2014-05-29 - FLASHPACK EK FROM 37.230.117.89 - FAHHDFG.UYY95.COM

ASSOCIATED FILES:

PREVIOUS FLASHPACK EK TRAFFIC ON THIS BLOG:

 

CHAIN OF EVENTS

FAILED INFECTION PATH:

SUCCESSFUL INFECTION PATH TO FLASHPACK EK:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-05-29-FlashPack-EK-flash-exploit.swf
File size:  27.2 KB ( 27835 bytes )
MD5 hash:  712c6f1ee2c34b2990105346a7594c49
Detection ratio:  2 / 53
First submission:  2014-05-21 15:12:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ec6bced5f9d8b436cb00bfbf1710df65b60774ca086196472c66d76c45ac7c9b/analysis/

File name:  2014-05-29-FlashPack-EK-flash-exploit-uncompressed.swf
File size:  41.2 KB ( 42235 bytes )
MD5 hash:  951ab1bd44b0a7037d37e948403319ac
Detection ratio:  1 / 53
First submission:  2014-05-29 07:31:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d0bc873a873c17bcb85191aa15d8a04ec2b2448f6a37c8899d4abb6c871f7bdd/analysis/

 

JAVA EXPLOIT

File name:  2014-05-29-FlashPack-EK-java-exploit.jar
File size:  9.9 KB ( 10177 bytes )
MD5 hash:  3a3f7c0cb8915613f55be65659f5dc58
Detection ratio:  14 / 52
First submission:  2013-11-27 22:04:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e1eab121381faec86cb3762bea02d72bb899e9867ab402c06d95c55b26ccfe4a/analysis/

 

MALWARE PAYLOAD

File name:  2014-05-29-FlashPack-EK-malware-payload.exe
File size:  87.0 KB ( 89088 bytes )
MD5 hash:  913f0d60ff4f3bb5ab1d0dccc6fbc7ee
Detection ratio:  5 / 52
First submission:  2014-05-29 07:29:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c52c23618138bc766d3c7d9c170d23a6e7ef698a1613d9339a5fdb1e690efb04/analysis/
Malwr link:  https://malwr.com/analysis/MTZmY2VjMjEyYjNhNDE0NmFlZDBlNGY2YzhjNzE0ZGE/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats ruleset:

Sourcefire VRT ruleset:

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious JavaScript in a page from the compromised website:

 

Redirect:

 

FlashPack EK delivers CVE-2013-2551 MSIE exploit:

 

FlashPack EK delivers Flash exploit:

 

FlashPack EK delivers Java exploit:

 

The same EXE payload sent after each successful exploit:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
