2014-05-11 - FLASHPACK EK FROM 82.146.41.116 - DG9SDGYKL.TRADE-E.COM

ASSOCIATED FILES:

PREVIOUS FLASHPACK EK TRAFFIC ON THIS BLOG:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

FLASHPACK EK:

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT (SENT AS THE FIRST EOT FILE):

File name:  2014-05-11-FlashPack-EK-silverlight-exploit.xap
File size:  21.8 KB ( 22319 bytes )
MD5 hash:  0fdf64c3cdd5d592fdb357fbba5efeec
Detection ratio:  30 / 52
First submission:  2014-03-13 18:36:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/119fdd3aa3154ce53e8df0dcebfb9469fced6c76c1668cb0d8a1f98106a5ea98/analysis/

ADDITIONAL MALWARE (DLL SENT AS SECOND EOT FILE AFTER THE SILVERLIGHT EXPLOIT):

File name:  2014-05-11-FlashPack-EK-additional-malware.exe
File size:  13.0 KB ( 13312 bytes )
MD5 hash:  007dfc8dff4337b815b1625e6840328d
Detection ratio:  3 / 52
First submission:  2014-05-11 02:36:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c388dae6c503dcf4967f8efc86d3b9824bc6da16ff2aeac622fadab056ff18dd/analysis/
Malwr link:  https://malwr.com/analysis/NWU0ZDRmNGE4MmFlNDMyZjk4MzU1OTRkZDk2MjYwZGQ/


NOTE: Renamed this DLL as an EXE to show the file info.

JAVA EXPLOIT:

File name:  2014-05-11-FlashPack-EK-java-exploit.jar
File size:  10.2 KB ( 10408 bytes )
MD5 hash:  ad97fb241a7f8ec33d36a7735e5693d7
Detection ratio:  13 / 52
First submission:  2014-05-06 05:54:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/35e59f62804e8fe688c6536ce0007f7cf8b65dc7924fc6531b6b5d87603664f1/analysis/

MALWARE PAYLOAD

File name:  2014-05-11-FlashPack-EK-malware-payload.exe
File size:  92.0 KB ( 94208 bytes )
MD5 hash:  5b9c1341fd980252166b31b3f5f65825
Detection ratio:  4 / 52
First submission:  2014-05-11 05:35:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f5b425e06e1db08b45b5be1813a59c97463404376175d540d8ce0ef4bbec4144/analysis/
Malwr link:  https://malwr.com/analysis/ODJhNmU0NjRhNzJjNDBiZDkyYzBhYjQ0NzI3MTJkNmM/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Embedded JavaScript in the infected web page:

Redirect:

First HTTP GET request for an EOT file returns a Silverlight exploit:

Second HTTP GET request for an EOT file returns the additional malware: a DLL file that has been XOR-ed with the ASCII character 9, along with other alterations.


I grabbed the deobfuscated DLL file from the user's AppData\Local\Temp directory.
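The single-byte XOR layer described above is easy to reverse and verify from a packet capture: XOR the downloaded "EOT" body with the key and check whether a valid MZ/PE header appears. The script below is an added example, not code from the original post. It only undoes the XOR-with-'9' (0x39) layer and ignores the "other alterations" the post mentions, and it works on constructed PE-shaped sample bytes rather than the real DLL. It goes one step beyond the post's specific case by brute-forcing all 256 single-byte keys and stopping at the one that yields a PE image, which is the usual triage move when the key is not known in advance.

```python
"""Added example (not from the original post): recover a single-byte XOR key
from an obfuscated Windows DLL by looking for the MZ/PE signatures.

The DLL in this infection was XOR-ed with ASCII '9' (0x39). The sample bytes
built by build_fake_pe() are constructed test data, not the real sample.
"""
from typing import Optional

MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (0-255)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ_SIGNATURE:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the first that yields a PE image.

    Key 0 is tried first, so an unobfuscated PE returns 0. Returns None when no
    key produces a consistent MZ + PE header (e.g. a different obfuscation).
    """
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed PE-shaped bytes: DOS header, DOS stub text, then 'PE\\0\\0'."""
    e_lfanew = 0x80
    dos_header = bytearray(0x40)
    dos_header[0:2] = MZ_SIGNATURE
    dos_header[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    dos_stub = DOS_STUB_TEXT.ljust(e_lfanew - 0x40, b"\x00")
    return bytes(dos_header) + dos_stub + PE_SIGNATURE + b"\x00" * 16


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Triage a file carved from the pcap (hypothetical path given on the CLI).
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # Offline demo: obfuscate the constructed sample the same way the post describes.
        blob = xor_bytes(build_fake_pe(), ord("9"))

    key = recover_xor_key(blob)
    if key is None:
        print("no single-byte XOR key produced a PE header")
    else:
        print(f"single-byte XOR key: 0x{key:02x} ({chr(key)!r})")
        decoded = xor_bytes(blob, key)
        print(f"decoded header: {decoded[:2]!r}, stub text present: {DOS_STUB_TEXT in decoded}")
```

Run it with no arguments to see the constructed sample recover key 0x39, or pass the path of a body carved from the second EOT response to test a real download. A None result means the file is either not a PE or is protected by more than a single-byte XOR, which matches the post's note about "other alterations".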


First time the malware payload is sent, due to the Silverlight exploit.  Note the HTTP GET request for loadsilver.php:

Java exploit is sent:

Successful Java exploit returns the same malware payload a second time.

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
