2014-08-11 - PORN-RELATED SUBDOMAINS OF SOURCEFORGE.NET LEAD TO FLASHPACK EK

ASSOCIATED FILES:

NOTES:

Search query used to find the subdomains:  site:sourceforge.net nude tube fake

URL pattern of the porn-related sourceforge.net pages:

[random characters].sourceforge.net/[random characters][2-digit number].html
or:
[random characters].sourceforge.net/[2-digit number].html
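To turn the URL pattern above into something you can hunt for in proxy logs, here is an added example (my own code, not part of the original post or the traffic capture). It matches a single-label sourceforge.net subdomain plus a path of optional random characters, exactly two digits and ".html", and skips a small allowlist of non-project sourceforge.net hosts. The subdomain names, client IPs, and the "timestamp client_ip method url" log format are all constructed for the example; the allowlist is an assumption you would extend for your own environment.

```python
import re
from urllib.parse import urlsplit

# Page-level pattern noted in the post:
#   [random characters].sourceforge.net/[random characters][2-digit number].html
#   [random characters].sourceforge.net/[2-digit number].html
SUBDOMAIN_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.sourceforge\.net$", re.IGNORECASE)
# Lazy stem so that exactly two digits must sit directly before ".html".
LANDING_PATH_RE = re.compile(r"^/(?P<stem>[a-z0-9]*?)(?P<num>[0-9]{2})\.html$", re.IGNORECASE)

# Hosts under sourceforge.net that are not project subdomains.
# Assumption: extend this allowlist for your own environment.
KNOWN_HOSTS = {"sourceforge.net", "www.sourceforge.net", "downloads.sourceforge.net"}


def classify_url(url):
    """Return match details for a URL that fits the landing-page pattern, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in KNOWN_HOSTS or not SUBDOMAIN_RE.match(host):
        return None
    m = LANDING_PATH_RE.match(parts.path)
    if not m:
        return None
    return {"host": host, "path": parts.path, "page_number": m.group("num")}


def hunt_proxy_log(lines):
    """Scan constructed 'timestamp client_ip method url' lines and return the hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of aborting the hunt
        ts, client, _method, url = fields[:4]
        info = classify_url(url)
        if info:
            hits.append({"timestamp": ts, "client": client, **info})
    return hits


# Constructed sample log: subdomain names and client addresses are made up.
SAMPLE_LOG = [
    "1407762000.101 192.0.2.10 GET http://abc123xyz.sourceforge.net/qwe12.html",
    "1407762001.202 192.0.2.10 GET http://abc123xyz.sourceforge.net/54.html",
    "1407762002.303 192.0.2.11 GET http://downloads.sourceforge.net/project/foo/foo.zip",
    "1407762003.404 192.0.2.12 GET http://someproject.sourceforge.net/index.html",
    "1407762004.505 192.0.2.12 GET http://example.com/12.html",
    "garbage line",
]

if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_LOG):
        print(hit)
```

The pattern alone is a hunting query, not a blocking rule: legitimate projects also live at projectname.sourceforge.net, so treat a hit as something to pivot on (client, referer, what was fetched next) rather than as an alert by itself.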



CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE:


FLASHPACK EK:

NOTE:  a .jar file was sent in reply to the last HTTP GET request; however, I could not extract it from the PCAP.


POST-INFECTION TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT 1 OF 3

File name:  1fc0bb.swf
File size:  30.8 KB ( 31561 bytes )
MD5 hash:  addf1b50218673c6656f516915a84f26
Detection ratio:  0 / 52
First submission:  2014-08-11 13:39:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/45fd4a3d15fc76b930caa50c5c46fb6c6c896a1fb8e07e75dbbf8b9804fd8617/analysis/


FLASH EXPLOIT 2 OF 3

File name:  a156d81.swf
File size:  8.2 KB ( 8396 bytes )
MD5 hash:  4bcff12446b61f6c7ba7ba0fdcf9b33e
Detection ratio:  1 / 43
First submission:  2014-08-11 13:39:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cd01023dd60906ae0ab41be212b6d5b657b44f4bed55fd7cf5d9d5897f4d5520/analysis/


FLASH EXPLOIT 3 OF 3

File name:  b29d5.swf
File size:  9.3 KB ( 9563 bytes )
MD5 hash:  e752688cabd3647591790729b5f13128
Detection ratio:  1 / 53
First submission:  2014-08-11 13:39:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/392645985008ba54fb3d1bb6161f728e95b7bb2762699d680fcbe70be02578f1/analysis/


MALWARE PAYLOAD

File name:  2014-08-11-FlashPack-EK-malware-payload.exe
File size:  73.4 KB ( 75139 bytes )
MD5 hash:  e51be47fdf68be5b2b283ea07c3c6394
Detection ratio:  3 / 53
First submission:  2014-08-11 13:40:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/501ee698d66b20cb9a93f340577410cfde7167cff75b676d9343e36f19b0e7b3/analysis/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
