2014-08-22 - UNKNOWN EXPLOIT KIT FROM 76.74.157.161 - WWW.PIZZANETP.COM

PCAP AND MALWARE:

ASSOCIATED FILES:

NOTES:

UPDATE (2014-08-23):

UPDATE (2014-08-25):

CHAIN OF EVENTS

ORIGINAL REFERER:

REDIRECT AND EXPLOIT KIT:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT SEEN BY @JEROMESEGURA:

File name:  2014-08-22-unknown-EK-flash-exploit.swf
File size:  71.7 KB ( 73417 bytes )
MD5 hash:  ab10f5bdb8d1f9e7c7c268c5563c488a
Detection ratio:  5 / 55
First submission:  2014-08-12 17:03:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f31c557625286af01fc5dc3afa5b1cb43420cf5737d0c63a49faefb91cb387be/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-08-22-unknown-EK-silverlight-exploit.xap
File size:  52.3 KB ( 53561 bytes )
MD5 hash:  0c5993134e076a7a4a3b64bac95d4bf6
Detection ratio:  1 / 55
First submission:  2014-08-22 23:15:04 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2d7b321428bd172b6eeb07df4f8c723487884961da1691410e0d5b0b51151138/analysis/

MALWARE PAYLOAD:

File name:  2014-08-22-unknown-EK-malware-payload.dll
File size:  294.5 KB ( 301568 bytes )
MD5 hash:  34a29315c7eb1efde4658e6289c4b7e2
Detection ratio:  2 / 55
First submission:  2014-08-22 17:43:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a190900ee5bfd20e0e4e79a361905c0244a526def158a7dae72a8a81cf994b46/analysis/

NOTE:  This malware payload from my infected VM is also the same one @jeromesegura saw delivered by the Flash exploit.

MALWARE PAYLOAD PREVIOUSLY SEEN BY @JEROMESEGURA:

File name:  2014-08-22-unknown-EK-malware-payload-02.dll
File size:  252.0 KB ( 258048 bytes )
MD5 hash:  bbcab9a7d0154b5f5d2ffc2d012d5b2e
Detection ratio:  15 / 54
First submission:  2014-08-20 19:44:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ba9d1976118c944bc70a200a6bfd961c75bc534ec0a7e687ad7f13db403b7280/analysis/

FOLLOW-UP ANALYSIS

The site http://www.pizzanetp.com/ was first submitted to VirusTotal on 2014-05-31 18:12:10 UTC and currently, three AV vendors identify it as a malware site.

VirusTotal shows suspicious URLs from www.pizzanetp.com submitted as early as 2014-06-18, with other URLs from the same IP address submitted as early as 2014-04-06.

76.74.157.161 is run by hosting provider Peer 1 Network:

NetRange:  76.74.128.0 - 76.74.255.255
CIDR:  76.74.128.0/17
NetName:  PEER1-BLK-10

OrgName:  Peer 1 Network (USA) Inc.
OrgId:  PER1
City:  New York
StateProv:  NY
OrgAbuseEmail:  abuse@peer1.net

The domain pizzanetp.com was registered in April 2014 through Public Domain Registry:

Domain Name:  PIZZANETP.COM
Registrar URL:  www.publicdomainregistry.com
Updated Date:  09-Jun-2014
Creation Date:  09-Apr-2014

The domain's registrant is listed as having a New York address, but the point-of-contact (POC) email ends in .ru.  The other domain on the same IP address (the redirect, inpoucher.com) has the same registrant.

SCREENSHOTS FROM THE TRAFFIC

Redirect from the web page on www.inpoucher.com to the exploit kit domain:

Landing page for this exploit kit:

Silverlight exploit:

Malware payload, encrypted or otherwise obfuscated:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.