, I've highlighted the events that I didn't review in this blog entry:
Feel free to review the pcap for more details on the extra infection traffic.
The malicious EXE appears to be some variation on Kazy or Kryptic, which is a Trojan downloader. However, I didn't notice any follow-up downloads on the Windows VM, so I executed the malicious EXE in the AppData\Local\Temp folder on a physical Windows machine. That returned another piece of malware, which I've included in the preliminary malware analysis below.
PRELIMINARY MALWARE ANALYSIS
EOT exploit from 185.31.209[.]83 port 80 (diq.endpointcash[.]asia):
https://www.virustotal.com/gui/file/c9768dd18be40e8cc14e9a6c7eb0dad36c4dd600acbab5903970f2d3865a8347/
File name: cfb7461af2c378522efb4796ec2a96b8.eot File size: 4.3 KB ( 4,331 bytes )
First submitted: 2013-11-24 04:37:18 GMT (by me)
Malicious EXE from 185.31.209[.]83 port 80 (diq.endpointcash[.]asia):
https://www.virustotal.com/gui/file/a8e9182fa7768417b64579f81867ea9542980ee1de8d2480fd5aa9dcec5a85ca
File name: 28452bd26e2145c12f6b24b36ca37d98.exe File size: 327.7 KB ( 327,680 bytes )
First submitted: 2013-11-23 07:31:53 GMT (by me)
Second malicious EXE downloaded by the first EXE on 2013-11-23:
https://www.virustotal.com/gui/file/2c88599470a2151739c3811d82caaeb6fd92785d99df47d571f34afaaf6145ee
File name: 2f354eb035e12d467d8229858d381328.exe File size: 467.0 KB ( 466,976 bytes )
First submitted: 2013-11-24 00:40:34 GMT (by me)
I also took the Java archives I saw in the VM's AppData\Local\Temp folder and submitted them to Virus Total.
- MD5: a1b81bc04f8bacd03c1bda59ceb2290f - Size: 11,299 bytes - Virus Total link
- MD5: 901769baa0480718ee8a97e66ee678b4 - Size: 11,299 bytes - Virus Total link
- MD5: 844dbb812117cffc0b845ff6d66f35b1 - Size: 11,302 bytes - Virus Total link
- MD5: 3af8065d3c46e44dee05dfc42f1ecfc9 - Size: 16,427 bytes - Virus Total link
- MD5: 063a2e4f7061c07bd24c6e85b1d441f5 - Size: 16,428 bytes - Virus Total link
Archive contents of the first Java exploit (the one at 11 KB or so):
Archive contents of the second Java exploit (the one at 16 KB or so):
Click here to return to the main page.