2014-06-18 - FAKE FLASH INSTALLER HOSTED ON 191.238.33.50 - UPDATEPLUGIN.AZUREWEBSITES.NET

ASSOCIATED FILES:

BLOG ENTRIES SINCE I STARTED KEEPING TRACK:


TODAY'S TRAFFIC EXAMPLE

compromised website --> fake Flash updater notice --> site hosting the malware
lapelsa.com.ar --> bolsadelavivienda.com --> updateplugin.azurewebsites.net


TRAFFIC FROM SANDBOX ANALYSIS OF THE MALWARE


PRELIMINARY MALWARE ANALYSIS

FAKE FLASH UPDATER:

File name:  FlashInstaller.exe
File size:  179.3 KB ( 183632 bytes )
MD5 hash:  ae9769ed150f23d1ad1089ce8d4a7a30
SHA256 hash:  8e3be02eadc2cbe899bef97f83218212ed428454efb63f21e9b7f5bd07996654 (taken from the VirusTotal link below, which keys on SHA256)
Detection ratio:  21 / 54
First submission:  2014-06-17 13:24:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e3be02eadc2cbe899bef97f83218212ed428454efb63f21e9b7f5bd07996654/analysis/
Malwr link:  https://malwr.com/analysis/NGM1MzA2NjY4OTExNDRjOTkwMDdlNGMyOTNlOWExNWU/


FOLLOW-UP MALWARE FROM MALWR.COM ANALYSIS PCAP:


SNORT EVENTS

SNORT EVENTS FOR THE INITIAL TRAFFIC (from Sguil on Security Onion):


FROM TCPREPLAY ON PCAP FROM MALWR.COM:


SCREENSHOTS FROM THE TRAFFIC

Compromised website (lapelsa.com.ar):


First HTTP GET request to the fake Flash notification domain (bolsadelavivienda.com):


Second HTTP GET request to the fake Flash notification domain that contains link to the malware:


HTTP GET request to retrieve the fake Flash installer:

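The screenshots above show the chain being pieced together by hand: the compromised site refers the browser to the fake Flash notification domain, and the second request there carries the link to the installer. The script below is an added example (not part of the original post or its pcaps) that does the same walk automatically from the Referer headers of HTTP request records. The three hostnames are the ones named in this post; the URI paths, timestamps and record layout are constructed for the example, and the Adobe/Macromedia allowlist is an assumption about where a genuine Flash installer would come from.

```python
"""Rebuild a compromised-site -> fake-update-notice -> payload-host chain
from HTTP request records by walking Referer headers backwards from the
.exe download.

Added example, not code from the original post. SAMPLE_LOG is constructed:
hostnames are from the post, paths/timestamps are invented. Layout mimics
`tshark -T fields -e frame.time_relative -e http.host -e http.request.uri -e http.referer`
with a '-' where no Referer header was present.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class HttpRequest:
    ts: str
    host: str
    uri: str
    referer: Optional[str]  # full Referer URL, or None


# Constructed sample traffic (tab-separated fields).
SAMPLE_LOG = """\
0.000\tlapelsa.com.ar\t/\t-
0.412\tbolsadelavivienda.com\t/flash/index.php\thttp://lapelsa.com.ar/
1.903\tbolsadelavivienda.com\t/flash/update.php?v=2\thttp://bolsadelavivienda.com/flash/index.php
4.771\tupdateplugin.azurewebsites.net\t/FlashInstaller.exe\thttp://bolsadelavivienda.com/flash/update.php?v=2
"""

# Assumed allowlist: where a legitimate Flash installer would be served from.
ADOBE_DOMAINS = ("adobe.com", "macromedia.com")
# "Flash...exe" in the file name of the request path.
INSTALLER_RE = re.compile(r"flash[^/]*\.exe$", re.IGNORECASE)


def parse_log(text: str) -> List[HttpRequest]:
    """Parse tab-separated 'ts host uri referer' records; '-' means no Referer."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, uri, referer = line.split("\t")
        reqs.append(HttpRequest(ts, host.lower(), uri, None if referer == "-" else referer))
    return reqs


def _key(host: str, uri: str) -> str:
    return host.lower() + uri


def find_fake_flash_downloads(reqs: List[HttpRequest]) -> List[HttpRequest]:
    """Requests for a Flash-named .exe from a host that is not an Adobe domain."""
    hits = []
    for r in reqs:
        name = r.uri.split("?", 1)[0].rsplit("/", 1)[-1]
        trusted = any(r.host == d or r.host.endswith("." + d) for d in ADOBE_DOMAINS)
        if INSTALLER_RE.search(name) and not trusted:
            hits.append(r)
    return hits


def referer_chain(reqs: List[HttpRequest], target: HttpRequest) -> List[HttpRequest]:
    """Walk Referer headers back from target; returns the requests oldest first.
    Stops at a request with no Referer, an unseen URL, or a loop."""
    by_key: Dict[str, HttpRequest] = {_key(r.host, r.uri): r for r in reqs}
    chain = [target]
    seen = {_key(target.host, target.uri)}
    cur = target
    while cur.referer:
        p = urlsplit(cur.referer)
        uri = p.path or "/"
        if p.query:
            uri += "?" + p.query
        k = _key(p.hostname or "", uri)
        prev = by_key.get(k)
        if prev is None or k in seen:
            break
        seen.add(k)
        chain.append(prev)
        cur = prev
    chain.reverse()
    return chain


def domain_chain(chain: List[HttpRequest]) -> List[str]:
    """Collapse consecutive requests to the same host into one hop."""
    hosts: List[str] = []
    for r in chain:
        if not hosts or hosts[-1] != r.host:
            hosts.append(r.host)
    return hosts


if __name__ == "__main__":
    requests = parse_log(SAMPLE_LOG)
    for hit in find_fake_flash_downloads(requests):
        print(" --> ".join(domain_chain(referer_chain(requests, hit))))
```

Run against the constructed sample it prints the same three-hop chain written out under "TODAY'S TRAFFIC EXAMPLE". On a real capture the Referer walk breaks wherever a hop used a meta refresh or JavaScript redirect that strips the Referer, so treat a chain that ends early as a prompt to check the preceding response body, not as proof there was no earlier hop.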

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
