2014-08-21 - FLASHPACK EK - 178.79.153.5 (LIFEGADON.AMI-CRED.COM.AR) & 85.159.214.193 (PROSUHEL.FIVEHOKIES.COM)

ASSOCIATED FILES:

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT - FIRST RUN:

FLASHPACK EK - FIRST RUN:

 

COMPROMISED WEBSITE AND REDIRECT - SECOND RUN:

FLASHPACK EK - SECOND RUN:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOITS:

File name:  2014-08-21-FlashPack-EK-flash-exploit-first-run-1-of-3.swf
File name:  2014-08-21-FlashPack-EK-flash-exploit-second-run-1-of-2.swf  (same file served in both runs; one hash below)
File size:  8.2 KB ( 8396 bytes )
MD5 hash:  4bcff12446b61f6c7ba7ba0fdcf9b33e
Detection ratio:  7 / 55
First submission:  2014-08-11 13:39:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cd01023dd60906ae0ab41be212b6d5b657b44f4bed55fd7cf5d9d5897f4d5520/analysis/
File name:  2014-08-21-FlashPack-EK-flash-exploit-first-run-2-of-3.swf
File size:  9.3 KB ( 9563 bytes )
MD5 hash:  e752688cabd3647591790729b5f13128
Detection ratio:  5 / 54
First submission:  2014-08-11 13:39:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/392645985008ba54fb3d1bb6161f728e95b7bb2762699d680fcbe70be02578f1/analysis/
File name:  2014-08-21-FlashPack-EK-flash-exploit-first-run-3-of-3.swf
File size:  30.8 KB ( 31561 bytes )
MD5 hash:  addf1b50218673c6656f516915a84f26
Detection ratio:  4 / 55
First submission:  2014-08-11 13:39:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/45fd4a3d15fc76b930caa50c5c46fb6c6c896a1fb8e07e75dbbf8b9804fd8617/analysis/
File name:  2014-08-21-FlashPack-EK-flash-exploit-second-run-2-of-2.swf
File size:  8.8 KB ( 8966 bytes )
MD5 hash:  452732ee6b7563ea211ba25e5506fb67
Detection ratio:  5 / 54
First submission:  2014-08-16 08:00:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/add2dd0e4891d9a48746393c14ea327c7eee5b93a3915198a8ca56a534574879/analysis/

 

JAVA EXPLOIT (SEEN IN SECOND RUN):

File name:  2014-08-21-FlashPack-EK-java-exploit.jar
File size:  20.1 KB ( 20585 bytes )
MD5 hash:  ee6deeeee7a51d7b62f9d5d174eb32c0
Detection ratio:  14 / 55
First submission:  2014-06-28 15:47:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0ca7cd825ee9b7805b006d6a45429ed3db15970f25186784f91559f460fb707a/analysis/

 

MALWARE PAYLOAD (BOTH FIRST AND SECOND RUN):

File name:  2014-08-21-FlashPack-EK-malware-payload.exe
File size:  80.0 KB ( 81920 bytes )
MD5 hash:  58e8cf7086def6f0f3ab9c24dd73de76
Detection ratio:  4 / 55
First submission:  2014-08-21 10:45:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/71b773f76644c623a3e78e225729f3c529a96b631b476ba435c1038bd5ac373d/analysis/
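The listing above prints only MD5s, while the SHA256 of each sample is present only inside the VirusTotal URL path. As an added example (not code from the original post), the script below parses a listing in this exact format, pulls the SHA256 out of the VirusTotal link, and checks local files against both hashes, preferring SHA256. The LISTING string is copied from this page; the bytes hashed in demo() are constructed for the demonstration and do not correspond to any real sample.

```python
"""Parse a hash listing in the format used above and check files against it.

Added example, not the original post's code. LISTING is copied from the page;
the sample bytes in demo() are constructed.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Two records copied from the page. The first carries two file names under one hash.
LISTING = """\
File name:  2014-08-21-FlashPack-EK-flash-exploit-first-run-1-of-3.swf
File name:  2014-08-21-FlashPack-EK-flash-exploit-second-run-1-of-2.swf
File size:  8.2 KB ( 8396 bytes )
MD5 hash:  4bcff12446b61f6c7ba7ba0fdcf9b33e
Detection ratio:  7 / 55
First submission:  2014-08-11 13:39:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cd01023dd60906ae0ab41be212b6d5b657b44f4bed55fd7cf5d9d5897f4d5520/analysis/
File name:  2014-08-21-FlashPack-EK-malware-payload.exe
File size:  80.0 KB ( 81920 bytes )
MD5 hash:  58e8cf7086def6f0f3ab9c24dd73de76
Detection ratio:  4 / 55
First submission:  2014-08-21 10:45:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/71b773f76644c623a3e78e225729f3c529a96b631b476ba435c1038bd5ac373d/analysis/
"""

SHA256_IN_URL = re.compile(r"/file/([0-9a-fA-F]{64})/")
BYTES_IN_SIZE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")


@dataclass
class Ioc:
    names: List[str] = field(default_factory=list)
    size: Optional[int] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None
    detection: Optional[str] = None

    def started(self) -> bool:
        # True once any field other than a file name has been filled in.
        return self.size is not None or self.md5 is not None


def parse_listing(text: str) -> List[Ioc]:
    """Split the listing into records; consecutive "File name" lines share one record."""
    records: List[Ioc] = []
    cur: Optional[Ioc] = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only; the URL keeps its own
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "file name":
            if cur is None or cur.started():
                cur = Ioc()
                records.append(cur)
            cur.names.append(value)
        elif cur is None:
            continue
        elif key == "file size":
            m = BYTES_IN_SIZE.search(value)
            cur.size = int(m.group(1)) if m else None
        elif key == "md5 hash":
            cur.md5 = value.lower()
        elif key == "detection ratio":
            cur.detection = value
        elif key == "virustotal link":
            m = SHA256_IN_URL.search(value)  # SHA256 is only in the VT URL path
            cur.sha256 = m.group(1).lower() if m else None
    return records


def hashes_of(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of data."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def match_bytes(data: bytes, iocs: List[Ioc]) -> Tuple[Optional[Ioc], Optional[str]]:
    """First record whose hash matches, with the algorithm that matched; SHA256 is preferred."""
    md5, sha256 = hashes_of(data)
    for ioc in iocs:
        if ioc.sha256 and ioc.sha256 == sha256:
            return ioc, "sha256"
        if ioc.md5 and ioc.md5 == md5:
            return ioc, "md5"
    return None, None


def scan_directory(root: str, iocs: List[Ioc]) -> List[Tuple[str, Ioc, str]]:
    """Hash every file under root (e.g. the extracted ZIP) and report matches."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                ioc, algo = match_bytes(fh.read(), iocs)
            if ioc is not None:
                hits.append((path, ioc, algo))
    return hits


def demo() -> Tuple[int, bool]:
    """Constructed check: the listing parses, and made-up bytes match nothing."""
    iocs = parse_listing(LISTING)
    ioc, _ = match_bytes(b"constructed sample, not the real payload", iocs)
    return len(iocs), ioc is None


if __name__ == "__main__":
    for rec in parse_listing(LISTING):
        print(rec.size, rec.md5, rec.sha256, rec.names)
    print(demo())
```

Run scan_directory() against the extracted pcap or sample directory to confirm the files you pulled are the ones listed; when sharing indicators onward, pass the SHA256 recovered from the URL rather than the MD5 alone.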

 

SNORT EVENTS - FIRST RUN

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

SNORT EVENTS - SECOND RUN

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect pointing to FlashPack EK:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
