Malware-Traffic-Analysis.net - 2014-08-24

2014-08-24 - FIESTA EK FROM 64.202.116[.]154 - SBZRSVI.DDNSKING[.]COM

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

NOTES:

This is a quick blog entry to show the latest change in Zemot/Rerdom callback domains.
I wasn't able to grab the Fiesta EK malware payload from the infected VM, and this traffic has the same exploits from my previous blog entry on Fiesta.

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

64.202.116[.]154 - sbzrsvi.ddnsking[.]com - Fiesta EK
181.136.220[.]15 - from-gunergs[.]ru - Zemot/Rerdom callback traffic
108.23.26[.]2 and 109.184.189[.]158 - oak-tureght[.]ru - Zemot/Rerdom callback traffic
96.248.32[.]30 - triple-bow[.]su - Zemot/Rerdom callback traffic
208.76.172[.]96 - additional callback on port 8080 = Zemot/Rerdom callback traffic

FIESTA EK:

01:06:53 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/counter.php?id=2
01:06:54 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/?2
01:06:55 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/4e1bda0d23296b4047125759565a0557045709595003005f0156575b57585100;112202;228
01:06:55 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/4749b1392c835ee95d525802500a060a04050c0256530302010452005108525d
01:06:55 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/282f12bafdf0dd564154445d03095752020a0a5d0550525a070b545f020b0305;4060129
01:06:56 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/185f144b0ff73ba45d51575d030f0151010a0d5d05560459040b535f020d5506;910
01:06:56 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/0471ebb1d8315d1353445c0a5759570200060f0a5100520a05075108565b0355;6
01:06:57 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/0471ebb1d8315d1353445c0a5759570200060f0a5100520a05075108565b0355;6;1
01:06:59 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/11ae487faf366d8552410a5e060302550103595e005a075d0402075c07015603;4
01:07:01 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/11ae487faf366d8552410a5e060302550103595e005a075d0402075c07015603;4;1
01:07:09 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/3e5fb71ad8315d1350155e5d500c045203570d5d5655015a0656535f510e5005;5
01:07:10 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/3e5fb71ad8315d1350155e5d500c045203570d5d5655015a0656535f510e5005;5;1
01:07:10 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/284dd5007b8fad75534a555f560e0503020a0c5f5057000b070b525d570c5154
01:07:12 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/7bc84be0133a62b5541a06030659500307505b030000550b02510501075b0454;1;2
01:07:16 UTC - sbzrsvi.ddnsking[.]com - GET /xfb65iy/7bc84be0133a62b5541a06030659500307505b030000550b02510501075b0454;1;2;1

POST-INFECTION TRAFFIC:

01:06:58 UTC - 181.136.220[.]15:80 - from-gunergs[.]ru - GET /b/shoe/54613
01:07:00 UTC - 109.184.189[.]158:80 - oak-tureght[.]ru - GET /mod_articles-auth9565.6595/jquery/
01:07:01 UTC - 181.136.220[.]15:80 - from-gunergs[.]ru - GET /b/shoe/54613
01:07:02 UTC - 181.136.220[.]15:80 - from-gunergs[.]ru - GET /b/shoe/54613
01:07:03 UTC - 109.184.189[.]158:80 - oak-tureght[.]ru - GET /mod_articles-auth9565.6595/jquery/
01:07:10 UTC - 181.136.220[.]15:80 - from-gunergs[.]ru - GET /b/shoe/54613
01:07:15 UTC - 181.136.220[.]15:80 - from-gunergs[.]ru - GET /b/shoe/54613
01:07:16 UTC - 181.136.220[.]15:80 - from-gunergs[.]ru - GET /b/shoe/54613
01:07:17 UTC - 109.184.189[.]158:80 - oak-tureght[.]ru - GET /mod_articles-auth9565.6595/jquery/
01:07:18 UTC - 181.136.220[.]15:80 - from-gunergs[.]ru - GET /b/shoe/54613
01:07:20 UTC - 109.184.189[.]158:80 - oak-tureght[.]ru - GET /mod_articles-auth9565.6595/jquery/
01:08:16 UTC - 108.23.26[.]2:80 - oak-tureght[.]ru - GET /mod_jshoppi-deny6328.4569/soft64.dll
01:08:19 UTC - 96.248.32[.]30:80 - triple-bow[.]su - GET /b/eve/5d8bcdd89299304f5888aecf
01:09:19 UTC - 96.248.32[.]30:80 - triple-bow[.]su - POST /b/opt/1F1D3DA5F8AB79C137B98456
01:09:20 UTC - 96.248.32[.]30:80 - triple-bow[.]su - GET /b/letr/C336920B7141B5C1BE534856
01:09:20 UTC - 208.76.172[.]96:8080 - 208.76.172[.]96:8080 - POST /b/opt/9E10807CEA289B06253A6691
01:09:30 UTC - 208.76.172[.]96:8080 - 208.76.172[.]96:8080 - POST /b/opt/C2EF17BF16E43738D9F6CAAF
01:09:48 UTC - 208.76.172[.]96:8080 - 208.76.172[.]96:8080 - POST /b/req/F49CD52404776EEECB659379
01:10:49 UTC - 208.76.172[.]96:8080 - 208.76.172[.]96:8080 - POST /b/req/F49CD52404776EEECB659379

PRELIMINARY MALWARE ANALYSIS

RERDOM EXAMPLE:

File name: UpdateFlashPlayer_e96b6afc.exe
File size: 159,744 bytes
MD5 hash: b97c14f436a08dfeb8a5fd3cd330b0a5
Detection ratio: 7 / 55
First submission: 2014-08-24 02:17:16 UTC
VirusTotal link: https://www.virustotal.com/en/file/9416efc91239accf7bef876a00e547a77b5170d5982969f1e08560eb622f169a/analysis/

SNORT EVENTS FOR THE POST-INFECTION TRAFFIC

Post-infection signature hits from the Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET POLICY or ET INFO events):

ET TROJAN Win32/Zemot Checkin (sid:2018643)
ET TROJAN Win32/Zemot Checkin (sid:2018644)
ETPRO TROJAN Win32/Zemot User-Agent (sid:2808499)
ET TROJAN Win32/Zemot Config Download (sid:2018661)
ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload (sid:2018914)
GPL SHELLCODE x86 NOOP (sid:648)

Post-infection signature hits from the Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

[1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
[1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
[1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
[1:648:14] INDICATOR-SHELLCODE x86 NOOP
[1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
[1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority

Click here to return to the main page.