2014-04-12 - FLASHPACK EK FROM 176.102.37.55 - KLIFTPRES.COM - MSIE/JAVA/FLASH EXPLOITS

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

COMPROMISED WEBSITE AND REDIRECT

FLASHPACK EXPLOIT KIT

NOTE: Lines with ** indicate the exploits to be used. msie.php is for the CVE-2014-0322 MSIE exploit, java.php is for a Java exploit, and flash.php is for the Flash exploit. In this case, only one EXE payload was seen, and it was delivered by the Java exploit.

POST-INFECTION CALLBACK SEEN

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-04-12-FlashPack-EK-flash-exploit.swf
File size:  7.1 KB ( 7234 bytes )
MD5 hash:  1e8106124d101c8db9fd0ed665b92d4b
Detection ratio:  6 / 51
First submission:  2014-03-06 17:37:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c45e373b4da129ae711bdf3844dd08384b4229a3bb348d84f2dd13f610d65988/analysis/

JAVA EXPLOIT

File name:  2014-04-12-FlashPack-EK-java-exploit.jar
File size:  9.5 KB ( 9690 bytes )
MD5 hash:  e5c7b0714c4735d4df40d55f9d73cbb1
Detection ratio:  13 / 51
First submission:  2014-03-06 17:37:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e918479fc7a46f45a65d3726eae336a6b6d3c4b9b13906d2dcf7ca96ab2e02d/analysis/

MALWARE PAYLOAD

File name:  2014-04-12-FlashPack-EK-malware-payload.exe
File size:  165.7 KB ( 169632 bytes )
MD5 hash:  572cf584eef6896b26a76cf13a8aed6b
Detection ratio:  6 / 51
First submission:  2014-04-12 05:47:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2c350462eaf6c24d035c36765e51e0bce591e547658e2d863161ce11ae477f4c/analysis/
Malwr link:  https://malwr.com/analysis/NWU5NzE3NjQ5NzMxNDI2Y2JiYmVlNGRmMzczY2ZjOGU/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Embedded JavaScript in the infected web page:

Redirect:

Flash exploit chain (not completed):

Flash-assisted MSIE exploit chain (not completed):

Java exploit chain (delivered EXE):

Post-infection callback traffic seen from the infected VM:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
