2014-07-18 - FLASHPACK EK FROM 88.80.186.247 - PISTOLEOR.TUSTILO.COM.AR

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

FLASHPACK EK:

NOTE:  [!] shows where the malware payload was delivered.

 

PRELIMINARY MALWARE ANALYSIS

FLASH FILE 1 OF 3:

File name:  32f79a11.swf
File size:  24.1 KB ( 24716 bytes )
MD5 hash:  7c2eda24dde273296164a3ff22b68b33
Detection ratio:  2 / 53
First submission:  2014-07-11 22:59:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ab19fe50198888d1f9a97066a138a5472604e618d9bb88dd66081348f770f3bf/analysis/

 

FLASH FILE 2 OF 3:

File name:  ee2fb77.swf
File size:  8.2 KB ( 8387 bytes )
MD5 hash:  7d24428037f9dbf5a5c93e87640ba171
Detection ratio:  0 / 54
First submission:  2014-07-18 01:58:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c7688f16d38ab4ac8bdea19a9eae890d6aaaa29b01c1007c1a6fc1e3031e3b51/analysis/

 

FLASH FILE 3 OF 3:

File name:  f2103.swf
File size:  28.7 KB ( 29384 bytes )
MD5 hash:  160cb833072ff661a653a688ce50e251
Detection ratio:  0 / 54
First submission:  2014-07-18 01:58:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9e412340a0fc114687917086d99147bb01188b6e815204e5fd6ee13502f810f4/analysis/

 

JAVA EXPLOIT:

File name:  dacff06.jar
File size:  29.5 KB ( 30256 bytes )
MD5 hash:  6937c8c52866b3534bba8d3a4a4f5bd0
Detection ratio:  13 / 53
First submission:  2014-07-14 07:32:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c66ae3f4f5ae8cd438377021a316fe1752631276a0bc24cf827bece8497f9918/analysis/

 

MALWARE PAYLOAD:

File name:  2014-07-18-FlashPack-EK-malware-pyaload.exe
File size:  156.5 KB ( 160256 bytes )
MD5 hash:  392e3285be49ce3ba1ba9f544fdca9cb
Detection ratio:  18 / 54
First submission:  2014-07-17 12:02:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0f400ecafb0130bec2dbdb02265595e4c5e8399f664bf5c367784e962ff93604/analysis/
Malwr link:  https://malwr.com/analysis/NWNjYmRiMmQzMThjNDNkYzk3ZDA2MTZiNGNmYzRmN2I/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including the ET INFO or ET POLICY signatures):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

NOTE: These Snort events were taken

 

SCREENSHOTS FROM THE TRAFFIC

Malicious iframe after the closing HTML tag from the compromised website:

 

Redirect pointing to the landing page for FlashPack EK:

 

Landing page for FlashPack EK:

 

HTTP GET requests for the 3 different Flash exploits seen in this traffic:

 

FlashPack EK sends the CVE-2013-2551 MSIE exploit:

 

FlashPack EK sends the Java exploit:

 

FlashPack EK sends the malware payload:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.