2014-05-19 - FLASHPACK EK FROM 95.154.246.90 - LEY9NBU9C4C5R3OIE3819IT.NS1.BAYANDOVMECI.COM

ASSOCIATED FILES:

NOTES:

PREVIOUS FLASHPACK EK TRAFFIC ON THIS BLOG:

CHAIN OF EVENTS

COMPROMISED WEBSITE:

FLASHPACK EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-05-19-FlashPack-EK-java-exploit.jar
File size:  10.2 KB ( 10408 bytes )
MD5 hash:  ad97fb241a7f8ec33d36a7735e5693d7
Detection ratio:  14 / 53
First submission:  2014-05-06 05:54:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/35e59f62804e8fe688c6536ce0007f7cf8b65dc7924fc6531b6b5d87603664f1/analysis/

SILVERLIGHT EXPLOIT (SENT AS FIRST .EOT FILE)

File name:  2014-05-19-FlashPack-EK-silverlight-exploit.xap
File size:  21.8 KB ( 22319 bytes )
MD5 hash:  0fdf64c3cdd5d592fdb357fbba5efeec
Detection ratio:  32 / 52
First submission:  2014-03-13 18:36:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/119fdd3aa3154ce53e8df0dcebfb9469fced6c76c1668cb0d8a1f98106a5ea98/analysis/

FIRST MALWARE FILE NOTED (SENT AS SECOND .EOT FILE)

File name:  2014-05-19-FlashPack-EK-additional-malware.dll
File size:  13.0 KB ( 13312 bytes )
MD5 hash:  cf2fa8cc3c623bb73f0c0b5e900caf1b
Detection ratio:  4 / 53
First submission:  2014-05-19 03:28:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/022e6fafdd99615167b44de20a70b21751748f27c4b50e9bc8425dc583f9b5b5/analysis/
Malwr link:  https://malwr.com/analysis/NjBlNDQ0MTBjMmMyNGVkYmJmNmQ2YjNlYzkxMDIwMDg/

MALWARE PAYLOAD

File name:  2014-05-19-FlashPack-EK-malware-payload.exe
File size:  92.3 KB ( 94514 bytes )
MD5 hash:  2c334e13dc255e9681fe6da907b94706
Detection ratio:  6 / 52
First submission:  2014-05-19 03:28:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6bd17b0439ff1605b420a866d155849d9fb140fe13ce5af9987db146e1518c95/analysis/
Malwr link:  https://malwr.com/analysis/YmE5NzYyZDA2NmVlNDhiOWE4OWNlNDQzNGZiYTgxZGM/

POST-INFECTION MALWARE DOWNLOADED

File name:  2014-05-19-FlashPack-EK-post-infection-malware.exe
File size:  133.3 KB ( 136536 bytes )
MD5 hash:  f5df5011d612471365edbd104862af6f
Detection ratio:  5 / 53
First submission:  2014-05-19 04:11:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3d9d1f64b013750aebd7d9395143baaa662dde16c1fde656e8cba8a61ba75307/analysis/
Malwr link:  https://malwr.com/analysis/NjJlODRlMTVhOTQ5NDYxNWE2OGYyZDQ1YWI3NTkyMDI/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats events:

Sourcefire VRT events:

HIGHLIGHTS FROM THE TRAFFIC

Redirect from compromised web server:

The rest of the traffic is similar to my previous blog post on FlashPack EK dated 2014-05-11 (link).

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.