ASSOCIATED FILES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT:


FLASHPACK EK:


POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOITS:

File name: 2014-07-23-FlashPack-EK-flash-exploit-01.swf
File size: 8.2 KB (8387 bytes)
MD5 hash: 7d24428037f9dbf5a5c93e87640ba171
Detection ratio: 2 / 52
First submission: 2014-07-18 01:58:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/ccbb1670756811d550f4f624e036c61898a0f2b99418adae01f48584a819160c/analysis/

File name: 2014-07-23-FlashPack-EK-flash-exploit-02.swf
File size: 8.9 KB (9079 bytes)
MD5 hash: b4015d0ab77c92881691d60cdf1cc69c
Detection ratio: 0 / 53
First submission: 2014-07-24 00:49:25 UTC
VirusTotal link: https://www.virustotal.com/en/file/ccbb1670756811d550f4f624e036c61898a0f2b99418adae01f48584a819160c/analysis/


MALWARE PAYLOAD:

File name: 2014-07-23-FlashPack-EK-malware-payload.exe
File size: 79.7 KB (81639 bytes)
MD5 hash: d67be8ace8999067e95322990a71c3b2
Detection ratio: 27 / 53
First submission: 2014-07-23 02:04:00 UTC
VirusTotal link: https://www.virustotal.com/en/file/20786294a971bb33527e8444c86233078c242f1dbb00334fe2d9df59aa8de62b/analysis/
Malwr link: https://malwr.com/analysis/MTJlMTg0Y2U4ZDhhNDhmOTgyYWU1MzVlZjdiN2E2YTQ/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:


TRAFFIC LEADING TO FLASHPACK EK

apps.emol.com/bt/rdb.pram.v1.js?0.7233000217373398


apps.emol.com/social/geo/lookup.js?0.5267611857696085?callback=json1406079977174


ae6t91t1amist11vbnbrux7535453e0a0c09589142bb43a6ef699596.1911censusuk.net/index2.php


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
