2014-07-19 - FLASHPACK EK FROM 88.80.191.252 - DUDELAKOS.ALLCARSMECHANICAL.COM

ASSOCIATED FILES:

 

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT CHAIN:

 

FLASHPACK EK:

[!] indicates where the malware payload was delivered (the same payload 4 times).

 

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

NOTE: The Flash and Java exploits today are the same ones seen in my blog entry on yesterday's FlashPack EK traffic (link).

File name:  2014-07-19-FlashPack-EK-flash-exploit-1-of-3.swf
VirusTotal link:  https://www.virustotal.com/en/file/c7688f16d38ab4ac8bdea19a9eae890d6aaaa29b01c1007c1a6fc1e3031e3b51/analysis/
File name:  2014-07-19-FlashPack-EK-flash-exploit-2-of-3.swf
VirusTotal link:  https://www.virustotal.com/en/file/9e412340a0fc114687917086d99147bb01188b6e815204e5fd6ee13502f810f4/analysis/
File name:  2014-07-19-FlashPack-EK-flash-exploit-3-of-3.swf
VirusTotal link:  https://www.virustotal.com/en/file/ab19fe50198888d1f9a97066a138a5472604e618d9bb88dd66081348f770f3bf/analysis/
File name:  2014-07-19-FlashPack-EK-java-exploit.jar
VirusTotal link:  https://www.virustotal.com/en/file/c66ae3f4f5ae8cd438377021a316fe1752631276a0bc24cf827bece8497f9918/analysis/

 

MALWARE PAYLOAD:

File name:  2014-07-19-FlashPack-EK-malware-payload.exe
File size:  78.2 KB ( 80127 bytes )
MD5 hash:  8b4229d8e153e98034cb3c9b3db716fb
Detection ratio:  8 / 53
First submission:  2014-07-19 20:15:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/764d4451a815b24079939f223d548eedf7c331966dba0d3aa91db5fb4a95560d/analysis/
Malwr link:  https://malwr.com/analysis/ZDk5YjZjNzg2YzE0NDUzYzk1ODc4MjBiNTQ3ZjQ2YTU/
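Added example (not part of the original post): the same payload was delivered four times in this traffic, so after carving the HTTP objects out of the pcap it helps to group them by hash before submitting anything. The script below does that and flags any object whose SHA-256 and size match the values published above. The blobs in SAMPLE_OBJECTS are constructed stand-ins, not the real payload, so nothing in them will match; the point is the grouping and the check. It matches on SHA-256 plus size rather than MD5 alone, since MD5 collisions are cheap to produce.

```python
import hashlib

# Values published on this page for the FlashPack EK malware payload.
KNOWN_PAYLOAD = {
    "size": 80127,
    "md5": "8b4229d8e153e98034cb3c9b3db716fb",
    "sha256": "764d4451a815b24079939f223d548eedf7c331966dba0d3aa91db5fb4a95560d",
}


def hash_bytes(data: bytes) -> dict:
    """Size plus MD5 and SHA-256 of one extracted object."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known(h: dict, known: dict = KNOWN_PAYLOAD) -> bool:
    """Match on SHA-256 and size; MD5 is reported for cross-referencing only."""
    return h["sha256"] == known["sha256"] and h["size"] == known["size"]


def triage_extracted(objects: dict) -> dict:
    """Group extracted objects by SHA-256.

    objects: {object_name: raw_bytes}, e.g. files carved from the pcap with
    Wireshark's Export Objects > HTTP. Returns {sha256: {...}} so that one
    payload delivered four times shows up once, with all four object names.
    """
    groups = {}
    for name, data in objects.items():
        h = hash_bytes(data)
        g = groups.setdefault(
            h["sha256"],
            {"size": h["size"], "md5": h["md5"], "names": [], "known_payload": matches_known(h)},
        )
        g["names"].append(name)
    return groups


# Constructed stand-ins (not the real payload): four identical blobs and one different one.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not the real 80127-byte payload"
SAMPLE_OBJECTS = {
    "object-07.exe": FAKE_PAYLOAD,
    "object-12.exe": FAKE_PAYLOAD,
    "object-19.exe": FAKE_PAYLOAD,
    "object-23.exe": FAKE_PAYLOAD,
    "object-03.swf": b"CWS\x0b" + b"\x00" * 16,   # constructed, not one of the real SWF exploits
}

if __name__ == "__main__":
    for sha, g in triage_extracted(SAMPLE_OBJECTS).items():
        flag = "KNOWN PAYLOAD" if g["known_payload"] else "unknown"
        names = ", ".join(g["names"])
        print(f"{sha[:16]}... md5={g['md5']} size={g['size']} x{len(g['names'])} {flag}: {names}")
```

To run it against a real capture, replace SAMPLE_OBJECTS with the carved files read from disk; anything flagged "unknown" is what still needs a VirusTotal lookup.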

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

SCREENSHOTS FROM THE TRAFFIC

A 404 Not found response from the website includes a malicious iframe that points to the first redirect:

 

The first redirect points to the second redirect on dora-explorer.co.uk:

 

First HTTP GET request to the Cushion redirection on dora-explorer.co.uk:

 

Second HTTP GET request to the dora-explorer.co.uk domain has a base64-encoded string pointing to the FlashPack EK domain:
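Added example (not code from the original post): the two pieces of the redirect chain shown in the screenshots, a 404 body carrying a hidden iframe and a dora-explorer.co.uk request with a base64-encoded string naming the EK host, can both be pulled out of a capture automatically. The script below finds off-site iframes in an HTTP body regardless of status code, then looks for URL path segments or query values that decode as base64 to printable text containing a hostname. The sample 404 body, the hostnames compromised.example and first-redirect.example, and the parameter name and placement of the base64 string are all constructed; the only names taken from this page are dora-explorer.co.uk and the EK host dudelakos.allcarsmechanical.com. It handles both the standard and URL-safe base64 alphabets and tokens with stripped padding.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

EK_HOST = "dudelakos.allcarsmechanical.com"   # from this page's title


class IframeFinder(HTMLParser):
    """Collect iframe src values from an HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for key, value in attrs:
                if key.lower() == "src" and value:
                    self.srcs.append(value)


def offsite_iframes(html_body: str, served_host: str) -> list:
    """iframe src URLs whose host differs from the site that served the body.

    Works on any response, including 404s: the status code says nothing about
    whether the body carries an injected iframe. Protocol-relative '//host/x'
    sources count as off-site; relative sources (no host) are skipped.
    """
    parser = IframeFinder()
    parser.feed(html_body)
    return [s for s in parser.srcs if urlparse(s).hostname and urlparse(s).hostname != served_host]


B64_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]+")
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def try_b64(token: str):
    """Decode token as base64 (standard or URL-safe, padding optional) if it yields printable ASCII."""
    t = token.strip()
    if len(t) < 8 or not B64_TOKEN.fullmatch(t):
        return None
    t = t.replace("-", "+").replace("_", "/").rstrip("=")
    if len(t) % 4 == 1:          # no valid base64 string has this length
        return None
    t += "=" * (-len(t) % 4)
    try:
        text = base64.b64decode(t, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def hidden_hosts(url: str) -> list:
    """Hostnames found inside base64-encoded path segments or query values of url."""
    parsed = urlparse(url)
    # Split the query by hand: parse_qs would turn '+' (a base64 character) into a space.
    candidates = [unquote(seg) for seg in parsed.path.split("/") if seg]
    for pair in parsed.query.split("&"):
        if pair:
            candidates.append(unquote(pair.split("=", 1)[1] if "=" in pair else pair))
    found = []
    for token in candidates:
        text = try_b64(token)
        if text:
            found.extend(m.group(1).lower() for m in HOST_RE.finditer(text))
    return found


# Constructed sample traffic (not from the capture).
SAMPLE_404_BODY = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<iframe src="http://first-redirect.example/go.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""
# Second hop, once with the EK host in a standard-base64 query value (padding kept)
# and once as a URL-safe, unpadded path segment. Parameter name 'id' is made up.
SAMPLE_SECOND_HOP_QUERY = "http://dora-explorer.co.uk/?id=" + base64.b64encode(EK_HOST.encode()).decode()
SAMPLE_SECOND_HOP_PATH = "http://dora-explorer.co.uk/" + base64.urlsafe_b64encode(
    f"http://{EK_HOST}/".encode()).decode().rstrip("=")

if __name__ == "__main__":
    print("iframes in 404 body:", offsite_iframes(SAMPLE_404_BODY, "compromised.example"))
    for u in (SAMPLE_SECOND_HOP_QUERY, SAMPLE_SECOND_HOP_PATH):
        print(u, "->", hidden_hosts(u))
```

Short random-looking tokens can occasionally decode to printable junk, which is why hidden_hosts only reports decoded text that actually contains a hostname; when reviewing a real capture, treat anything it returns as a lead to confirm against the next request in the flow, not as proof.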

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
