2014-06-04 - INFINITY EK FROM 173.236.152.199 - BCREATIVEWORKS.COM
ASSOCIATED FILES:
- ZIP of PCAPs: 2014-06-04-Infinity-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-04-Infinity-EK-malware.zip
NOTES:
- The PCAP contains a failed infection attempt using IE 10, along with the successful attempt with IE 8.
- The chain of events below only shows the successful IE 8 infection.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 213.5.176.14 - www.johnknightglass.co.uk - Compromised website
- 87.239.158.34 - www.investinbg.co.uk - Redirect
- 173.236.152.199 - bcreativeworks.com - Infinity EK
- 87.118.90.136 - 87.118.90.136 - Post-infection Necurs checkin
COMPROMISED WEBSITE AND REDIRECTS:
- 07:13:27 UTC - 192.168.204.228:49171 - 213.5.176.14:80 - www.johnknightglass.co.uk - GET /
- 07:13:28 UTC - 192.168.204.228:49184 - 87.239.158.34:80 - www.investinbg.co.uk - GET /count.php?id=9959892
- 07:13:28 UTC - 192.168.204.228:49184 - 87.239.158.34:80 - www.investinbg.co.uk - GET /count.php?id=9959868
- 07:13:33 UTC - 192.168.204.228:49184 - 87.239.158.34:80 - www.investinbg.co.uk - GET /count.php?id=9959869
INFINITY EK:
- 07:13:28 UTC - 192.168.204.228:49188 - 173.236.152.199:80 - bcreativeworks.com - GET /_ihi_.htm
- 07:13:33 UTC - 192.168.204.228:49193 - 173.236.152.199:80 - bcreativeworks.com - GET /9844.swf
- 07:13:34 UTC - 192.168.204.228:49193 - 173.236.152.199:80 - bcreativeworks.com - GET /6137.xap
- 07:13:37 UTC - 192.168.204.228:49195 - 173.236.152.199:80 - bcreativeworks.com - GET /66.mp3?rnd=90611
- 07:13:39 UTC - 192.168.204.228:49195 - 173.236.152.199:80 - bcreativeworks.com - GET /66.mp3?rnd=34426
POST-INFECTION CALLBACK TRAFFIC:
- 07:14:00 UTC - 192.168.204.228:49197 - 87.118.90.136:80 - 87.118.90.136 - POST /news/index.php
- 07:14:01 UTC - 192.168.204.228:49197 - 87.118.90.136:80 - 87.118.90.136 - POST /news/index.php
- 07:14:03 UTC - 192.168.204.228:49197 - 87.118.90.136:80 - 87.118.90.136 - POST /news/index.php
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOITS
File name: 2014-06-04-Infinity-EK-flash-exploit-ie8.swf
File size: 6.5 KB ( 6672 bytes )
MD5 hash: 7460394d9a4feaebef0cbb41f62a452b
Detection ratio: 3 / 51
First submission: 2014-06-03 14:16:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/81973f82918199070c9208cdcfc416c481162e0d0e832e483aeb1245f2d624d5/analysis/
File name: 2014-06-04-Infinity-EK-flash-exploit-ie10.swf
File size: 6.0 KB ( 6186 bytes )
MD5 hash: 8b0e41535554df698506fbd09bc6366e
Detection ratio: 1 / 51
First submission: 2014-06-04 08:08:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/e3ea4b6c7c31de2e80082e817dc477ac078e74005ac393a32c100916c3ee5b86/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-06-04-Infinity-EK-silverlight-exploit.xap
File size: 15.1 KB ( 15419 bytes )
MD5 hash: 933449d7357efaf47641ca505615a78d
Detection ratio: 2 / 51
First submission: 2014-05-31 16:15:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/fbd1bc67d84c8179e78ece6bf65035ad1dede3f646704432f5c6489b139cb130/analysis/
MALWARE PAYLOAD
File name: 2014-06-04-Infinity-EK-malware-payload.exe
File size: 115.0 KB ( 117760 bytes )
MD5 hash: 431d2ac68d63bbf30e3b5636ca1ae823
Detection ratio: 33 / 51
First submission: 2014-05-30 11:48:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/41b1a1ec61b2c8aa683f0310e3075d7d29d97fbe883d6e953ff2260417d38fe7/analysis/
Malwr link: https://malwr.com/analysis/ODAwYWRjOTRjNDY0NGM5ZWE5YmZlOWU0MTMwMDBkZDk/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
Emerging Threats and ETPRO rulesets:
- 2014-06-04 07:13:29 UTC - 173.236.152.199:80 - 192.168.204.228:49188 - ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014 (sid:2018440)
- 2014-06-04 07:13:34 UTC - 192.168.204.228:49193 - 173.236.152.199:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
- 2014-06-04 07:13:37 UTC - 192.168.204.228:49195 - 173.236.152.199:80 - ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download (sid:2017998)
- 2014-06-04 07:13:38 UTC - 173.236.152.199:80 - 192.168.204.228:49195 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
- 2014-06-04 07:13:46 UTC - 192.168.204.228:55433 - 162.243.56.54:53 - ET CURRENT_EVENTS DNS Query Domain .bit (sid:2017645)
- 2014-06-04 07:14:00 UTC - 192.168.204.228:49197 - 87.118.90.136:80 - ETPRO TROJAN Win32/Necurs Checkin 4 (sid:2808090)
- 2014-06-04 07:17:04 UTC - 192.168.204.228:49208 - 173.236.152.199:80 - ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura) (sid:2017199)
- 2014-06-04 07:17:04 UTC - 173.236.152.199:80 - 192.168.204.228:49208 - ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity (sid:2017064)
Sourcefire VRT ruleset:
- 2014-06-04 07:13:37 UTC - 192.168.204.228:49195 - 173.236.152.199:80 - EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (sid:30319)
- 2014-06-04 07:13:38 UTC - 173.236.152.199:80 - 192.168.204.228:49195 - EXPLOIT-KIT Goon/Infinity exploit kit encrypted binary download (sid:30934)
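The Snort alerts above and the HTTP requests in the chain of events describe the same flows, so they can be tied together by client socket and timestamp. The script below is an added example, not part of the original write-up: it parses lines copied verbatim from this page's chain-of-events and Snort-event lists and attributes each alert to the most recent request on the same client IP:port at or before the alert time. The matching rule, the 30-second window, and the use of the page date to complete the clock-only request timestamps are assumptions of the example; alerts that match no listed request (the .bit DNS query and the later traffic on port 49208) are reported as unmatched rather than guessed at.

```python
"""Correlate Snort alerts with the HTTP requests in the chain of events.

Added example, not part of the original write-up. Sample lines are copied from
the page's chain-of-events and Snort-event lists. Matching rule (an assumption):
an alert belongs to the latest request on the same client socket at or before
the alert time, within a window.
"""
import re
from datetime import datetime, timedelta

CAPTURE_DATE = "2014-06-04"  # chain-of-events lines carry only a clock time

# HTTP requests as listed in the chain of events on the page.
HTTP_LOG = """\
- 07:13:27 UTC - 192.168.204.228:49171 - 213.5.176.14:80 - www.johnknightglass.co.uk - GET /
- 07:13:28 UTC - 192.168.204.228:49184 - 87.239.158.34:80 - www.investinbg.co.uk - GET /count.php?id=9959892
- 07:13:28 UTC - 192.168.204.228:49184 - 87.239.158.34:80 - www.investinbg.co.uk - GET /count.php?id=9959868
- 07:13:33 UTC - 192.168.204.228:49184 - 87.239.158.34:80 - www.investinbg.co.uk - GET /count.php?id=9959869
- 07:13:28 UTC - 192.168.204.228:49188 - 173.236.152.199:80 - bcreativeworks.com - GET /_ihi_.htm
- 07:13:33 UTC - 192.168.204.228:49193 - 173.236.152.199:80 - bcreativeworks.com - GET /9844.swf
- 07:13:34 UTC - 192.168.204.228:49193 - 173.236.152.199:80 - bcreativeworks.com - GET /6137.xap
- 07:13:37 UTC - 192.168.204.228:49195 - 173.236.152.199:80 - bcreativeworks.com - GET /66.mp3?rnd=90611
- 07:13:39 UTC - 192.168.204.228:49195 - 173.236.152.199:80 - bcreativeworks.com - GET /66.mp3?rnd=34426
- 07:14:00 UTC - 192.168.204.228:49197 - 87.118.90.136:80 - 87.118.90.136 - POST /news/index.php
- 07:14:01 UTC - 192.168.204.228:49197 - 87.118.90.136:80 - 87.118.90.136 - POST /news/index.php
- 07:14:03 UTC - 192.168.204.228:49197 - 87.118.90.136:80 - 87.118.90.136 - POST /news/index.php
"""

# Snort alerts (ET, ETPRO and Sourcefire VRT) as listed on the page.
SNORT_LOG = """\
- 2014-06-04 07:13:29 UTC - 173.236.152.199:80 - 192.168.204.228:49188 - ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014 (sid:2018440)
- 2014-06-04 07:13:34 UTC - 192.168.204.228:49193 - 173.236.152.199:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
- 2014-06-04 07:13:37 UTC - 192.168.204.228:49195 - 173.236.152.199:80 - ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download (sid:2017998)
- 2014-06-04 07:13:38 UTC - 173.236.152.199:80 - 192.168.204.228:49195 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
- 2014-06-04 07:13:46 UTC - 192.168.204.228:55433 - 162.243.56.54:53 - ET CURRENT_EVENTS DNS Query Domain .bit (sid:2017645)
- 2014-06-04 07:14:00 UTC - 192.168.204.228:49197 - 87.118.90.136:80 - ETPRO TROJAN Win32/Necurs Checkin 4 (sid:2808090)
- 2014-06-04 07:17:04 UTC - 192.168.204.228:49208 - 173.236.152.199:80 - ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura) (sid:2017199)
- 2014-06-04 07:17:04 UTC - 173.236.152.199:80 - 192.168.204.228:49208 - ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity (sid:2017064)
- 2014-06-04 07:13:37 UTC - 192.168.204.228:49195 - 173.236.152.199:80 - EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (sid:30319)
- 2014-06-04 07:13:38 UTC - 173.236.152.199:80 - 192.168.204.228:49195 - EXPLOIT-KIT Goon/Infinity exploit kit encrypted binary download (sid:30934)
"""

HTTP_RE = re.compile(
    r"^- (\d\d:\d\d:\d\d) UTC - (\S+):(\d+) - (\S+):(\d+) - (\S+) - (\S+) (\S+)$")
SNORT_RE = re.compile(
    r"^- (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - (\S+):(\d+) - (\S+):(\d+) - (.+) \(sid:(\d+)\)$")


def parse_requests(text):
    """Return (time, client_socket, method, path) for each chain-of-events line."""
    out = []
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue  # headings or lines in another format are skipped
        hms, cip, cport, _sip, _sport, _host, method, path = m.groups()
        when = datetime.strptime(f"{CAPTURE_DATE} {hms}", "%Y-%m-%d %H:%M:%S")
        out.append((when, (cip, int(cport)), method, path))
    return out


def parse_alerts(text):
    """Return (time, endpoint_set, message, sid) for each Snort line; direction is not assumed."""
    out = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue
        ts, a_ip, a_port, b_ip, b_port, msg, sid = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        out.append((when, {(a_ip, int(a_port)), (b_ip, int(b_port))}, msg, int(sid)))
    return out


def correlate(requests, alerts, window=timedelta(seconds=30)):
    """Map each alert sid to the request that most plausibly triggered it, or None.

    Server-to-client alerts list the server first, so both alert endpoints are
    tried against the request client sockets. The latest request at or before
    the alert time, and not older than `window`, wins.
    """
    by_socket = {}
    for when, sock, method, path in requests:
        by_socket.setdefault(sock, []).append((when, f"{method} {path}"))
    result = {}
    for when, endpoints, _msg, sid in alerts:
        best = None
        for sock in endpoints:
            for req_time, req in by_socket.get(sock, []):
                if req_time <= when <= req_time + window:
                    if best is None or req_time > best[0]:
                        best = (req_time, req)
        result[sid] = best[1] if best else None
    return result


if __name__ == "__main__":
    matches = correlate(parse_requests(HTTP_LOG), parse_alerts(SNORT_LOG))
    for sid, req in sorted(matches.items()):
        print(f"sid:{sid} -> {req or 'no matching request in the chain of events'}")
```

Run as-is, the landing-page, Silverlight, payload-download and Necurs check-in alerts each land on the request you would expect from the chain of events, while the four alerts with no matching request flag traffic the published chain of events does not cover, which is exactly the gap an analyst would go back to the PCAP to fill.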
HIGHLIGHTS FROM THE TRAFFIC
Malicious JavaScript in page from compromised website:
Redirect pointing to Infinity EK:
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-04-Infinity-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-04-Infinity-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.