2014-04-23 - GOON/INFINITY EK FROM 89.161.140.32 (EKOPLANOWANIE.PL) AND 59.106.13.213 (MCS-CLEAN-SAKURA.NE.JP)
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-04-23-Goon-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-04-23-Goon-EK-malware.zip
ASSOCIATED DOMAINS
- 66.96.223.222 - 66.96.223.222 - Web server returning redirects to an exploit kit
- 89.161.140.32 - ekoplanowanie.pl - Goon/Infinity EK
- 59.106.13.213 - mcs-clean.sakura.ne.jp - Goon/Infinity EK
NOTES:
- No change in the traffic patterns from the last time I blogged about this on 2014-04-15 (link).
- Just like before, the redirect points to a different EK domain after a certain amount of time has passed.
- Also just like before, the malware payload was sent only the first time I tried it. I would've had to proxy through a different IP on each attempt to get the malware payload each time.
INFECTION TRAFFIC
VM: IE 8, Flash 11.8.800.94, Java 6 update 25, and Silverlight 4.0.60531
- 05:09:20 UTC - 192.168.204.226:49158 - 66.96.223.222:80 - 66.96.223.222 - GET /zyso.cgi?18
- 05:09:21 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ekoplanowanie.pl - GET /6/6/jar/OV.html
- 05:09:26 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ekoplanowanie.pl - GET /2381.swf
- 05:09:26 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ekoplanowanie.pl - GET /5218.xap
- 05:09:28 UTC - 192.168.204.226:49160 - 89.161.140.32:80 - ekoplanowanie.pl - GET /83.mp3?rnd=11160 [malware payload]
- 05:09:29 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ekoplanowanie.pl - GET /83.mp3?rnd=36292
Events triggered in Security Onion:
- 2014-04-23 05:09:20 UTC - 192.168.204.226:49158 - 66.96.223.222:80 - ET CURRENT_EVENTS EvilTDS Redirection
- 2014-04-23 05:09:22 UTC - 89.161.140.32:80 - 192.168.204.226:49159 - ET INFO Obfuscated Split String (Double Q) 2
- 2014-04-23 05:09:26 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ET POLICY Outdated Windows Flash Version IE
- 2014-04-23 05:09:26 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit
- 2014-04-23 05:09:28 UTC - 192.168.204.226:49160 - 89.161.140.32:80 - ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download
- 2014-04-23 05:09:28 UTC - 89.161.140.32:80 - 192.168.204.226:49160 - ET CURRENT_EVENTS GoonEK encrypted binary (3)
VM: IE 10, Flash 12.0.0.38, Java 7 update 13, and Silverlight 5.1.10411
- 05:26:15 UTC - 192.168.204.194:49159 - 66.96.223.222:80 - 66.96.223.222 - GET /zyso.cgi?18
- 05:26:16 UTC - 192.168.204.194:49161 - 89.161.140.32:80 - ekoplanowanie.pl - GET /6/6/jar/OV.html
- 05:26:18 UTC - 192.168.204.194:49162 - 89.161.140.32:80 - ekoplanowanie.pl - GET /swf.swf
- 05:26:20 UTC - 192.168.204.194:49162 - 89.161.140.32:80 - ekoplanowanie.pl - GET /8936.mp3?rnd=95369
- 05:26:24 UTC - 192.168.204.194:49162 - 89.161.140.32:80 - ekoplanowanie.pl - GET /9501.swf
- 05:26:26 UTC - 192.168.204.194:49162 - 89.161.140.32:80 - ekoplanowanie.pl - GET /369.xap
Events triggered in Security Onion:
- 2014-04-23 05:26:15 UTC - 192.168.204.194:49159 - 66.96.223.222:80 - ET CURRENT_EVENTS EvilTDS Redirection
- 2014-04-23 05:26:16 UTC - 89.161.140.32:80 - 192.168.204.194:49161 - ET INFO Obfuscated Split String (Double Q) 2
- 2014-04-23 05:26:18 UTC - 192.168.204.194:49162 - 89.161.140.32:80 - ET POLICY Outdated Windows Flash Version IE
- 2014-04-23 05:26:20 UTC - 192.168.204.194:49162 - 89.161.140.32:80 - ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download
- 2014-04-23 05:26:26 UTC - 192.168.204.194:49162 - 89.161.140.32:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit
VM: IE 10 and Java 7 update 17
- 05:36:41 UTC - 192.168.204.195:49363 - 66.96.223.222:80 - 66.96.223.222 - GET /zyso.cgi?18
- 05:36:41 UTC - 192.168.204.195:49365 - 59.106.13.213:80 - mcs-clean.sakura.ne.jp - GET /_echlw_.aspx?common_obj=1&trend-src=txt&process=class
- 05:36:52 UTC - 192.168.204.195:49367 - 59.106.13.213:80 - mcs-clean.sakura.ne.jp - GET /6238.xml
- 05:36:53 UTC - 192.168.204.195:49367 - 59.106.13.213:80 - mcs-clean.sakura.ne.jp - GET /7635.jar
- 05:36:53 UTC - 192.168.204.195:49367 - 59.106.13.213:80 - mcs-clean.sakura.ne.jp - GET /META-INF/services/javax.xml.datatype.DatatypeFactory
Events triggered in Security Onion:
- 2014-04-23 05:36:41 UTC - 192.168.204.195:49363 - 66.96.223.222:80 - ET CURRENT_EVENTS EvilTDS Redirection
- 2014-04-23 05:36:42 UTC - 59.106.13.213:80 - 192.168.204.195:49365 - ET INFO Obfuscated Split String (Double Q) 2
- 2014-04-23 05:36:52 UTC - 192.168.204.195:49367 - 59.106.13.213:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
- 2014-04-23 05:36:52 UTC - 192.168.204.195:49367 - 59.106.13.213:80 - ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura)
- 2014-04-23 05:36:53 UTC - 59.106.13.213:80 - 192.168.204.195:49367 - ET INFO JAR Size Under 30K Size - Potentially Hostile
- 2014-04-23 05:36:53 UTC - 59.106.13.213:80 - 192.168.204.195:49367 - ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori
- 2014-04-23 05:36:53 UTC - 59.106.13.213:80 - 192.168.204.195:49367 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- 2014-04-23 05:36:53 UTC - 59.106.13.213:80 - 192.168.204.195:49367 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 2014-04-23 05:36:53 UTC - 192.168.204.195:49367 - 59.106.13.213:80 - ET CURRENT_EVENTS SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)
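The three runs above share one shape: a hit on the redirector, a landing page on the EK host, one or more numeric-named exploit files (.swf, .xap, .jar, .xml), and, when the EK decides to serve it, a payload request of the form /<number>.mp3?rnd=<number>. As an added example (not part of the original post and not a tool from this site), here is a small Python script that parses request lines in the format used in this post, groups them per client, and reports the suspected chain and whether a payload request was seen. The line format, the regexes, the 60-second window and the sample lines (copied from the IE 8 and Java 7u17 runs above) are assumptions made for illustration; the patterns are written from this post's observations only and would need tuning before use against real proxy logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in the format used in this post:
# "<time> UTC - <src>:<port> - <dst>:<port> - <host> - <method> <path>"
# Lines copied from the IE 8 run documented above.
SAMPLE_IE8 = """\
05:09:20 UTC - 192.168.204.226:49158 - 66.96.223.222:80 - 66.96.223.222 - GET /zyso.cgi?18
05:09:21 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ekoplanowanie.pl - GET /6/6/jar/OV.html
05:09:26 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ekoplanowanie.pl - GET /2381.swf
05:09:26 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ekoplanowanie.pl - GET /5218.xap
05:09:28 UTC - 192.168.204.226:49160 - 89.161.140.32:80 - ekoplanowanie.pl - GET /83.mp3?rnd=11160
05:09:29 UTC - 192.168.204.226:49159 - 89.161.140.32:80 - ekoplanowanie.pl - GET /83.mp3?rnd=36292
"""

# Lines copied from the Java 7 update 17 run documented above.
SAMPLE_JAVA = """\
05:36:41 UTC - 192.168.204.195:49363 - 66.96.223.222:80 - 66.96.223.222 - GET /zyso.cgi?18
05:36:41 UTC - 192.168.204.195:49365 - 59.106.13.213:80 - mcs-clean.sakura.ne.jp - GET /_echlw_.aspx?common_obj=1&trend-src=txt&process=class
05:36:52 UTC - 192.168.204.195:49367 - 59.106.13.213:80 - mcs-clean.sakura.ne.jp - GET /6238.xml
05:36:53 UTC - 192.168.204.195:49367 - 59.106.13.213:80 - mcs-clean.sakura.ne.jp - GET /7635.jar
05:36:53 UTC - 192.168.204.195:49367 - 59.106.13.213:80 - mcs-clean.sakura.ne.jp - GET /META-INF/services/javax.xml.datatype.DatatypeFactory
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) UTC - (?P<src>[\d.]+):\d+ - "
    r"(?P<dst>[\d.]+):\d+ - (?P<host>\S+) - (?P<method>GET|POST) (?P<path>\S+)$"
)

# Stage indicators taken from this post's traffic (assumed patterns, tune for real logs).
TDS_HOSTS = {"66.96.223.222"}                         # redirector seen in all three runs
EXPLOIT_RE = re.compile(r"^/\d+\.(swf|xap|jar|xml)$")  # numeric-named exploit files
PAYLOAD_RE = re.compile(r"^/\d+\.mp3\?rnd=\d+$")       # "<n>.mp3?rnd=<n>" payload request
LANDING_EXTS = (".html", ".aspx")                     # landing pages seen above


def parse(log_text):
    """Parse request lines; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["time"], "%H:%M:%S")
            events.append(ev)
    return events


def classify(ev):
    """Map one request to a chain stage, or None if it matches nothing."""
    path = ev["path"]
    if ev["host"] in TDS_HOSTS:
        return "redirect"
    if PAYLOAD_RE.match(path):
        return "payload"
    if EXPLOIT_RE.match(path):
        return "exploit_" + path.rsplit(".", 1)[1]
    if path.split("?", 1)[0].endswith(LANDING_EXTS):
        return "landing"
    return None


def find_chains(log_text, window=timedelta(seconds=60)):
    """Return {client_ip: chain} for clients that hit the redirector and then
    fetched at least one exploit file within the window."""
    per_client = defaultdict(list)
    for ev in parse(log_text):
        stage = classify(ev)
        if stage:
            per_client[ev["src"]].append((ev["time"], stage, ev["host"], ev["path"]))
    chains = {}
    for src, hits in per_client.items():
        hits.sort(key=lambda h: h[0])  # stable: ties keep log order
        stages = [h[1] for h in hits]
        has_exploit = any(s.startswith("exploit_") for s in stages)
        if "redirect" in stages and has_exploit and hits[-1][0] - hits[0][0] <= window:
            chains[src] = {
                "ek_hosts": sorted({h[2] for h in hits if h[1] != "redirect"}),
                "stages": stages,
                "payload_seen": "payload" in stages,
            }
    return chains


if __name__ == "__main__":
    for name, sample in (("IE 8 run", SAMPLE_IE8), ("Java run", SAMPLE_JAVA)):
        for src, chain in find_chains(sample).items():
            print(name, src, "->", ", ".join(chain["ek_hosts"]))
            print("  stages:", " > ".join(chain["stages"]))
            print("  payload request seen:", chain["payload_seen"])
```

Run stand-alone, the script reports one chain per sample: the IE 8 run ends in two payload requests, while the Java run stops at the .jar with no payload request, which matches the note above that the payload was only served on the first attempt. The redirector hit is what anchors the chain; numeric-named .swf/.jar files or a .mp3?rnd= request on their own are weaker signals and are only counted once the client has been through the redirect.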
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: 2014-04-23-Goon-EK-silverlight-exploit.xap
File size: 13.3 KB ( 13662 bytes )
MD5 hash: 1df198a54fcda8de939f27b7b1d4c228
Detection ratio: 0 / 50
First submission: 2014-04-22 19:07:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/afe878d4d082a1cdd45e6355c7f884b6fe42454f13b5be163d8b3775748fe9e6/analysis/
JAVA EXPLOIT
File name: 2014-04-23-Goon-EK-java-exploit.jar
File size: 11.7 KB ( 11956 bytes )
MD5 hash: 6cfb13e2d028cea367ae996c4f90cb20
Detection ratio: 4 / 51
First submission: 2014-04-23 06:41:17 UTC
VirusTotal link: https://www.virustotal.com/en/file/3f230492c466a935ca3129442f9a0122f7736d0d97bf569b35695f72cb1deeb7/analysis/
FLASH FILE SEEN IN IE8 AND IE10 TRAFFIC
File name: 2014-04-23-Goon-EK-flash-file-ie8-and-ie10.swf
File size: 6.0 KB ( 6143 bytes )
MD5 hash: b20a2e4ff34c97e6714f500b9ccd8485
Detection ratio: 1 / 51
First submission: 2014-04-21 07:03:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/912b53ffc1c7c1a479e9b6502a82e1d6ecf3e4b181b32fb7a323700187b15674/analysis/
FLASH FILE ONLY NOTED IN IE10 TRAFFIC
File name: 2014-04-23-Goon-EK-flash-file-ie10-only.swf
File size: 5.8 KB ( 5908 bytes )
MD5 hash: 7890096fc1557e3ba11414b553b8237b
Detection ratio: 0 / 51
First submission: 2014-04-21 07:03:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/2442dd36044fa2b3efd0b4367ab23bed26c42116085821d55c46954d35521fef/analysis/
MALWARE PAYLOAD
File name: 2014-04-23-Goon-EK-malware-payload.exe
File size: 134.4 KB ( 137576 bytes )
MD5 hash: 8c970d380537aa513840e534e26194ae
Detection ratio: 23 / 51
First submission: 2014-04-18 08:14:34 UTC
VirusTotal link: https://www.virustotal.com/en/file/800134f1b4e19de8ae311f1283c707f5886b5f408f6830cf545f22c4ced76c42/analysis/
Malwr link: https://malwr.com/analysis/ZDQyNzgwY2EwMmM5NGMxOTlmMDczZjMzZjdkOTk2MTk/
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-04-23-Goon-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-04-23-Goon-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.