2014-04-03 - FLASHPACK EK

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

NOTE: I've only included traffic from the FlashPack exploit IP address, 78.157.209.194 (UK).  More details on the traffic can be found in my blog entry on 2014-03-29.

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-04-03-FlashPack-EK-silverlight-exploit.xap
File size:  21.8 KB ( 22319 bytes )
MD5 hash:  0fdf64c3cdd5d592fdb357fbba5efeec
Detection ratio:  12 / 51
First submission:  2014-03-13 18:36:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/119fdd3aa3154ce53e8df0dcebfb9469fced6c76c1668cb0d8a1f98106a5ea98/analysis/

JAVA EXPLOIT

File name:  2014-04-03-FlashPack-EK-java-exploit.jar
File size:  9.5 KB ( 9690 bytes )
MD5 hash:  e5c7b0714c4735d4df40d55f9d73cbb1
Detection ratio:  11 / 50
First submission:  2014-03-06 17:37:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e918479fc7a46f45a65d3726eae336a6b6d3c4b9b13906d2dcf7ca96ab2e02d/analysis/

MALWARE PAYLOAD 1 OF 3

File name:  2014-04-03-FlashPack-EK-malware-payload-01.exe
File size:  13.0 KB ( 13312 bytes )
MD5 hash:  a4c18f703474076b0fa51adf0b773924
Detection ratio:  4 / 51
First submission:  2014-04-03 18:37:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fb09d8d7dc29c034a2d7a95bac45cbfaddb72200e30e6c2756f30a7fb2d83570/analysis/
Malwr link:  https://malwr.com/analysis/YTM4MTc5MDM1ZjNiNDMyNzkwNTI4MWRkMjg4MDQ2Mjg/

MALWARE PAYLOAD 2 OF 3

File name:  2014-04-03-FlashPack-EK-malware-payload-02.exe
File size:  90.4 KB ( 92539 bytes )
MD5 hash:  e473d28c8f8f7718c802396d49cc7e42
Detection ratio:  10 / 51
First submission:  2014-04-03 18:37:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/81fdd1088c2f50e309f363c557886cfb6d56783b438e181b34dedd121e1e1702/analysis/
Malwr link:  https://malwr.com/analysis/ZWU0OGFlMDA4NTJkNGIwN2FiMmE3MzhjNjBiNWYwNzM/

MALWARE PAYLOAD 3 OF 3

File name:  2014-04-03-FlashPack-EK-malware-payload-03.exe
File size:  139.0 KB ( 142353 bytes )
MD5 hash:  eaa1d52d4048153c442586df897cb594
Detection ratio:  13 / 51
First submission:  2014-04-03 18:38:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7075af4eb2c5c4afce8be65467474b9cf844d8628cc15ba26d1a06a1932a754f/analysis/
Malwr link:  https://malwr.com/analysis/MjI0MDUxODYwMjNlNDA4Njk0MzdiNDllN2QwMGU1ZGU/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.