2014-10-30 - FLASHPACK EK FROM 188.227.172.106 - KETHANLINGTORO.EU

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE:

EVIL EK REDIRECTOR:

FLASHPACK EK:

MALWR.COM ANALYSIS OF MALWARE PAYLOAD:

Whois shows 173.252.120.6 is registered to Facebook (link).

PRELIMINARY MALWARE ANALYSIS

CVE-2014-0569 FLASH EXPLOIT:

File name:  Main.swf
File size:  46.2 KB ( 47292 bytes )
MD5 hash:  93bd68ff7112244d19030d360e9b2108
Detection ratio:  4 / 54
First submission:  2014-10-28 21:12:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9af76a641b509543632504c6335e7fcf426293b6b8b4a104c109a1a76dc8efae/analysis/

MALWARE PAYLOAD:

File name:  2014-10-30-FlashPack-EK-malware-payload.exe
File size:  91.0 KB ( 93184 bytes )
MD5 hash:  b47f9975477c9e34888715790fef904e
Detection ratio:  5 / 53
First submission:  2014-10-30 01:58:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d3314440e36606373c67cd88f12596ea51adf3e2c22e1d0c8cff58954fed194f/analysis/
Malwr link:  https://malwr.com/analysis/NmJlOGNkMzM2MGY5NDA3YTk4NzYzNjRmNTUyNDliNGE/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript from compromised website pointing to the redirect/gate:

Redirect pointing to the FlashPack EK landing page:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.