2014-05-14 - TODAY'S FAKE FLASH UPDATER HOSTED ON MICROSOFT ONEDRIVE

ASSOCIATED FILES:

 

MICROSOFT ONEDRIVE IP ADDRESSES SEEN HOSTING TODAY'S MALWARE:

 

BLOG ENTRIES SINCE I STARTED KEEPING TRACK:

 

TODAY'S TRAFFIC EXAMPLES

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.allmemories.com.ar --> estudiobonzo.com.ar --> rvok3w.by3301.livefilestore.com

HTTPS link from fake Flash updater notice:

 

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
excelhost.com.au --> glasgowminibuses.co.uk --> rvok3w.bay.livefilestore.com

HTTPS link from fake Flash updater notice:

 

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.abbruch-schille.de --> johnsoncontracting.org --> rvok3w.bay.livefilestore.com

HTTPS link from fake Flash updater notice:

 

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
freezeengineers.co.in --> 85.214.64.33 --> rvok3w.bay.livefilestore.com

HTTPS link from fake Flash updater notice:

 

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.studio-creatief.nl --> bair.com.ua --> rvok3w.bay.livefilestore.com

HTTPS link from fake Flash updater notice:

 

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.tamerhosny.ws --> www.viscure.eu --> rvok3w.bay.livefilestore.com

 

compromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
hbo.gr --> collectiveintelligence.net --> rvok3w.bay.livefilestore.com

HTTPS link from fake Flash updater notice:

 
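The chains above all share one shape: a compromised site, a page on a second host that shows the fake Flash updater notice, and a download of the executable from a livefilestore.com host. The following Python script is an added example, not part of the original post, that reconstructs that chain from proxy log lines by following Referer hosts backwards and flags executable downloads from the OneDrive hosts listed above. The log format, the client IPs and the request paths are constructed for the example; the hostnames, file name, size and MD5 are the ones reported in this post. It also includes a hash/size check against the sample from the preliminary analysis section.

```python
"""
Added example (not code from the original post): detect the
compromised-site -> fake-updater -> OneDrive chain in proxy logs.
"""
import hashlib
import re

# Indicators taken from the post's traffic examples and analysis section.
ONEDRIVE_HOSTS = {
    "rvok3w.bay.livefilestore.com",
    "rvok3w.by3301.livefilestore.com",
}
FAKE_UPDATER_HOSTS = {
    "estudiobonzo.com.ar", "glasgowminibuses.co.uk", "johnsoncontracting.org",
    "85.214.64.33", "bair.com.ua", "www.viscure.eu", "collectiveintelligence.net",
}
KNOWN_MD5 = "f5af9d1881cf5470121bb994ea95ed9c"   # from the post
KNOWN_SIZE = 182616                                # bytes, from the post

# Constructed log format: client host path referer_host status bytes
# Client IPs and paths are made up; hostnames come from the post.
SAMPLE_LOG = """\
10.0.0.5 www.allmemories.com.ar /index.php - 200 14211
10.0.0.5 estudiobonzo.com.ar /flash/update.html www.allmemories.com.ar 200 3321
10.0.0.5 rvok3w.by3301.livefilestore.com /download/FlashUpdater60598.exe estudiobonzo.com.ar 200 182616
10.0.0.7 www.example.org /news.html - 200 9120
10.0.0.7 get.adobe.com /flashplayer/ www.example.org 200 5000
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, host, path, referer, status, size = m.groups()
        records.append({
            "client": client, "host": host, "path": path,
            "referer": None if referer == "-" else referer,
            "status": int(status), "size": int(size),
        })
    return records


def reconstruct_chain(records, download):
    """Follow Referer hosts backwards from a download to the first site visited.

    One record per host is kept per client (the last one seen), which is
    enough to show the site -> updater notice -> OneDrive shape.
    """
    by_host = {r["host"]: r for r in records if r["client"] == download["client"]}
    chain = [download["host"]]
    seen = set(chain)
    cur = download
    while cur is not None and cur["referer"] and cur["referer"] not in seen:
        seen.add(cur["referer"])
        chain.insert(0, cur["referer"])
        cur = by_host.get(cur["referer"])
    return chain


def find_fake_updater_downloads(records):
    """Flag .exe downloads from the OneDrive hosts and attach the redirect chain."""
    alerts = []
    for r in records:
        if r["host"] in ONEDRIVE_HOSTS and r["path"].lower().endswith(".exe"):
            alerts.append({
                "client": r["client"],
                "chain": reconstruct_chain(records, r),
                "file": r["path"].rsplit("/", 1)[-1],
                "size": r["size"],
                "known_updater_host": r["referer"] in FAKE_UPDATER_HOSTS,
            })
    return alerts


def matches_known_sample(data):
    """True if a captured payload has the size and MD5 reported in the post."""
    return len(data) == KNOWN_SIZE and hashlib.md5(data).hexdigest() == KNOWN_MD5


if __name__ == "__main__":
    for alert in find_fake_updater_downloads(parse_log(SAMPLE_LOG)):
        print(alert["client"], " --> ".join(alert["chain"]), alert["file"])
```

The size field is worth keeping in the alert: a download of exactly 182616 bytes from a livefilestore.com host in a chain like the ones above is a strong match for this sample, while `matches_known_sample` can confirm it when the payload itself was captured.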

PRELIMINARY MALWARE ANALYSIS

File name:  FlashUpdater60598.exe
File size:  178.3 KB ( 182616 bytes )
MD5 hash:  f5af9d1881cf5470121bb994ea95ed9c
Detection ratio:  9 / 43
First submission:  2014-05-13 14:03:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/132e6e1ef6d011d05da6f033498121bbe926cfa6ede1e69f4131684944fbe455/analysis/
Malwr link:  https://malwr.com/analysis/NzcwYzhlYjA5YWM5NDNhYTkwYmUzMThhYTQ4YjQ2Yzc/

 

TRAFFIC FROM SANDBOX ANALYSIS

 

SNORT EVENTS

EXAMPLE OF SNORT EVENTS FOR THE TRAFFIC (from Sguil on Security Onion)

 

SNORT EVENTS FROM THE SANDBOX ANALYSIS

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
