2014-05-06 - FLASHPACK EK FROM 89.121.252.70 - LCHHMBA.COM

ASSOCIATED FILES:

PREVIOUS FLASHPACK EK TRAFFIC ON THIS BLOG:


CHAIN OF EVENTS

FLASHPACK EK:

POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-05-06-FlashPack-EK-java-exploit.jar
File size:  10.2 KB ( 10408 bytes )
MD5 hash:  ad97fb241a7f8ec33d36a7735e5693d7
Detection ratio:  5 / 52
First submission:  2014-05-06 05:54:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/35e59f62804e8fe688c6536ce0007f7cf8b65dc7924fc6531b6b5d87603664f1/analysis/


SILVERLIGHT EXPLOIT (SENT AS FIRST .EOT FILE)

File name:  2014-05-06-FlashPack-EK-silverlight-exploit.xap
File size:  21.8 KB ( 22319 bytes )
MD5 hash:  0fdf64c3cdd5d592fdb357fbba5efeec
Detection ratio:  30 / 52
First submission:  2014-03-13 18:36:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/119fdd3aa3154ce53e8df0dcebfb9469fced6c76c1668cb0d8a1f98106a5ea98/analysis/


FIRST MALWARE FILE NOTED (SENT AS SECOND .EOT FILE)

File name:  2014-05-06-FlashPack-EK-malware-01.dll
File size:  13.0 KB ( 13312 bytes )
MD5 hash:  2ecd2f198f4c2ef219c7c20f07213c1a
Detection ratio:  3 / 52
First submission:  2014-05-06 05:58:35 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9481f5aef96d811fd497bc9cfd579419bec035771c0ffc181f794dd9fabb819d/analysis/
Malwr link:  https://malwr.com/analysis/YjUyYzM5NmYyYzMzNGIxYWJhMDg2ZDNjNGViMTkxYzE/


MALWARE PAYLOAD

File name:  2014-05-06-FlashPack-EK-malware-payload.exe
File size:  104.4 KB ( 106937 bytes )
MD5 hash:  4e59aff2917f5185573624260853d73d
Detection ratio:  4 / 52
First submission:  2014-05-06 05:55:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b18b10d43482e1eae6c51fab4c15b42e76a72555f3545a3412a2b69c217e08cf/analysis/
Malwr link:  https://malwr.com/analysis/ZDMxMjk3ZWFhYjRkNGFkMmE2ODdhMTk4ZDE0MWU1ODg/


LAST MALWARE DOWNLOADED

File name:  2014-05-06-FlashPack-EK-post-infection-malware.exe
File size:  149.9 KB ( 153510 bytes )
MD5 hash:  a3cfa670cd32cce347cea317f5c23f89
Detection ratio:  11 / 52
First submission:  2014-05-06 05:59:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d6d701353be6799ff518f6f3bde9edb3304d688341f854705af10b5024f0fc79/analysis/
Malwr link:  https://malwr.com/analysis/YjgxZjUzODM4YzNjNDg3OTg4YzAwNjJlOWU1N2M5YWQ/
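The listing above shows the two FlashPack tricks a triage script can catch without signatures: the Silverlight exploit and the first DLL are served under an .eot (embedded font) extension, and every file's MD5 and SHA256 (the latter taken from the VirusTotal URLs) is known. The script below is an added example, not code from this blog: it classifies a downloaded blob by its leading bytes (PE, Java .jar, Silverlight .xap, or a real EOT font via the 0x504C magic number at offset 34), flags a mismatch against the extension the server claimed, and looks the hashes up in the IOC table built from the entries above. The URL paths and byte blobs in the demo are constructed for the example.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Indicators copied from the listing above: MD5 and the SHA256 in each VirusTotal URL.
IOCS = {
    "ad97fb241a7f8ec33d36a7735e5693d7": "FlashPack EK Java exploit (.jar)",
    "35e59f62804e8fe688c6536ce0007f7cf8b65dc7924fc6531b6b5d87603664f1": "FlashPack EK Java exploit (.jar)",
    "0fdf64c3cdd5d592fdb357fbba5efeec": "FlashPack EK Silverlight exploit (.xap, sent as first .eot)",
    "119fdd3aa3154ce53e8df0dcebfb9469fced6c76c1668cb0d8a1f98106a5ea98": "FlashPack EK Silverlight exploit (.xap, sent as first .eot)",
    "2ecd2f198f4c2ef219c7c20f07213c1a": "FlashPack EK malware-01.dll (sent as second .eot)",
    "9481f5aef96d811fd497bc9cfd579419bec035771c0ffc181f794dd9fabb819d": "FlashPack EK malware-01.dll (sent as second .eot)",
    "4e59aff2917f5185573624260853d73d": "FlashPack EK malware payload (.exe)",
    "b18b10d43482e1eae6c51fab4c15b42e76a72555f3545a3412a2b69c217e08cf": "FlashPack EK malware payload (.exe)",
    "a3cfa670cd32cce347cea317f5c23f89": "post-infection malware (.exe)",
    "d6d701353be6799ff518f6f3bde9edb3304d688341f854705af10b5024f0fc79": "post-infection malware (.exe)",
}

# What each claimed extension should actually contain.
EXPECTED_KIND = {"eot": "eot", "jar": "java-jar", "xap": "silverlight-xap",
                 "exe": "pe", "dll": "pe"}


def sniff(data: bytes) -> str:
    """Classify a blob by content, ignoring the extension the server used."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        # .jar and .xap are both ZIP containers; look inside to tell them apart.
        try:
            names = [n.lower() for n in zipfile.ZipFile(io.BytesIO(data)).namelist()]
        except zipfile.BadZipFile:
            return "zip"
        if "appmanifest.xaml" in names:
            return "silverlight-xap"
        if any(n.endswith(".class") for n in names):
            return "java-jar"
        return "zip"
    # EOT header: MagicNumber 0x504C (little-endian) sits at offset 34.
    if len(data) >= 36 and data[34:36] == b"\x4c\x50":
        return "eot"
    return "unknown"


def match_ioc(data: bytes) -> Optional[str]:
    """Return the IOC label if the MD5 or SHA256 of data is in the table."""
    for h in (hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()):
        if h in IOCS:
            return IOCS[h]
    return None


def check_download(url_path: str, data: bytes) -> dict:
    """Triage one HTTP response body against its claimed extension and the IOC list."""
    ext = url_path.rsplit(".", 1)[-1].lower() if "." in url_path else ""
    kind = sniff(data)
    expected = EXPECTED_KIND.get(ext)
    return {
        "path": url_path,
        "ext": ext,
        "kind": kind,
        "mismatch": expected is not None and expected != kind,
        "ioc": match_ioc(data),
    }


def make_zip(names) -> bytes:
    """Build a small ZIP container with the given member names (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"x")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples mimicking the pattern in the listing above.
    samples = [
        ("/fonts/a1b2.eot", make_zip(["AppManifest.xaml"])),   # .xap sent as .eot
        ("/fonts/c3d4.eot", b"MZ" + b"\x00" * 62),              # DLL sent as .eot
        ("/fonts/real.eot", b"\x00" * 34 + b"\x4c\x50\x00\x00"),  # genuine EOT header
    ]
    for path, blob in samples:
        print(check_download(path, blob))
```

Run against extracted HTTP objects from the pcap (e.g. Wireshark's "Export Objects" output) by calling check_download with the request path and body; any .eot whose content sniffs as a ZIP or PE is worth a closer look even when its hash is not yet on the IOC list.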


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
