2014-07-02 - FAKE FLASH INSTALLER HOSTED ON - 191.238.33.50 - UPDATE1.AZUREWEBSITES.NET

ASSOCIATED FILES:


TODAY'S TRAFFIC EXAMPLE

compromised website --> fake Flash updater notice --> site hosting the malware
www.martinsolveig.com --> jrk.com.pl --> update1.azurewebsites.net
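
The three hosts in that chain (plus the 191.238.33.50 address and the FlashSetup.exe file name from the sections below) are the indicators a responder would sweep proxy logs for. The following is an added example, not code from the original post: a small Python matcher that parses Squid-style access log lines (the sample lines are constructed, not real traffic from this incident), matches on the request host rather than on a substring of the URL, and groups hits per client in time order so the redirect chain is visible. The IOC tables and the hostnames `cdn.example.net` / `example.org` used in the sample are assumptions for the example.

```python
"""Match the indicators from this traffic chain against web-proxy logs.

Added example, not part of the original post. The log lines below are
constructed to look like Squid "native" access.log entries; only the
domains, the IP address and the file name come from the post itself.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the post.
IOC_HOSTS = {
    "martinsolveig.com": "compromised website (entry point)",
    "jrk.com.pl": "fake Flash updater notice",
    "update1.azurewebsites.net": "site hosting the malware",
}
IOC_IPS = {"191.238.33.50": "update1.azurewebsites.net"}
IOC_FILES = {"flashsetup.exe": "fake Flash installer"}

# Squid native format:
# ts elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+$"
)

# Constructed sample log (not real traffic from the post). The last line
# carries an IOC domain only inside the path, which must NOT match.
SAMPLE_LOG = """\
1404311000.123    245 10.0.0.7 TCP_MISS/200 18422 GET http://www.martinsolveig.com/ - HIER_DIRECT/203.0.113.10 text/html
1404311000.987     97 10.0.0.7 TCP_MISS/200 2210 GET http://jrk.com.pl/flash/index.php - HIER_DIRECT/203.0.113.20 text/html
1404311002.440    612 10.0.0.7 TCP_MISS/200 151888 GET http://update1.azurewebsites.net/FlashSetup.exe - HIER_DIRECT/191.238.33.50 application/octet-stream
1404311003.001     40 10.0.0.9 TCP_HIT/200 5120 GET http://example.org/update1.azurewebsites.net.html - HIER_NONE/- text/html
"""


def host_matches(host, ioc_host):
    """True for the indicator host itself or any subdomain of it."""
    return host == ioc_host or host.endswith("." + ioc_host)


def classify(url, peer):
    """Return (indicator, description) for one request, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for ioc, desc in IOC_HOSTS.items():
        if host_matches(host, ioc):
            return ioc, desc
    if peer in IOC_IPS:  # direct-to-IP fetch, no matching Host header
        return peer, "connection to " + IOC_IPS[peer]
    fname = parts.path.rsplit("/", 1)[-1].lower()
    if fname in IOC_FILES:
        return fname, IOC_FILES[fname]
    return None


def find_hits(log_text):
    """Parse every log line and keep the ones that touch an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["url"], m["peer"])
        if hit:
            hits.append({"ts": float(m["ts"]), "client": m["client"],
                         "url": m["url"], "indicator": hit[0], "why": hit[1]})
    return hits


def chains(hits):
    """Group hits per client in time order so the redirect chain is visible."""
    by_client = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_client.setdefault(h["client"], []).append(h["indicator"])
    return by_client


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]:.3f} {h["client"]} {h["indicator"]:26} {h["why"]}  {h["url"]}')
    print(chains(found))
```

Matching on the parsed hostname (and its subdomains) rather than with a plain substring search is what keeps the fourth sample line, which merely mentions update1.azurewebsites.net in its path, from producing a false positive.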

TRAFFIC FROM SANDBOX ANALYSIS OF THE MALWARE

PRELIMINARY MALWARE ANALYSIS

FAKE FLASH INSTALLER:

File name:  FlashSetup.exe
File size:  148.3 KB ( 151888 bytes )
MD5 hash:  7e1024c3e45d7bd2ade7b4735215b739
Detection ratio:  3 / 52
First submission:  2014-07-01 15:10:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e19ec207ac169988de32d9b0f0276f621b536ec43cb0606833edab17de8481b9/analysis/1404261061/
Malwr link:  https://malwr.com/analysis/MjQ4ODAwMDI5YWZlNDgzNzgyNjI3MDllZGJmNWFkNmQ/

FOLLOW-UP MALWARE 1 OF 2

File name:  gotaninu.exe
File size:  128.0 KB ( 131072 bytes )
MD5 hash:  92e4ae6c8bf54538ec9f9fdeb503b595
Detection ratio:  2 / 54
First submission:  2014-07-02 00:49:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c09d81ff7c97c41c43bad4bd2fe38f94afa7e2ac995a7a37bd16011e70eb3e6f/analysis/1404262159/
Malwr link:  https://malwr.com/analysis/MWRiZDgzMzFlM2EyNGFkMmJkNWU2ZWQyZjcxNzU3NzI/

FOLLOW-UP MALWARE 2 OF 2

File name:  voretuke.exe
File size:  681.5 KB ( 697856 bytes )
MD5 hash:  50bcf4e85001e6a23c096784379f3793
Detection ratio:  14 / 54
First submission:  2014-07-02 00:49:35 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2cb127cf8e9591586ae213c9217009a47d4463b6e2bd212279a3f49cbca5b462/analysis/1404262175/
Malwr link:  https://malwr.com/analysis/ODMwNTgxNDIxZGQ2NGEyN2IxMGM3YTc0MWFkNWU3ODA/

SNORT EVENTS

SNORT EVENTS FROM INITIAL MALWARE DOWNLOAD:

The following Snort event, taken from Sguil on Security Onion, was triggered by the initial malware download:

SNORT EVENTS FROM SANDBOX ANALYSIS OF THE MALWARE:

I used tcpreplay on the Malwr.com sandbox analysis PCAP in Security Onion; however, I got several errors like:  Warning: Unable to send packet: Error with PF_PACKET send() [423]: Message too long (errno = 90).  I read the PCAP with Snort using the same rulesets on an Ubuntu setup (I couldn't figure out where the Snort alert file is on Security Onion).
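
On Linux, errno 90 is EMSGSIZE: a PF_PACKET send is rejected when the frame is longer than the replay interface's MTU plus the Ethernet header, and captures taken on hosts with segmentation offload enabled routinely contain such oversized frames. The following is an added example, not from the original post: a dependency-free Python script that parses a classic pcap file, lists the records whose captured length would not fit a given MTU, and writes a copy with those frames cut down to size (what tcprewrite's `--mtu-trunc` option does on the command line). The sample capture is constructed in memory from filler bytes; the record timestamps and the 1500-byte default MTU are assumptions for the example.

```python
"""Find (and truncate) frames in a pcap that exceed an interface MTU.

Added example, not from the original post. tcpreplay transmits caplen
bytes per record, so a record whose caplen exceeds MTU + 14 (Ethernet
header) fails with EMSGSIZE ("Message too long", errno 90 on Linux).
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE_AS_LE = 0xD4C3B2A1   # big-endian file read with "<I"
ETH_HDR = 14
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16


def build_pcap(frames, snaplen=262144):
    """Build a little-endian pcap (link type 1 = Ethernet) from raw frames."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))
    for i, frame in enumerate(frames):
        # Timestamps are assumed values, not taken from any real capture.
        out += struct.pack("<IIII", 1404261061 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def _endian(pcap):
    """Return the struct prefix matching the file's byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        return "<"
    if magic == PCAP_MAGIC_BE_AS_LE:
        return ">"
    raise ValueError("not a classic pcap file (pcapng is not handled here)")


def iter_packets(pcap):
    """Yield (index, ts_sec, ts_usec, caplen, origlen, data) per record."""
    end = _endian(pcap)
    off, idx = GLOBAL_HDR_LEN, 0
    while off + REC_HDR_LEN <= len(pcap):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from(end + "IIII", pcap, off)
        off += REC_HDR_LEN
        yield idx, ts_sec, ts_usec, caplen, origlen, pcap[off:off + caplen]
        off += caplen
        idx += 1


def oversized(pcap, mtu=1500):
    """Return [(index, caplen, origlen)] for records tcpreplay cannot send."""
    limit = mtu + ETH_HDR
    return [(i, cl, ol) for i, _, _, cl, ol, _ in iter_packets(pcap) if cl > limit]


def truncate_to_mtu(pcap, mtu=1500):
    """Return a copy of the pcap with every record cut to MTU + Ethernet header.

    origlen is preserved so tools can still see the frame was trimmed. The
    trimmed frames carry IP/TCP length fields that no longer match the data,
    which is fine for feeding an IDS but will not reassemble into full payloads.
    """
    end = _endian(pcap)
    limit = mtu + ETH_HDR
    out = bytearray(pcap[:GLOBAL_HDR_LEN])
    for _, ts_sec, ts_usec, caplen, origlen, data in iter_packets(pcap):
        data = data[:limit]
        out += struct.pack(end + "IIII", ts_sec, ts_usec, len(data), origlen)
        out += data
    return bytes(out)


# Constructed sample: a 60-byte frame, a 1514-byte frame (the largest that
# fits MTU 1500) and a 9014-byte frame such as a TSO-coalesced segment.
SAMPLE_PCAP = build_pcap([b"\x00" * 60, b"\x11" * 1514, b"\x22" * 9014])

if __name__ == "__main__":
    for idx, caplen, origlen in oversized(SAMPLE_PCAP):
        print(f"packet {idx}: caplen {caplen}, {origlen} on the wire, too long for MTU 1500")
    fixed = truncate_to_mtu(SAMPLE_PCAP)
    print("oversized records after truncation:", oversized(fixed))
```

Run `oversized()` against a sandbox PCAP before replaying it; if it reports anything, either replay the truncated copy or read the PCAP directly with `snort -r`, which has no MTU constraint.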

Emerging Threats and ETPRO rulesets:

Sourcefire VRT ruleset:

SCREENSHOTS FROM THE TRAFFIC

JavaScript from www.martinsolveig.com pointing to the fake Flash notification on jrk.com.pl:

Link from jrk.com.pl for the fake Flash installer malware download from update1.azurewebsites.net:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.