2014-04-13 - FLASHPACK EK FROM 176.102.37.55 - WEOIKCUS.ORG - JAVA EXPLOIT

ASSOCIATED FILES:

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

COMPROMISED WEBSITE AND REDIRECT

FLASHPACK EXPLOIT KIT

POST-INFECTION CALLBACK SEEN

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-04-13-FlashPack-EK-java-exploit.jar
File size:  24.1 KB ( 24685 bytes )
MD5 hash:  a951a5163fc0e11194f6b766f59ba9d3
Detection ratio:  4 / 51
First submission:  2014-04-13 02:51:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dbceb86e0e0abbbd5fc8792d41531e78127c13e855fb7ecf45416ef29a9ac3a5/analysis/1

 

MALWARE PAYLOAD

File name:  2014-04-13-FlashPack-EK-malware-payload.exe
File size:  176.4 KB ( 180662 bytes )
MD5 hash:  d8de2acdabc568ad18f11cbae6b6d042
Detection ratio:  7 / 51
First submission:  2014-04-13 02:51:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fab023590690785f359157910d0feee00cde9f5917711ca4c74c69e426eda9bf/analysis/
Malwr link:  https://malwr.com/analysis/YjNmMTNjOWNmNTk4NDYwYzlkMjhiODdiNzRiNGYzZGQ/
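Before working with the samples from the ZIP, it is worth confirming that what you extracted is what the page describes. The script below is an added example, not part of the original page or its archive: it checks each file against the byte count and MD5 listed above, and additionally against the SHA-256, which the page does not print but which is embedded in each VirusTotal link (VirusTotal keys file reports by SHA-256). The sample names and all expected values are taken from the page; the command-line handling is an assumption.

```python
"""Verify the FlashPack EK samples above against their published size, MD5 and SHA-256.

Added example (not the page's own tooling). Expected values come from the
PRELIMINARY MALWARE ANALYSIS section; the SHA-256 is recovered from the
VirusTotal URL rather than typed in by hand.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict

# VirusTotal file reports live at /file/<sha256>/analysis/...
VT_SHA256 = re.compile(r"/file/([0-9a-fA-F]{64})/")


@dataclass(frozen=True)
class Sample:
    name: str
    size: int
    md5: str
    vt_url: str

    @property
    def sha256(self) -> str:
        """Pull the SHA-256 out of the VirusTotal link."""
        m = VT_SHA256.search(self.vt_url)
        if not m:
            raise ValueError(f"no SHA-256 in VirusTotal URL for {self.name}")
        return m.group(1).lower()


# Values as listed on the page.
SAMPLES = [
    Sample("2014-04-13-FlashPack-EK-java-exploit.jar", 24685,
           "a951a5163fc0e11194f6b766f59ba9d3",
           "https://www.virustotal.com/en/file/dbceb86e0e0abbbd5fc8792d41531e78127c13e855fb7ecf45416ef29a9ac3a5/analysis/1"),
    Sample("2014-04-13-FlashPack-EK-malware-payload.exe", 180662,
           "d8de2acdabc568ad18f11cbae6b6d042",
           "https://www.virustotal.com/en/file/fab023590690785f359157910d0feee00cde9f5917711ca4c74c69e426eda9bf/analysis/"),
]


def check_sample(sample: Sample, data: bytes) -> Dict[str, bool]:
    """Return which of the published attributes the given bytes match.

    MD5 alone is a weak identifier (collisions are cheap), so the SHA-256
    from the VirusTotal link is checked as well.
    """
    return {
        "size": len(data) == sample.size,
        "md5": hashlib.md5(data).hexdigest() == sample.md5,
        "sha256": hashlib.sha256(data).hexdigest() == sample.sha256,
    }


def verify_files(paths: Dict[str, str]) -> Dict[str, Dict[str, bool]]:
    """Check each extracted file (sample name -> path on disk)."""
    by_name = {s.name: s for s in SAMPLES}
    results = {}
    for name, path in paths.items():
        with open(path, "rb") as fh:
            results[name] = check_sample(by_name[name], fh.read())
    return results


if __name__ == "__main__":
    # Assumed usage: python verify_samples.py <path-to-jar> <path-to-exe>
    import sys
    paths = dict(zip([s.name for s in SAMPLES], sys.argv[1:]))
    for name, checks in verify_files(paths).items():
        status = "OK" if all(checks.values()) else "MISMATCH"
        print(f"{status:8} {name} {checks}")
```

A size or hash mismatch usually means the archive was unpacked with the wrong tool or the file was modified by an on-access scanner, not that the page is wrong. Note also that the detection ratios above are from the first-submission time shown; re-scanning the same hashes today will give different numbers.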

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded javascript in the infected web page:

 

Redirect:

 

Java exploit:

 

Malware payload:

 

Post-infection callback traffic from the infected VM:
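The chain listed under CHAIN OF EVENTS and in the traffic highlights above (compromised site, redirect, FlashPack landing page, Java exploit, payload, callback) is the shape to hunt for in proxy logs. The script below is an added example, not part of the original page: it scans a web-proxy log for clients that fetched a Java archive and then an executable from the exploit-kit host. The only indicators it takes from the page are the IP 176.102.37.55 and the domain weoikcus.org; the log format, the URL paths and every log line are constructed for illustration, and the page's real landing-page and callback URLs (in its screenshots) are not reproduced here, so stages are matched on host plus served content type rather than on URL pattern.

```python
"""Find FlashPack EK infection chains in a web-proxy log.

Added example (not the page's own tooling). Log format and sample lines are
constructed; EK host indicators are from the page.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators from the page: exploit kit served from this IP / domain.
EK_HOSTS = {"weoikcus.org", "176.102.37.55"}

# Constructed log format: timestamp client method url content-type bytes
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<ctype>\S+) (?P<bytes>\d+)$"
)

# Constructed sample log: 192.168.1.10 walks the whole chain,
# 192.168.1.11 only loads the compromised site. Paths are placeholders.
SAMPLE_LOG = """\
2014-04-13T02:40:01Z 192.168.1.10 GET http://compromised.example/index.html text/html 5120
2014-04-13T02:40:02Z 192.168.1.10 GET http://weoikcus.org/landing-page text/html 8820
2014-04-13T02:40:04Z 192.168.1.10 GET http://weoikcus.org/exploit-file application/java-archive 24685
2014-04-13T02:40:06Z 192.168.1.10 GET http://176.102.37.55/payload-file application/octet-stream 180662
2014-04-13T02:41:00Z 192.168.1.11 GET http://compromised.example/index.html text/html 5120
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed proxy-log format, skipping lines that do not fit."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["bytes"] = int(e["bytes"])
        e["host"] = urlsplit(e["url"]).hostname
        events.append(e)
    return events


def ek_stage(event: dict) -> Optional[str]:
    """Classify a request to an EK host by what was served, not by URL pattern."""
    if event["host"] not in EK_HOSTS:
        return None
    ctype = event["ctype"].lower()
    if ctype in ("application/java-archive", "application/x-java-archive"):
        return "java-exploit"
    if ctype in ("application/octet-stream", "application/x-msdownload"):
        return "payload"
    return "landing"  # anything else from the EK host (e.g. the landing page)


def find_infections(events: List[dict]) -> Dict[str, List[str]]:
    """Return clients whose EK-host requests show a Java exploit followed by a payload.

    Events are assumed to be in timestamp order, as a proxy log normally is.
    """
    stages: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        s = ek_stage(e)
        if s:
            stages[e["client"]].append(s)
    hits = {}
    for client, seq in stages.items():
        if "java-exploit" in seq and "payload" in seq \
                and seq.index("java-exploit") < seq.index("payload"):
            hits[client] = seq
    return hits


if __name__ == "__main__":
    for client, seq in find_infections(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {' -> '.join(seq)}")
```

Host-based indicators like these age quickly, since exploit kit domains and IPs rotate; the value of the chain check is that it also surfaces a landing page followed by a JAR and an executable from a host you have not seen before, which is worth pulling the pcap for.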

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
