2014-05-03 - ANOTHER FAKE FLASH UPDATER HOSTED ON MICROSOFT ONEDRIVE

PCAP AND MALWARE:

MY PREVIOUS BLOG ENTRIES ON THIS CAMPAIGN:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

SANDBOX ANALYSIS TRAFFIC


PRELIMINARY MALWARE ANALYSIS

FAKE FLASH UPDATER

File name:  FlashUpdater94309.exe
File size:  234.0 KB ( 239616 bytes )
MD5 hash:  6e477bca2eca90f8a84c35a679967562
Detection ratio:  5 / 52
First submission:  2014-05-02 22:34:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/58d6e6a26a39bb48e673993fa50dcab6c8c7bd011fa8ee5675137b0363ef82b3/analysis/


MALWARE DOWNLOADED IN SANDBOX ANALYSIS (1 OF 3)

File name:  aveksynkens.exe
File size:  746.0 KB ( 763904 bytes )
MD5 hash:  86220875882e3c69629e3deb0af0dce7
Detection ratio:  2 / 52
First submission:  2014-05-03 06:42:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b930491c9dcdc82b027a0f86df7520e3fc3330a5687d3068b093df2acdfd0c79/analysis/


MALWARE DOWNLOADED IN SANDBOX ANALYSIS (2 OF 3)

File name:  inexsabit.exe
File size:  92.9 KB ( 95084 bytes )
MD5 hash:  5475b6a26b191a7e897bc3ab281ee7fe
Detection ratio:  3 / 52
First submission:  2014-05-02 23:46:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8005acade3f75f8c77b71a2346902cc30eef1018016e497db07cc2281de3380d/analysis/


MALWARE DOWNLOADED IN SANDBOX ANALYSIS (3 OF 3)

File name:  nukotobne.exe
File size:  87.9 KB ( 89960 bytes )
MD5 hash:  4a1d57ca7daddd5e8c20d68f65324864
Detection ratio:  8 / 52
First submission:  2014-05-03 00:39:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1026dd3dc882fc191ca291ddc5ce83f40584f633552c01b8eab0b77d2ce278b6/analysis/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


SNORT EVENTS FOR THE SANDBOX ANALYSIS PCAP (using tcpreplay on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

Malicious code in web page from compromised server:


retenestenup.com.ar/misc/bxqm87hb.php?html=27 - Links to malware on Microsoft OneDrive:


First item of callback traffic:


More HTTP GET requests for malware:


Some of the other callback traffic:


FINAL NOTES

Once again, here are links for PCAPs and associated malware:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
