2014-01-20 - ANOTHER STYX EK EXAMPLE
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-01-20-Styx-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-01-20-Styx-EK-malware.zip
NOTES:
Here's a quick post for the PCAP and malware on a Styx EK infection, very similar to the traffic I covered on 2013-12-27. All times listed below are from the PCAP and use Central Standard Time (GMT minus 6 hours).
TRAFFIC
The original referer was the result of a Google search:
- 09:44:18 - 172.16.2.149:49179 - 184.168.172.1:80 - www.nuisancecalls.org.uk - GET /showthread.php?22477-01933441081-Read-this-if-had-calls-from-01933441081
- 09:44:19 - 184.168.172.1:80 - 172.16.2.149:49179 - HTTP/1.1 302 Moved Temporarily
A series of redirects:
- 09:44:19 - 172.16.2.149:49181 - 93.170.131.2:80 - gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp.biz - GET /1.php
- 09:44:19 - 93.170.131.2:80 - 172.16.2.149:49181 - HTTP/1.1 302 Found
- 09:44:20 - 172.16.2.149:49182 - 93.170.131.2:80 - gqgqgqgql1iqli1lil1qgiql.ocry.com - GET /i1gqgqilil1/all4.php
- 09:44:20 - 93.170.131.2:80 - 172.16.2.149:49182 - HTTP/1.1 302 Found
- 09:44:20 - 172.16.2.149:49183 - 50.63.75.1:80 - jogaming.com - GET /templates/beez/1.php?uid=11860
- 09:44:21 - 50.63.75.1:80 - 172.16.2.149:49183 - HTTP/1.1 302 Moved Temporarily
- 09:44:21 - 172.16.2.149:49184 - 188.116.34.246:80 - www3.vhreqzbb9so750.4pu.com - GET /?g0r5z0=i6DbmbdjnN3bya6rk5pvo5WjqG2UYpip7pyzm6PGp92SmnKrn5pZ&f93f6c56=%08%04%02%05%08%09%02%08%04
- 09:44:22 - 188.116.34.246:80 - 172.16.2.149:49184 - HTTP/1.1 302 Moved Temporarily
Goes to a landing page:
- 09:44:22 - 172.16.2.149:49185 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /xkfd8mp?y7t45=nZ3mnHLpmKnQ4F2smcqzZ[long string]
- 09:44:22 - 172.16.2.149:49185 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /20b363d.js
- 09:44:22 - 172.16.2.149:49185 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /pictures/fl.swf
- 09:44:23 - 172.16.2.149:49185 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - POST /
- 09:44:23 - 172.16.2.149:49185 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /f434312.js
- 09:44:23 - 172.16.2.149:49186 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /i.html
- 09:44:26 - 172.16.2.149:49185 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /VYqFiT.html
After various HTTP GET requests for images from www1.z18hg770fv466u.4pu.com, the exploit traffic follows:
- 09:44:29 - 172.16.2.149:49191 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /EYlntXRw.jar
- 09:44:30 - 172.16.2.149:49192 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /EYlntXRw.jar
- 09:44:30 - 172.16.2.149:49193 - 188.116.34.246:80 - www2.v2uhn2761ktres.4pu.com - GET /?y5ox75ce8=nZjc3HSa28pe65vZpZ9jb2xhkejm0bCsZtCummWbnnCmlZvc4W9oaWqbpqWXqa9nleSqcpWZaZyT18rgb4mKfJHk28mwrFvinA%3D%3D&h=16
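As an added example (not part of the original post), here is a short Python script that parses traffic lines in the form listed above, ties each 302 response to the request it answered using the client's source port, and splits the chain into the stages the post walks through: referer, redirects, landing page, payload fetches and post-landing hosts. The sample log is constructed from a shortened copy of the requests above; the function names are my own.

```python
import re

# Constructed sample, shortened from the traffic listed above (same
# "time - src - dst - host - METHOD path" form, with the 302 responses).
SAMPLE_LOG = """\
09:44:18 - 172.16.2.149:49179 - 184.168.172.1:80 - www.nuisancecalls.org.uk - GET /showthread.php?22477
09:44:19 - 184.168.172.1:80 - 172.16.2.149:49179 - HTTP/1.1 302 Moved Temporarily
09:44:19 - 172.16.2.149:49181 - 93.170.131.2:80 - gqillqigqilqigqiqlqiigqilqiiiqgg.esmtp.biz - GET /1.php
09:44:19 - 93.170.131.2:80 - 172.16.2.149:49181 - HTTP/1.1 302 Found
09:44:20 - 172.16.2.149:49183 - 50.63.75.1:80 - jogaming.com - GET /templates/beez/1.php?uid=11860
09:44:21 - 50.63.75.1:80 - 172.16.2.149:49183 - HTTP/1.1 302 Moved Temporarily
09:44:21 - 172.16.2.149:49184 - 188.116.34.246:80 - www3.vhreqzbb9so750.4pu.com - GET /?g0r5z0=i6Db
09:44:22 - 188.116.34.246:80 - 172.16.2.149:49184 - HTTP/1.1 302 Moved Temporarily
09:44:22 - 172.16.2.149:49185 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /xkfd8mp?y7t45=nZ3m
09:44:22 - 172.16.2.149:49185 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /pictures/fl.swf
09:44:29 - 172.16.2.149:49191 - 188.116.34.246:80 - www1.z18hg770fv466u.4pu.com - GET /EYlntXRw.jar
09:44:30 - 172.16.2.149:49193 - 188.116.34.246:80 - www2.v2uhn2761ktres.4pu.com - GET /?y5ox75ce8=nZjc&h=16
"""

# Group 1 is the client's source port in both patterns; it ties a 302 to its request.
REQ_RE = re.compile(r"^\S+ - \S+:(\d+) - \S+:\d+ - (\S+) - (?:GET|POST) (\S+)$")
RESP_RE = re.compile(r"^\S+ - \S+:\d+ - \S+:(\d+) - HTTP/1\.1 (\d{3})")


def infection_chain(log):
    """Requests in order as {host, path, status}; status is None when no
    response line is listed (the landing page and payload fetches above)."""
    hops, by_port = [], {}
    for line in log.splitlines():
        if m := REQ_RE.match(line):
            hops.append({"host": m.group(2), "path": m.group(3), "status": None})
            by_port[m.group(1)] = hops[-1]
        elif (m := RESP_RE.match(line)) and m.group(1) in by_port:
            by_port[m.group(1)]["status"] = int(m.group(2))
    return hops


def triage(hops):
    """Split the chain into the stages the write-up walks through."""
    last_302 = max(i for i, h in enumerate(hops) if h["status"] == 302)
    landing = hops[last_302 + 1]          # first request after the last redirect
    after = hops[last_302 + 1:]
    return {
        "referer": hops[0]["host"],
        "redirect_hosts": [h["host"] for h in hops[1:last_302 + 1]],
        "landing_host": landing["host"],
        "payload_paths": [h["path"] for h in after
                          if h["path"].split("?")[0].lower().endswith((".jar", ".swf"))],
        "post_landing_hosts": sorted({h["host"] for h in after if h["host"] != landing["host"]}),
    }
```

Running `triage(infection_chain(SAMPLE_LOG))` gives the same breakdown as the write-up: the referer, three redirect hosts, the www1 landing host, the SWF and JAR fetches, and the www2 host contacted afterwards.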
MALWARE
File name: EYlntXRw.jar
File size: 27.8 KB ( 28515 bytes )
MD5 hash: 89e470fcc466d648c205a91daac17aa8
VirusTotal link: https://www.virustotal.com/en/file/79c63c54ba9e911a808a72ea418e079932029eb48c199b183471fbfcbfe0904b/analysis/
Detection ratio: 4 / 49
First submission: 2014-01-20 23:33:20 GMT
File name: glrgdcieqhaurbaiksf.exe
File size: 895.0 KB ( 916480 bytes )
MD5 hash: 956ca1c210e24c6168a84ea2733f7508
VirusTotal link: https://www.virustotal.com/en/file/da365d911bed34e66c5335ad1413e4f0b4cfd1d244e0fd03331359b77aeef1ad/analysis/
Detection ratio: 17 / 48
First submission: 2014-01-20 23:33:31 GMT
FINAL NOTES
Once again, here are the associated files:
- ZIP of the PCAP: 2014-01-20-Styx-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-01-20-Styx-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.