2014-06-23 - FLASHPACK EK FROM 46.21.159.163

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

COMPROMISED WEBSITE AND REDIRECT:

SUCCESSFUL INFECTION - IE 8 ONLY - CVE-2013-2551 EXPLOIT - FIRST RUN:

SUCCESSFUL INFECTION - IE 8 ONLY - CVE-2013-2551 EXPLOIT - SECOND RUN:

NO INFECTION - IE 10 WITH UP-TO-DATE JAVA (7 UPDATE 60) AND UP-TO-DATE FLASH (14.0.0.125):

SUCCESSFUL INFECTION - IE 11 WITH OUT-OF-DATE JAVA (7 UPDATE 21) AND OUT-OF-DATE FLASH (12.0.0.38):

NOTE:  Lines marked [!] are where the malware payload was delivered.

EXAMPLE OF POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH FILES NOTED:


JAVA EXPLOIT (SAME AS LAST WEEK):

File name:  2014-06-23-FlashPack-EK-java-exploit.jar
File size:  9.7 KB ( 9975 bytes )
MD5 hash:  565455c6f073356edcafa56763550e3a
Detection ratio:  6 / 54
First submission:  2014-06-16 17:49:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f3ffe3750c49e5600af1adfb9c64b17195b330be26ff868f04e3a0aa3448a553/analysis/


MALWARE PAYLOAD:

File name:  2014-06-23-FlashPack-EK-malware-payload.exe
File size:  97.0 KB ( 99328 bytes )
MD5 hash:  bceb0c2fc290e456f2e63282bc7d2271
Detection ratio:  3 / 54
First submission:  2014-06-23 19:31:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4091d335b5ad0340357173a28ee7006a430a406e6be8aafd65d739cf6d52a588/analysis/
Malwr link:  https://malwr.com/analysis/MDdjMTM2ZTIwOGNmNDUzNGE5ZWQzMmQzNTg4MDg0N2Q/
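Before working with the samples from the ZIP, an analyst normally confirms that what was unpacked is what the post describes. The script below is an added example (not code from the original post or from malware-traffic-analysis.net) that checks a file's size, MD5 and SHA256 against the two records above; the SHA256 is not listed directly on the page, so it is parsed out of the VirusTotal URL. The sample bytes used in the self-test are constructed stand-ins, not the real exploit or payload.

```python
"""Verify local sample files against the indicators published in the post.

Added example, not part of the original page. The IOCS table is copied from
the two file records above; the regex assumes the VirusTotal URL layout
https://www.virustotal.com/<lang>/file/<sha256>/analysis/ shown on the page.
"""
import hashlib
import os
import re
from typing import Dict, Optional

# Indicators copied from the page. SHA256 is carried only inside the VT link.
IOCS: Dict[str, dict] = {
    "2014-06-23-FlashPack-EK-java-exploit.jar": {
        "md5": "565455c6f073356edcafa56763550e3a",
        "size": 9975,
        "vt": "https://www.virustotal.com/en/file/"
              "f3ffe3750c49e5600af1adfb9c64b17195b330be26ff868f04e3a0aa3448a553/analysis/",
    },
    "2014-06-23-FlashPack-EK-malware-payload.exe": {
        "md5": "bceb0c2fc290e456f2e63282bc7d2271",
        "size": 99328,
        "vt": "https://www.virustotal.com/en/file/"
              "4091d335b5ad0340357173a28ee7006a430a406e6be8aafd65d739cf6d52a588/analysis/",
    },
}

# Matches the 64-hex SHA256 in a VT file URL, with or without a language prefix.
VT_SHA256 = re.compile(r"virustotal\.com/(?:[a-z]{2}/)?file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url: str) -> Optional[str]:
    """Return the lowercase SHA256 embedded in a VirusTotal file URL, or None."""
    m = VT_SHA256.search(url)
    return m.group(1).lower() if m else None


def make_record(data: bytes) -> dict:
    """Build an indicator record (md5/sha256/size) for bytes you hold yourself."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def check_sample(name: str, data: bytes, ioc: Optional[dict] = None) -> dict:
    """Compare a sample's size/MD5/SHA256 with its published record.

    `ioc` defaults to the page's record for `name`; a record may give the SHA256
    directly or via the VirusTotal URL. Returns one boolean per field plus an
    overall `verified` flag that is True only if every available field agrees.
    """
    ioc = ioc if ioc is not None else IOCS[name]
    actual = make_record(data)
    expected_sha256 = ioc.get("sha256") or sha256_from_vt_url(ioc.get("vt", ""))
    result = {
        "name": name,
        "size_match": actual["size"] == ioc["size"],
        "md5_match": actual["md5"] == ioc["md5"].lower(),
        # If no SHA256 is available at all, treat the field as not checkable.
        "sha256_match": (actual["sha256"] == expected_sha256) if expected_sha256 else None,
    }
    checks = [v for k, v in result.items() if k.endswith("_match") and v is not None]
    result["verified"] = all(checks)
    return result


def check_file(path: str) -> dict:
    """Read a file from disk and check it against the record for its basename."""
    with open(path, "rb") as fh:
        return check_sample(os.path.basename(path), fh.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        r = check_file(p)
        print(("OK  " if r["verified"] else "BAD ") + r["name"], r)
```

Run it as `python check_samples.py 2014-06-23-FlashPack-EK-malware-payload.exe` from the directory where the ZIP was extracted; a `BAD` line means the file on disk is not the one the post documents (truncated download, wrong archive, or a renamed file), and analysis should stop until that is resolved.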


SNORT EVENTS - IE 8 INFECTION

NOTE: These Snort events were taken from Sguil on Security Onion


SNORT EVENTS - IE 11 INFECTION


SCREENSHOTS OF THE TRAFFIC

Embedded JavaScript in page from compromised website:


Redirect pointing to FlashPack EK:


FlashPack EK delivers payload on VM running only IE 8 (after sending CVE-2013-2551 exploit):


FlashPack EK delivers payload on VM running IE 11 after Flash exploit:


FlashPack EK delivers same payload again on the same VM running IE 11 after Java exploit:


Here's the Flash exploit sent for the failed infection attempt on the IE 10 VM with up-to-date Flash and Java:


Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
