2014-08-30 - FLASHPACK EK FROM 188.40.249.74 - VBSAIORD.ARM.EE

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

FLASHPACK EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-30-FlashPack-EK-flash-exploit.swf
File size:  43.1 KB ( 44162 bytes )
MD5 hash:  18e848c5bcfdc2a0c4c8f254b1c4ca7c
Detection ratio:  0 / 55
First submission:  2014-08-27 17:47:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/97abf9ab52df2abcddea16cf7015ec4a5322ed2338e3e428baf9143b4fb63b26/analysis/

SECOND FLASH EXPLOIT:

File name:  2014-08-30-FlashPack-EK-second-flash-exploit.swf
File size:  20.9 KB ( 21353 bytes )
MD5 hash:  9b945f6d19061e3ff9d69ee6c4a4fd3a
Detection ratio:  1 / 47
First submission:  2014-08-27 17:46:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dd4b73c7e3b4012c5351ede3141d94915cc8db30a5a3a4b0adafee46043df520/analysis/

JAVA EXPLOIT:

File name:  (not recorded; the original entry repeated the file size in this field)
File size:  10.5 KB ( 10743 bytes )
MD5 hash:  b50a4ada9f11dcdf07c3bbafa7687d79
Detection ratio:  11 / 53
First submission:  2014-08-25 09:11:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c74cf5b69897ee9e74c5b11429148addbaf153643fb7be19b5dc1c872306b8d3/analysis/

MALWARE PAYLOAD:

File name:  2014-08-30-FlashPack-EK-malware-payload.exe
File size:  83.5 KB ( 85504 bytes )
MD5 hash:  292f86e7f4bd65c776ab8cbc2ddba75f
Detection ratio:  5 / 51
First submission:  2014-08-29 23:09:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1ad6ed631dfdbb6b6672805af793e02e471d4359e44d2100ca85fbbba6490b84/analysis/
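
The four entries above give two hashes per artifact: the MD5 printed on the page and the SHA256 that VirusTotal embeds in each analysis URL. The following script is an added example, not part of the original post; it transcribes those indicators, pulls the SHA256 out of each VirusTotal URL, and checks files (or raw bytes) against both hashes so that a mismatch between the two (a transcription error, or a different sample sharing only one hash) is reported rather than silently treated as a hit. The Java exploit has no file name on the page, so it is labelled by role only; the directory-scanning helper and the role labels are this example's own.

```python
import hashlib
import os
import re
import sys

# Indicators transcribed from the page above: MD5 as printed, and the
# VirusTotal URL whose path carries the sample's SHA256.
INDICATORS = [
    {"role": "flash exploit",
     "md5": "18e848c5bcfdc2a0c4c8f254b1c4ca7c",
     "vt": "https://www.virustotal.com/en/file/97abf9ab52df2abcddea16cf7015ec4a5322ed2338e3e428baf9143b4fb63b26/analysis/"},
    {"role": "second flash exploit",
     "md5": "9b945f6d19061e3ff9d69ee6c4a4fd3a",
     "vt": "https://www.virustotal.com/en/file/dd4b73c7e3b4012c5351ede3141d94915cc8db30a5a3a4b0adafee46043df520/analysis/"},
    {"role": "java exploit",   # file name not recorded on the page
     "md5": "b50a4ada9f11dcdf07c3bbafa7687d79",
     "vt": "https://www.virustotal.com/en/file/c74cf5b69897ee9e74c5b11429148addbaf153643fb7be19b5dc1c872306b8d3/analysis/"},
    {"role": "malware payload",
     "md5": "292f86e7f4bd65c776ab8cbc2ddba75f",
     "vt": "https://www.virustotal.com/en/file/1ad6ed631dfdbb6b6672805af793e02e471d4359e44d2100ca85fbbba6490b84/analysis/"},
]

# VirusTotal file URLs look like .../file/<64 hex chars>/analysis/ (with an
# optional language segment such as /en/ in front of "file").
VT_URL_RE = re.compile(r"virustotal\.com/(?:[a-z]{2}/)?file/([0-9a-fA-F]{64})")


def sha256_from_vt_url(url):
    """Return the lowercase SHA256 embedded in a VirusTotal file URL."""
    m = VT_URL_RE.search(url)
    if not m:
        raise ValueError("no SHA256 found in VirusTotal URL: %r" % url)
    return m.group(1).lower()


def hash_bytes(data):
    """MD5 and SHA256 of an in-memory blob, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_bytes(data, indicators=INDICATORS):
    """Compare a blob against each indicator on both hashes.

    Returns a list of (role, md5_matched, sha256_matched) for every
    indicator where at least one hash matched. A (True, False) or
    (False, True) result means the two hashes disagree and the hit
    should be checked by hand instead of being trusted.
    """
    h = hash_bytes(data)
    hits = []
    for ioc in indicators:
        md5_hit = h["md5"] == ioc["md5"].lower()
        sha_hit = h["sha256"] == sha256_from_vt_url(ioc["vt"])
        if md5_hit or sha_hit:
            hits.append((ioc["role"], md5_hit, sha_hit))
    return hits


def scan_directory(root, indicators=INDICATORS):
    """Walk a directory (e.g. the extracted pcap objects) and map each
    matching file path to its hits."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                hits = match_bytes(f.read(), indicators)
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    # Usage: python check_iocs.py <directory of extracted files>
    for path, hits in scan_directory(sys.argv[1]).items():
        for role, md5_ok, sha_ok in hits:
            status = "full match" if (md5_ok and sha_ok) else "PARTIAL (verify)"
            print("%s  %s  [%s]" % (path, role, status))
```

Run it over a directory of objects carved from the pcap; a "full match" means both the printed MD5 and the SHA256 from the VirusTotal URL agree with the file on disk, while a partial match is worth a second look before you record the indicator as confirmed.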

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

Redirect pointing to FlashPack EK:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.