2014-06-30 - INFINITY EK FROM 188.65.113.171 - D7HOSTING.COM
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-06-30-Infinity-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-30-Infinity-EK-malware.zip
CHAIN OF EVENTS
INFINITY EK:
- 02:46:03 UTC - 192.168.204.226:49210 - 188.65.113.171:80 - d7hosting.com - GET /slide/rarscanner.html
- 02:46:24 UTC - 192.168.204.226:49211 - 188.65.113.171:80 - d7hosting.com - GET /6468.swf
- 02:46:24 UTC - 192.168.204.226:49212 - 188.65.113.171:80 - d7hosting.com - GET /1581.xap
- 02:46:40 UTC - 192.168.204.226:49213 - 188.65.113.171:80 - d7hosting.com - GET /55.mp3?rnd=26518
- 02:46:55 UTC - 192.168.204.226:49214 - 188.65.113.171:80 - d7hosting.com - GET /55.mp3?rnd=69155
- 02:47:14 UTC - 192.168.204.226:49216 - 188.65.113.171:80 - d7hosting.com - GET /37521495.mp3?rnd=43805
POST-INFECTION TRAFFIC:
- 02:47:20 UTC - 192.168.204.226:57733 - 192.168.204.2:53 - Standard query 0x1848 - A fargocrafts2.com
- 02:47:20 UTC - 192.168.204.2:53 - 192.168.204.226:57733 - Standard query response 0x1848 - A 185.4.64.84
- 02:47:21 UTC - 192.168.204.226:49217 - 185.4.64.84:443 - HTTPS traffic to fargocrafts2.com
- 02:47:25 UTC - 192.168.204.226:49219 - 185.4.64.84:443 - HTTPS traffic to fargocrafts2.com
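Added example, not part of the original post: a small Python script that reconstructs the Infinity EK request pattern from the chain-of-events lines above (landing page, then .swf/.xap exploit retrieval, then fake .mp3 payload requests with an rnd= parameter), grouped per client and host. The log line format and the 120-second window are assumptions for this example.

```python
import re
from collections import defaultdict
# Constructed sample input: the six HTTP requests from the chain of events above.
SAMPLE = """\
02:46:03 UTC - 192.168.204.226:49210 - 188.65.113.171:80 - d7hosting.com - GET /slide/rarscanner.html
02:46:24 UTC - 192.168.204.226:49211 - 188.65.113.171:80 - d7hosting.com - GET /6468.swf
02:46:24 UTC - 192.168.204.226:49212 - 188.65.113.171:80 - d7hosting.com - GET /1581.xap
02:46:40 UTC - 192.168.204.226:49213 - 188.65.113.171:80 - d7hosting.com - GET /55.mp3?rnd=26518
02:46:55 UTC - 192.168.204.226:49214 - 188.65.113.171:80 - d7hosting.com - GET /55.mp3?rnd=69155
02:47:14 UTC - 192.168.204.226:49216 - 188.65.113.171:80 - d7hosting.com - GET /37521495.mp3?rnd=43805
""".splitlines()
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) UTC - (\S+?):\d+ - \S+?:\d+ - (\S+) - GET (\S+)$")

def parse_event(line):
    """Return (seconds since midnight, client ip, host, uri), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, client, host, uri = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), client, host, uri

def stage_of(uri):
    """Map a request URI onto the Infinity EK stages seen above; None if it fits none of them."""
    path, _, query = uri.partition("?")
    if path.endswith(".html"):
        return "landing"
    if path.endswith((".swf", ".xap")):
        return "exploit"
    if path.endswith(".mp3") and re.fullmatch(r"rnd=\d+", query):
        return "payload"  # fake .mp3 fetched with a cache-busting rnd= parameter

def find_infinity_chains(lines, window=120):
    """Flag (client, host) pairs showing landing -> exploit -> payload within `window` seconds."""
    per_pair = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and stage_of(ev[3]):
            per_pair[(ev[1], ev[2])].append((ev[0], stage_of(ev[3]), ev[3]))
    chains = []
    for (client, host), events in per_pair.items():
        events.sort(key=lambda e: e[0])  # stable sort keeps request order within one second
        t0 = next((t for t, s, _ in events if s == "landing"), None)
        if t0 is None:
            continue
        later = [(s, u) for t, s, u in events if t0 < t <= t0 + window]
        exploits = [u for s, u in later if s == "exploit"]
        payloads = [u for s, u in later if s == "payload"]
        if exploits and payloads:
            chains.append({"client": client, "host": host, "exploits": exploits, "payloads": payloads})
    return chains
```

Running `find_infinity_chains(SAMPLE)` on the lines above returns one chain for 192.168.204.226 against d7hosting.com with two exploit requests and three payload requests.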
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-06-30-Infinity-EK-flash-exploit.swf
File size: 4.0 KB ( 4084 bytes )
MD5 hash: 368bf49f08111c32fed060a61ba87bac
Detection ratio: 0 / 54
First submission: 2014-06-11 17:05:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/7c0c66afb9d90192c172ee6b9368e2c6425cff1bf02bdf426064b889646d7af4/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-06-30-Infinity-EK-silverlight-exploit.xap
File size: 12.3 KB ( 12580 bytes )
MD5 hash: 13110267b2764269c5e064cab95dca0c
Detection ratio: 0 / 54
First submission: 2014-06-28 13:21:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/81c0bca7a6b8a2ac5d5a08cd32620ac93d1b478e9d6bd5385a455e1d57dcc6c8/analysis/
MALWARE PAYLOAD
File name: 2014-06-30-Infinity-EK-malware-payload.exe
File size: 231.8 KB ( 237332 bytes )
MD5 hash: 42fa88a8a004de2edeb088f2713b78e5
Detection ratio: 3 / 54
First submission: 2014-06-30 03:07:25 UTC
VirusTotal link: https://www.virustotal.com/en/file/c25e174a4a74ceb540fdea97200a0f3e2a7710686d9623412d419a849b88e278/analysis/
Malwr link: https://malwr.com/analysis/OTM5NTFiMTNhNDVlNGYyODg5ZGExNmZkMmQ5YjVlZTE/
SNORT EVENTS
These Snort events were taken from Sguil on Security Onion using the default Emerging Threats rule set. This list does not include the ET INFO or ET POLICY rules.
- 188.65.113.171:80 - 192.168.204.226:49210 - ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014 (sid:2018440)
- 192.168.204.226:49212 - 188.65.113.171:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
- 192.168.204.226:49213 - 188.65.113.171:80 - ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download (sid:2017998)
- 188.65.113.171:80 - 192.168.204.226:49213 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
- 185.4.64.84:443 - 192.168.204.226:49217 - ET TROJAN Self-Signed Cert Observed in Various Zbot Strains (sid:2018284)
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-06-30-Infinity-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-30-Infinity-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.