2014-04-03 - FLASHPACK EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-04-03-FlashPack-EK-traffic.pcap.zip
• 2014-04-03-FlashPack-EK-malware.zip

NOTES:

• I checked www.tollywood.net to see if the web site was still causing .htaccess style redirects to an exploit domain and adultfriendfinder[.]com (see 2014-03-08 blog entry).  It still is.  This is the same type of FlashPack EK traffic seen on 2014-03-29 with a different IP and different hashes for the malware payloads.


• On 2014-04-11, ESET malware researcher @marc_etienne_ tweeted:  hi @malware_traffic, what you describe here is a Cdorked/Onimiki redirection landing to Glupteba.M, Cheers! https://web-assets.esetstatic.com/wls/2014/03/operation_windigo.pdf ... #windigo

 

CHAIN OF EVENTS

NOTE: I've only included traffic from the FlashPack exploit IP address, 78.157.209[.]194 (UK).  More details on the traffic can be found in my blog entry on 2014-03-29.

INFECTION CHAIN OF EVENTS

• 07:14:57 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /index.php?v=dWJna3NmPW9pJnRpbWU9MTQwNDAzMDUxMi0yMD[long string]
• 07:14:58 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /favicon.ico
• 07:14:59 UTC - dqpo63edlc6eurmpd42wbl9517653afcefa51cd4323870f9ca4bca96.forexforum.gen[.]tr - GET /index2.php
• 07:14:59 UTC - dqpo63edlc6eurmpd42wbl9517653afcefa51cd4323870f9ca4bca96.forexforum.gen[.]tr - GET /favicon.ico
• 07:15:00 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/allow.php
• 07:15:01 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/js/pd.php?id=6471706f363365646c6336657[long string]
• 07:15:07 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - POST /codex/admin/get_json.php
• 07:15:07 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/msie.php
• 07:15:07 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/silver.php
• 07:15:07 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/javadb.php
• 07:15:07 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/link2jpg/index.php
• 07:15:08 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - HEAD /codex/admin/link2jpg/34ecc.swf
• 07:15:08 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/include/9131a7b2cadc5b3940467ac89021bf7e.eot
• 07:15:09 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/link2jpg/34ecc.swf
• 07:15:12 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/link2jpg/Erido.jpg
• 07:15:12 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/include/e6ace0a62e4d537c34c20459ba31b4a7.eot
• 07:15:13 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/loadsilver.php
• 07:15:30 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/include/2ed6c74a440ea6364fe19b02e1337cee.jar
• 07:15:30 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/include/2ed6c74a440ea6364fe19b02e1337cee.jar
• 07:15:31 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /codex/admin/loaddb.php
• 07:15:31 UTC - dqpo63edlc6eurmpd42wbl9.forexforum.gen[.]tr - GET /software.php?0403071819668789

 

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-04-03-FlashPack-EK-silverlight-exploit.xap
File size:  22,319 bytes
MD5 hash:  0fdf64c3cdd5d592fdb357fbba5efeec
Detection ratio:  12 / 51
First submission:  2014-03-13 18:36:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/119fdd3aa3154ce53e8df0dcebfb9469fced6c76c1668cb0d8a1f98106a5ea98/analysis/

 

JAVA EXPLOIT

File name:  2014-04-03-FlashPack-EK-java-exploit.jar
File size:  9,690 bytes
MD5 hash:  e5c7b0714c4735d4df40d55f9d73cbb1
Detection ratio:  11 / 50
First submission:  2014-03-06 17:37:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e918479fc7a46f45a65d3726eae336a6b6d3c4b9b13906d2dcf7ca96ab2e02d/analysis/

 

MALWARE PAYLOAD 1 OF 3

File name:  2014-04-03-FlashPack-EK-malware-payload-01.exe
File size:  13,312 bytes
MD5 hash:  a4c18f703474076b0fa51adf0b773924
Detection ratio:  4 / 51
First submission:  2014-04-03 18:37:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fb09d8d7dc29c034a2d7a95bac45cbfaddb72200e30e6c2756f30a7fb2d83570/analysis/

 

MALWARE PAYLOAD 2 OF 3

File name:  2014-04-03-FlashPack-EK-malware-payload-02.exe
File size:  92,539 bytes
MD5 hash:  e473d28c8f8f7718c802396d49cc7e42
Detection ratio:  10 / 51
First submission:  2014-04-03 18:37:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/81fdd1088c2f50e309f363c557886cfb6d56783b438e181b34dedd121e1e1702/analysis/

 

MALWARE PAYLOAD 3 OF 3

File name:  2014-04-03-FlashPack-EK-malware-payload-03.exe
File size:  142,353 bytes
MD5 hash:  eaa1d52d4048153c442586df897cb594
Detection ratio:  13 / 51
First submission:  2014-04-03 18:38:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7075af4eb2c5c4afce8be65467474b9cf844d8628cc15ba26d1a06a1932a754f/analysis/

 

ALERTS

ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 07:14:57 UTC - 78.157.209[.]194:80 - ET CURRENT_EVENTS Cushion Redirection
• 07:15:07 UTC - 78.157.209[.]194:80 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php
• 07:15:08 UTC - 78.157.209[.]194:80 - 192.168.204.211:49183 - ET CURRENT_EVENTS DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit
• 07:15:08 UTC - 78.157.209[.]194:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot
• 07:15:08 UTC - 78.157.209[.]194:80 - ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
• 07:15:08 UTC - 78.157.209[.]194:80 - ET WEB_CLIENT Hex Obfuscation of substr % Encoding
• 07:15:08 UTC - 78.157.209[.]194:80 - ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight Secondary Landing
• 07:15:08 UTC - 78.157.209[.]194:80 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 3
• 07:15:09 UTC - 78.157.209[.]194:80 - ET POLICY Outdated Windows Flash Version IE
• 07:15:12 UTC - 78.157.209[.]194:80 - ET CURRENT_EVENTS Payload Filename Used in Various 2014-0322 Attacks
• 07:15:13 UTC - 78.157.209[.]194:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack SilverLight Payload
• 07:15:14 UTC - 78.157.209[.]194:80 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download
• 07:15:14 UTC - 78.157.209[.]194:80 - ET INFO EXE - Served Inline HTTP
• 07:15:14 UTC - 78.157.209[.]194:80 - ET POLICY PE EXE or DLL Windows file download
• 07:15:30 UTC - 78.157.209[.]194:80 - ET INFO JAVA - Java Archive Download By Vulnerable Client
• 07:15:30 UTC - 78.157.209[.]194:80 - ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii
• 07:15:30 UTC - 78.157.209[.]194:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
• 07:15:31 UTC - 78.157.209[.]194:80 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby
• 07:15:31 UTC - 78.157.209[.]194:80 - ET POLICY Java EXE Download

 

Click here to return to the main page.