2014-05-11 - TODAY'S FAKE FLASH UPDATER HOSTED ON MICROSOFT ONEDRIVE

ASSOCIATED FILES:

 

MICROSOFT ONEDRIVE IP ADDRESSES HOSTING THE MALWARE:

 

BLOG ENTRIES SINCE I STARTED KEEPING TRACK:

 

NOTES:

 

TODAY'S EXAMPLES

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
go3studio.us --> www.gsflaw.de --> 1lpwjw.blu.livefilestore.com

HTTPS link from fake Flash updater notice:

 

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.uselesstalent.nl --> 27.50.96.160 --> lpwjw.bl3302.livefilestore.com

HTTPS link from fake Flash updater notice:

 

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.paleochora-rooms.gr --> www.genera-group.com --> 1lpwjw.bl3301.livefilestore.com

HTTPS link from fake Flash updater notice:

 

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
szig-gep.hu --> www.genera-group.com --> 1lpwjw.bl3302.livefilestore.com

HTTPS link from fake Flash updater notice:

 

PRELIMINARY MALWARE ANALYSIS

File name:  FlashUpdater86829.exe
File size:  254.8 KB ( 260952 bytes )
MD5 hash:  88e6335017cbc0a14a7304276971437d
Detection ratio:  7 / 52
First submission:  2014-05-11 01:50:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d73ff7e72b556daf17549bb1672229ea2c5ad0a3b3d5fb53d89b8f01cb07f6de/analysis/
Malwr link:  https://malwr.com/analysis/Yzg0YTUyMjZmODAyNDc2MTg1Y2I2OWFiYzFkYzFmNmY/
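As an added example (not part of the original post), a small Python scan over constructed proxy-log lines that flags the chain shown above: a FlashUpdater<digits>.exe download from a *.livefilestore.com host with a referer outside Microsoft's own domains, or any file whose MD5 matches the sample analysed here. The log format, the URL paths and the benign lines are assumptions; the hostnames and the MD5 come from this post.

```python
import re
from urllib.parse import urlsplit

# Known-bad MD5 of FlashUpdater86829.exe, taken from the analysis section of this post.
KNOWN_BAD_MD5 = {"88e6335017cbc0a14a7304276971437d"}
# The fake updater in this campaign is named FlashUpdater<digits>.exe.
FAKE_UPDATER_RE = re.compile(r"/FlashUpdater\d+\.exe$", re.IGNORECASE)
# OneDrive download hosts seen above: <id>.blu / .bl3301 / .bl3302 .livefilestore.com
ONEDRIVE_HOST_RE = re.compile(r"\.livefilestore\.com$", re.IGNORECASE)
# Referers from these suffixes are normal OneDrive browsing, not a fake-updater notice.
MICROSOFT_SUFFIXES = (".live.com", ".livefilestore.com", ".microsoft.com")

# Constructed proxy log: "timestamp client host path referer md5" ("-" when absent); paths are made up.
SAMPLE_LOG = """\
2014-05-11T02:10:11Z 10.0.0.5 www.gsflaw.de /flash/update.html http://go3studio.us/ -
2014-05-11T02:10:14Z 10.0.0.5 1lpwjw.blu.livefilestore.com /y1pXYZ/FlashUpdater86829.exe http://www.gsflaw.de/flash/update.html 88e6335017cbc0a14a7304276971437d
2014-05-11T02:11:02Z 10.0.0.7 1lpwjw.bl3302.livefilestore.com /y1pABC/FlashUpdater90210.exe http://www.genera-group.com/ -
2014-05-11T02:12:30Z 10.0.0.9 qwerty.bl3301.livefilestore.com /y1pDEF/report.pdf https://onedrive.live.com/ d41d8cd98f00b204e9800998ecf8427e
2014-05-11T02:13:45Z 10.0.0.9 cdn.example.net /tools/FlashUpdater12345.exe https://cdn.example.net/ -
"""

def parse_line(line):
    """Split one log line into a dict; malformed lines return None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, host, path, referer, md5 = parts
    return {"ts": ts, "client": client, "host": host.lower(),
            "path": path, "referer": referer, "md5": md5.lower()}

def classify(ev):
    """Return a reason when the event matches the chain in this post, else None."""
    if ev["md5"] in KNOWN_BAD_MD5:
        return "known-bad MD5"
    if not FAKE_UPDATER_RE.search(ev["path"]):
        return None
    ref_host = urlsplit(ev["referer"]).hostname or ""
    if ONEDRIVE_HOST_RE.search(ev["host"]) and not ref_host.endswith(MICROSOFT_SUFFIXES):
        return "FlashUpdater exe from OneDrive, third-party referer"
    return "FlashUpdater-style executable download"

def find_hits(log_text):
    """Scan log text; return (client, host, reason) for every suspicious event."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        reason = classify(ev) if ev else None
        if reason:
            hits.append((ev["client"], ev["host"], reason))
    return hits
```

The referer check matters because legitimate OneDrive downloads also come from *.livefilestore.com; the fake-updater chain is distinguished by the third-party referer and the FlashUpdater naming.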

 

TRAFFIC FROM MALWR.COM SANDBOX ANALYSIS PCAP

 

SNORT EVENTS

EXAMPLE OF SNORT EVENTS FOR THE INITIAL TRAFFIC (from Sguil on Security Onion)

 

SNORT EVENTS

SNORT EVENTS FROM THE SANDBOX ANALYSIS PCAP

 

NOTE: Had some issues playing back the PCAP using tcpreplay in Security Onion.  69 out of 1144 packets failed, so I'm not sure if the list of events above is complete.

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
