2014-04-24 - FAKE FLASH UPDATE FROM 217.26.210.127 (WWW.WIZARDCOMPUTERS.RS) POINTS TO MALWARE ON MICROSOFT ONEDRIVE IP

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC

NOTE: Items marked [!] returned malware

PRELIMINARY MALWARE ANALYSIS

INITIAL MALWARE - FAKE FLASH UPDATER

File name:  FlashUpdater.exe
File size:  118.0 KB ( 120832 bytes )
MD5 hash:  68e4b27d5e790979bccea0d8e93a5b9f
Detection ratio:  13 / 51
First submission:  2014-04-23 18:37:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0d911b2072c3c67758e059012030c31b0dcb6e0248d34f365a4cf4e29b331ad9/analysis
Malwr link:  https://malwr.com/analysis/OGVkZDg1N2YwNGU4NDA3NmJhMmQyYTU3NDYxNzMxMGQ/

FOLLOW-UP MALWARE - 1 OF 3

File name:  2014-04-24-follow-up-malware-01.exe
File size:  108.0 KB ( 110596 bytes )
MD5 hash:  315cf0d5defe6c0327acdecae563ecfc
Detection ratio:  7 / 51
First submission:  2014-04-24 00:34:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4b7573badb96227700bc8b16574f3f4d5fa788a9d49f04655cdf909b26ac6f5b/analysis/
Malwr link:  https://malwr.com/analysis/MmVjOTkyYzYzMzY0NDk5MmFhNGFhM2JhNjIyNjI1Yjg/

FOLLOW-UP MALWARE - 2 OF 3

File name:  2014-04-24-follow-up-malware-02.exe
File size:  1.0 MB ( 1092608 bytes )
MD5 hash:  599d9dddd040ee1f4b38574d98ffdc78
Detection ratio:  11 / 51
First submission:  2014-04-24 06:23:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/00e6f3f97c7fe262065f7f35d95262b5267c0ce0b8f336d08d763558f40a0d86/analysis/
Malwr link:  https://malwr.com/analysis/NGEyM2Q2OTBmNDVmNDk2Mzg4MjAyYjBlNTJkMjM4N2E/

FOLLOW-UP MALWARE - 3 OF 3

File name:  2014-04-24-follow-up-malware-03.exe
File size:  120.0 KB ( 122880 bytes )
MD5 hash:  a0143204646ece052057a450e71f2213
Detection ratio:  5 / 51
First submission:  2014-04-24 06:24:22 UTC
VirusTotal link: 
Malwr link:  https://malwr.com/analysis/ZmY4NDBiNGM2Y2M4NGQxNWJiMDc4NjYwZGExYTkwNmI/

FOLLOW-UP MALWARE DELIVERED ASPROX-STYLE

File name:  UpdateFlashPlayer_5098f33b.exe
File size:  164.0 KB ( 167936 bytes )
MD5 hash:  d6a802bb37242e03142c0697160815a7
Detection ratio:  9 / 51
First submission:  2014-04-23 22:13:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ee222faf4d1dea89df6d7dc8d52fc8bc0c0527e41883fb2e658e900995666e1b/analysis/
Malwr link:  https://malwr.com/analysis/ZmIwMzlkNzA3YWMzNGU2ZTgyYzAwY2VjMzk2ZWIwZjU/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

The two HTTP GET requests for JavaScript files from www.truecamping.com.au either returned malicious code:

Or had the same malicious code appended to the end of the legitimate JavaScript:

That malicious JavaScript from www.truecamping.com.au pointed to www.wizardcomputers.rs, which generated a fake Flash updater popup window:

The link to download the fake Flash updater pointed to malware hosted on a Microsoft OneDrive IP address:

One of the follow-up GET requests for more malware returned a 404 Not Found. The response also contained JavaScript that triggered a Snort event for a malicious 8x8 script tag:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
