Malware-Traffic-Analysis.net - 2014-06-04

2014-06-04 - INFINITY EK FROM 173.236.152[.]199 - BCREATIVEWORKS[.]COM

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

NOTES:

The PCAP contains a failed infection attempt using IE 10, along with the successful attempt with IE 8.
The chain of events below only shows the successful IE 8 infection.

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

07:13:27 UTC - 213.5.176[.]14:80 - www.johnknightglass[.]co[.]uk - GET /
07:13:28 UTC - 87.239.158[.]34:80 - www.investinbg[.]co[.]uk - GET /count.php?id=9959892
07:13:28 UTC - 87.239.158[.]34:80 - www.investinbg[.]co[.]uk - GET /count.php?id=9959868
07:13:33 UTC - 87.239.158[.]34:80 - www.investinbg[.]co[.]uk - GET /count.php?id=9959869

INFINITY EK:

07:13:28 UTC - 173.236.152[.]199:80 - bcreativeworks[.]com - GET /_ihi_.htm
07:13:33 UTC - 173.236.152[.]199:80 - bcreativeworks[.]com - GET /9844.swf
07:13:34 UTC - 173.236.152[.]199:80 - bcreativeworks[.]com - GET /6137.xap
07:13:37 UTC - 173.236.152[.]199:80 - bcreativeworks[.]com - GET /66.mp3?rnd=90611
07:13:39 UTC - 173.236.152[.]199:80 - bcreativeworks[.]com - GET /66.mp3?rnd=34426

POST-INFECTION TRAFFIC:

FLASH EXPLOITS

File name: 2014-06-04-Infinity-EK-flash-exploit-ie8.swf
File size: 6,672 bytes
MD5 hash: 7460394d9a4feaebef0cbb41f62a452b
Detection ratio: 3 / 51
First submission: 2014-06-03 14:16:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/81973f82918199070c9208cdcfc416c481162e0d0e832e483aeb1245f2d624d5/analysis/

File name: 2014-06-04-Infinity-EK-flash-exploit-ie10.swf
File size: 6,186 bytes
MD5 hash: 8b0e41535554df698506fbd09bc6366e
Detection ratio: 1 / 51
First submission: 2014-06-04 08:08:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/e3ea4b6c7c31de2e80082e817dc477ac078e74005ac393a32c100916c3ee5b86/analysis/

SILVERLIGHT EXPLOIT

File name: 2014-06-04-Infinity-EK-silverlight-exploit.xap
File size: 15,419 bytes
MD5 hash: 933449d7357efaf47641ca505615a78d
Detection ratio: 2 / 51
First submission: 2014-05-31 16:15:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/fbd1bc67d84c8179e78ece6bf65035ad1dede3f646704432f5c6489b139cb130/analysis/

MALWARE PAYLOAD

File name: 2014-06-04-Infinity-EK-malware-payload.exe
File size: 117,760 bytes
MD5 hash: 431d2ac68d63bbf30e3b5636ca1ae823
Detection ratio: 33 / 51
First submission: 2014-05-30 11:48:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/41b1a1ec61b2c8aa683f0310e3075d7d29d97fbe883d6e953ff2260417d38fe7/analysis/

ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

2014-06-04 07:13:29 UTC - 173.236.152[.]199:80 - ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014 (sid:2018440)
2014-06-04 07:13:34 UTC - 173.236.152[.]199:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
2014-06-04 07:13:37 UTC - 173.236.152[.]199:80 - ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download (sid:2017998)
2014-06-04 07:13:38 UTC - 173.236.152[.]199:80 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
2014-06-04 07:13:46 UTC - 162.243.56[.]54:53 - ET CURRENT_EVENTS DNS Query Domain .bit (sid:2017645)
2014-06-04 07:14:00 UTC - 87.118.90[.]136:80 - ETPRO TROJAN Win32/Necurs Checkin 4 (sid:2808090)
2014-06-04 07:17:04 UTC - 173.236.152[.]199:80 - ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura) (sid:2017199)
2014-06-04 07:17:04 UTC - 173.236.152[.]199:80 - ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity (sid:2017064)

2014-06-04 07:13:37 UTC - 173.236.152[.]199:80 - EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (sid:30319)
2014-06-04 07:13:38 UTC - 173.236.152[.]199:80 - EXPLOIT-KIT Goon/Infinity exploit kit encrypted binary download (sid:30934)

Malicious javascript in page from compromised website:

Redirect pointing to Infinity EK:

Click here to return to the main page.