2014-05-17 - FAKE FLASH UPDATER HOSTED ON 23.91.112.4 - PREUD-HOMME.BE

ASSOCIATED FILES:

NOTES:

BLOG ENTRIES SINCE I STARTED KEEPING TRACK:


TODAY'S TRAFFIC EXAMPLES

compromised website --> fake Flash updater notice --> site hosting the malware
www.arendator-nk.ru --> modernmarblebh.net --> preud-homme.be


compromised website --> fake Flash updater notice --> site hosting the malware
www.zurklanenpfleger.at --> elpadrinopizza.cl --> preud-homme.be
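The two chains above are read off the Referer headers in the pcap: the landing page on the compromised site refers to the fake-updater page, which in turn refers to the host serving FlashUpdater.exe. Below is an added example (my code, not part of the original post) that automates that walk over HTTP request records. The hostnames are the ones from this post; the URIs, timestamps and content types in the sample records are constructed placeholders, not values taken from the traffic.

```python
"""Reconstruct compromised-site --> updater-page --> malware-host chains by
walking Referer headers backwards from each executable download.

Added example for illustration; the sample records are constructed
(hostnames from the post, every URI/timestamp/content type assumed).
"""
from collections import namedtuple
from urllib.parse import urlsplit

Request = namedtuple("Request", "ts host uri referer content_type")

# Constructed sample log: two infection chains plus an unrelated request.
SAMPLE_REQUESTS = [
    Request("10:59:01", "www.arendator-nk.ru", "/", "", "text/html"),
    Request("10:59:02", "www.arendator-nk.ru", "/js/site.js",
            "http://www.arendator-nk.ru/", "application/javascript"),
    Request("10:59:03", "modernmarblebh.net", "/flash/index.php",
            "http://www.arendator-nk.ru/", "text/html"),
    Request("10:59:05", "preud-homme.be", "/FlashUpdater.exe",
            "http://modernmarblebh.net/flash/index.php", "application/x-msdownload"),
    Request("11:02:10", "www.zurklanenpfleger.at", "/", "", "text/html"),
    Request("11:02:12", "elpadrinopizza.cl", "/update/flash.php",
            "http://www.zurklanenpfleger.at/", "text/html"),
    Request("11:02:14", "preud-homme.be", "/FlashUpdater.exe",
            "http://elpadrinopizza.cl/update/flash.php", "application/x-msdownload"),
    Request("11:02:20", "www.example.org", "/favicon.ico", "", "image/x-icon"),
]

EXE_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream"}


def is_exe_download(req):
    """Flag a request as an executable download by content type or extension."""
    return req.content_type in EXE_CONTENT_TYPES or req.uri.lower().endswith(".exe")


def _key(host, path):
    """Normalise (host, path) so a Referer value matches the request that served it."""
    return (host or "").lower(), path or "/"


def referer_chain(requests, download):
    """Walk Referer headers back from `download` and return the hosts,
    landing page first and malware host last."""
    by_key = {}
    for r in requests:
        u = urlsplit("http://" + r.host + r.uri)
        by_key.setdefault(_key(u.hostname, u.path), r)  # keep the first occurrence

    hosts = [download.host]
    cur = download
    while cur is not None and cur.referer:
        ref = urlsplit(cur.referer)
        host = ref.hostname or ""
        if not host or host in hosts:
            break  # malformed Referer, or a loop: stop rather than spin
        hosts.append(host)
        # If the referring page itself was not captured, the walk ends here
        # with the host still recorded, which is the usual "partial chain".
        cur = by_key.get(_key(host, ref.path))
    hosts.reverse()
    return hosts


def find_chains(requests):
    """Return one host chain per executable download seen in the log."""
    return [referer_chain(requests, r) for r in requests if is_exe_download(r)]


def format_chain(hosts):
    """Render a chain in the notation used in this post."""
    return " --> ".join(hosts)


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_REQUESTS):
        print(format_chain(chain))
```

Referer is only a hint: it is stripped across HTTPS-to-HTTP transitions and by referrer-policy meta tags, so a chain that stops short of the compromised site is a gap in the headers, not proof that the download was a direct visit. When that happens, fall back to pairing requests by client IP and timing, which is what the pcap itself supports.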


TRAFFIC FROM SANDBOX ANALYSIS OF FAKE FLASH UPDATER


PRELIMINARY MALWARE ANALYSIS

FAKE FLASH UPDATER

File name:  FlashUpdater.exe
File size:  182.8 KB ( 187224 bytes )
MD5 hash:  c3b3985c1991782b6c868d56f7d282fc
SHA256 hash:  14ae5f1d9b7ab6a18755cf1e1b4cce43eac57e299ac5b69b7780d636232f349b
Detection ratio:  10 / 49
First submission:  2014-05-16 10:59:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/14ae5f1d9b7ab6a18755cf1e1b4cce43eac57e299ac5b69b7780d636232f349b/analysis/
Malwr link:  https://malwr.com/analysis/NzNlZDVjYjU0OGQ4NDE1ZjgzYTFkN2MyZjM2NmUxYWY/


SNORT EVENTS

NOTES:


Pre-infection events:

Post-infection events triggered from the Sourcefire VRT signature set:

Post-infection events triggered from the Emerging Threats signature set:


HIGHLIGHTS FROM THE TRAFFIC

Here's a path from the compromised website to the malware download:


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
