2014-05-19 - FAKE FLASH UPDATER HOSTED ON DL.DROPBOXUSERCONTENT.COM

ASSOCIATED FILES:

NOTES:

BLOG ENTRIES SINCE I STARTED KEEPING TRACK:


TODAY'S TRAFFIC EXAMPLES

compromised website --> fake Flash updater notice --> site hosting the malware
vexpress.com.ar --> www.gesic.clt --> dl.dropboxusercontent.com


compromised website --> fake Flash updater notice --> site hosting the malware
www.knottednest.ca --> smartcup.com --> dl.dropboxusercontent.com


compromised website --> fake Flash updater notice --> site hosting the malware
www.jmnrwec.edu.in --> 97.74.250.91 --> dl.dropboxusercontent.com
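As an added example (not from the original post), the script below reconstructs that three-hop chain from Referer headers in proxy-log entries and flags an executable with a Flash-themed file name fetched from dl.dropboxusercontent.com. The log entries, client addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy-log entries, one per request, mirroring the third chain above:
# compromised site -> fake Flash updater notice -> dl.dropboxusercontent.com.
SAMPLE_LOG = [
    {"client": "10.0.0.5", "host": "www.jmnrwec.edu.in", "path": "/index.html",
     "referer": "", "ctype": "text/html"},
    {"client": "10.0.0.5", "host": "97.74.250.91", "path": "/flash/update.php",
     "referer": "http://www.jmnrwec.edu.in/index.html", "ctype": "text/html"},
    {"client": "10.0.0.5", "host": "dl.dropboxusercontent.com",
     "path": "/s/abc123/InstallerFlash.exe",
     "referer": "http://97.74.250.91/flash/update.php", "ctype": "application/octet-stream"},
    {"client": "10.0.0.9", "host": "dl.dropboxusercontent.com", "path": "/s/xyz/report.pdf",
     "referer": "", "ctype": "application/pdf"},   # benign download, no lure chain
]

FILE_HOSTS = {"dl.dropboxusercontent.com"}          # file-hosting services seen in the chains
FLASH_LURE = re.compile(r"flash", re.IGNORECASE)    # matches names like InstallerFlash.exe
EXE_PATH = re.compile(r"\.exe$", re.IGNORECASE)

def referer_host_path(referer):
    """Split a Referer URL into (host, path); path defaults to '/'."""
    m = re.match(r"https?://([^/]+)(/.*)?", referer)
    return (m.group(1), m.group(2) or "/") if m else None

def rebuild_chain(entries, final):
    """Walk Referer headers backwards from `final` through one client's requests."""
    by_key = {(e["host"], e["path"]): e for e in entries}
    chain, seen, cur = [final], {(final["host"], final["path"])}, final
    while cur["referer"]:
        key = referer_host_path(cur["referer"])
        if key is None or key in seen or key not in by_key:
            break                     # unknown or looping referer: stop here
        cur = by_key[key]
        seen.add(key)
        chain.insert(0, cur)
    return chain

def find_fake_updater_chains(log):
    """Return (client, [host+path, ...]) for each suspected fake-updater download."""
    per_client = defaultdict(list)
    for e in log:
        per_client[e["client"]].append(e)
    hits = []
    for client, entries in per_client.items():
        for e in entries:
            if e["host"] in FILE_HOSTS and EXE_PATH.search(e["path"]):
                chain = rebuild_chain(entries, e)
                # need the intermediate notice page (3 hops) and a Flash-themed file name
                if len(chain) >= 3 and FLASH_LURE.search(e["path"]):
                    hits.append((client, [h["host"] + h["path"] for h in chain]))
    return hits
```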


TRAFFIC FROM FAKE FLASH UPDATER INFECTING A VM

The sandbox analysis on Malwr.com didn't show any post-infection traffic, so I ran the malware in a VM and got the following:


PRELIMINARY MALWARE ANALYSIS

FAKE FLASH UPDATER

File name:  InstallerFlash.exe
File size:  216.3 KB ( 221528 bytes )
MD5 hash:  7f97715f36faee799ced8bf5b5e6bcf7
Detection ratio:  3 / 52
First submission:  2014-05-19 12:19:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d9b17c9384504806425c33f010dcb91dd98161ab2f6e043beda13d55a15c0ebf/analysis/
Malwr link:  https://malwr.com/analysis/M2ZiMDNmYjdlYjI4NDg0YWExMDRmYjA2NzdkN2NhNGE/


FOLLOW-UP MALWARE 1 OF 3

File name:  agivenlike.exe
File size:  153.5 KB ( 157192 bytes )
MD5 hash:  76cc6e8d38dc4dd7fe7c39d5e6d6347c
Detection ratio:  1 / 52
First submission:  2014-05-20 01:01:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/18513e3f4cedc1905c176c7c09b8654c9b2f964fe1f07a605f8676b7e994a601/analysis/
Malwr link:  https://malwr.com/submission/status/Zjk2MDkwOGMwYjJlNDI0Mjk0YjVkNWI3YWVkZGU5NjI/ (analysis pending)


FOLLOW-UP MALWARE 2 OF 3

File name:  griyeacomours.exe
File size:  138.5 KB ( 141836 bytes )
MD5 hash:  e8ef066c0428f73a070cf9a5bcdfba1b
Detection ratio:  1 / 52
First submission:  2014-05-20 01:10:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8b7bd426585a9b9d114ce9f474d35c5fc6b95f094f0affbbf059199577cc371f/analysis/
Malwr link:  https://malwr.com/submission/status/MzIzY2RiM2ZlNzM4NDhlNmIwYjhlYTlmZDhlYjMxOTk/ (analysis pending)


FOLLOW-UP MALWARE 3 OF 3

File name:  yoshowstra.exe
File size:  514.0 KB ( 526336 bytes )
MD5 hash:  23dc2c46bd7f94703390bdee9bd4a8a2
Detection ratio:  9 / 52
First submission:  2014-05-20 01:11:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/89e1d05560f606ed74f061df6aa86f44d3bbe13d827ad6fb314023bf8a7acd77/analysis/
Malwr link:  https://malwr.com/analysis/NTVkMDIxNzhiNzEwNDc0ZmJmZTIxODAwNzRiMGI4NjQ/


SNORT EVENTS

PRE-INFECTION EVENTS:

EVENTS SEEN FROM RUNNING THE MALWARE IN A VM (monitored by Security Onion):

Emerging Threats ruleset:

Sourcefire VRT ruleset:


HIGHLIGHTS FROM THE TRAFFIC

Taken from the last example--from the compromised website to the fake Flash updater notification:


From the initial URL of the fake Flash updater notification to the next URL in the chain of events:


The fake Flash updater notification JavaScript that contains links to the malware in the Dropbox account:


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
