2014-04-17 - FLASHPACK EK FROM 178.33.85.108 - GECEKIYAFETLERI.GEN.TR

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


SCREENSHOTS

Here's what was returned from the HTTP GET request for flash2014.php. Unfortunately, this wasn't part of the infection chain for my VM.


The infection happened through a Silverlight exploit. Below is a spam message sent from my infected VM; it's similar to the example in ESET's publication about Operation Windigo (link):


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
