2014-04-29 - TODAY'S FAKE FLASH UPDATER HOSTED ON MICROSOFT ONEDRIVE

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-04-29-fake-flash-updater-all-pcaps.zip
• ZIP file of the malware:  2014-04-29-fake-flash-updater-malware.zip

 

MICROSOFT ONEDIRVE IP ADDRESSES HOSTING THE MALWARE:

• 134.170.104.176 - xmeazw.dm2301.livefilestore.com
• 134.170.109.176 - xmeazw.dm2304.livefilestore.com

 

NOTES:

• Found 3 more today while I was searching for exploit kits...  Read: comromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
• rubikon.bg --> site.lt --> xmeazw.dm2301.livefilestore.com
• webradio-powerplay.de --> www.emiliabayer.com --> xmeazw.dm2304.livefilestore.com
• www.mkon.de --> aviontechnology.it --> xmeazw.dm2301.livefilestore.com

 

TODAY'S EXAMPLES

comromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
rubikon.bg --> site.lt --> xmeazw.dm2301.livefilestore.com

• 01:15:32 UTC - 172.16.223.135:49921 - 87.120.40.168:80 - rubikon.bg - GET /
• 01:15:34 UTC - 172.16.223.135:49925 - 87.120.40.168:80 - rubikon.bg - GET /stmenu.js
• 01:15:34 UTC - 172.16.223.135:49923 - 87.120.40.168:80 - rubikon.bg - GET /jquery-1.5.1.min.js
• 01:15:34 UTC - 172.16.223.135:49924 - 87.120.40.168:80 - rubikon.bg - GET /jquery.backstretch.min.js
• 01:15:34 UTC - 172.16.223.135:49930 - 87.120.40.168:80 - rubikon.bg - GET /scroll.js
• 01:15:34 UTC - 172.16.223.135:49929 - 87.120.40.168:80 - rubikon.bg - GET /menu.js
• 01:15:37 UTC - 172.16.223.135:49934 - 79.98.26.193:80 - site.lt - GET /DmXRpr9F.php?id=11966723
• 01:15:38 UTC - 172.16.223.135:49934 - 79.98.26.193:80 - site.lt - GET /DmXRpr9F.php?id=11966724
• 01:15:40 UTC - 172.16.223.135:49935 - 87.120.40.168:80 - rubikon.bg - GET /stcode.js
• 01:15:41 UTC - 172.16.223.135:49936 - 79.98.26.193:80 - site.lt - GET /DmXRpr9F.php?id=11966727
• 01:15:42 UTC - 172.16.223.135:49936 - 79.98.26.193:80 - site.lt - GET /DmXRpr9F.php?id=11966731
• 01:15:43 UTC - 172.16.223.135:49936 - 79.98.26.193:80 - site.lt - GET /DmXRpr9F.php?id=11966726
• 01:15:59 UTC - 172.16.223.135:49948 - 79.98.26.193:80 - site.lt - GET /DmXRpr9F.php?html=27
• 01:16:01 UTC - 172.16.223.135:49948 - 79.98.26.193:80 - site.lt - GET /checker.php
• 01:16:09 UTC - 172.16.223.135:49949 - 134.170.104.176:443 - xmeazw.dm2301.livefilestore.com
• 01:16:09 UTC - 172.16.223.135:49950 - 134.170.104.176:443 - xmeazw.dm2301.livefilestore.com
• 01:16:16 UTC - 172.16.223.135:49952 - 79.98.26.193:80 - site.lt - GET /checker.php

HTTPS link from fake Flash updater notice:

• xmeazw.dm2301.livefilestore.com - GET /y2mSHM8N1E-7Gfshvhe-3l5_NCUYzZkHGEXj8qEH-GcjtG_g_V5w8CMY4LprNB-r4CnT2wwGiIr6QrS-QJWSB_UvS398df7NmzgpCQ
  A0XUdzx8/FlashUpdater.exe

 

comromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
webradio-powerplay.de --> www.emiliabayer.com --> xmeazw.dm2304.livefilestore.com

• 02:44:00 UTC - 172.16.223.132:49175 - 88.198.55.148:80 - webradio-powerplay.de - GET /
• 02:44:01 UTC - 172.16.223.132:49175 - 88.198.55.148:80 - webradio-powerplay.de - GET /news.php
• 02:44:01 UTC - 172.16.223.132:49183 - 88.198.55.148:80 - webradio-powerplay.de - GET /includes/jquery/jquery.js
• 02:44:02 UTC - 172.16.223.132:49175 - 88.198.55.148:80 - webradio-powerplay.de - GET /includes/jscript.js
• 02:44:03 UTC - 172.16.223.132:49182 - 88.198.55.148:80 - webradio-powerplay.de - GET /infusions/advanced_online_panel/includes/tooltip.js
• 02:44:05 UTC - 172.16.223.132:49192 - 181.224.139.87:80 - www.emiliabayer.com - GET /3wgvnxqn.php?id=111527479
• 02:44:07 UTC - 172.16.223.132:49192 - 181.224.139.87:80 - www.emiliabayer.com - GET /3wgvnxqn.php?html=27
• 02:44:08 UTC - 172.16.223.132:49192 - 181.224.139.87:80 - www.emiliabayer.com - GET /checker.php
• 02:44:23 UTC - 172.16.223.132:49210 - 181.224.139.87:80 - www.emiliabayer.com - GET /checker.php
• 02:44:38 UTC - 172.16.223.132:49212 - 134.170.109.176:443 - xmeazw.dm2304.livefilestore.com
• 02:44:38 UTC - 172.16.223.132:49213 - 181.224.139.87:80 - www.emiliabayer.com - GET /checker.php
• 02:44:53 UTC - 172.16.223.132:49215 - 181.224.139.87:80 - www.emiliabayer.com - GET /checker.php

HTTPS link from fake Flash updater notice:

• xmeazw.dm2304.livefilestore.com - GET /y2mBtol82kkE74DcxuB2b14AxNTn8d44cfUgbkqLLlE6PTN3PaU3iImsgoq_eIl_HFjGvRssHi_xLv84RztnAgw1PSqGObpJDR3npeD4n-
  BZEk/FlashUpdater.exe

 

comromised website --> fake Flash updater notice --> Microsoft OneDrive hosting the malware
www.mkon.de --> aviontechnology.it --> xmeazw.dm2301.livefilestore.com

• 02:48:31 UTC - 172.16.223.132:49292 - 109.237.132.30:80 - www.mkon.de - GET /
• 02:48:33 UTC - 172.16.223.132:49304 - 109.237.132.30:80 - www.mkon.de - GET /files/theme/js/jquery.selectnav.js
• 02:48:33 UTC - 172.16.223.132:49302 - 109.237.132.30:80 - www.mkon.de - GET /assets/js/f14e9a439d7d.js
• 02:48:33 UTC - 172.16.223.132:49305 - 109.237.132.30:80 - www.mkon.de - GET /files/theme/js/back-to-top.js
• 02:48:33 UTC - 172.16.223.132:49303 - 109.237.132.30:80 - www.mkon.de - GET /files/theme/js/doubletaptogo.js
• 02:48:34 UTC - 172.16.223.132:49307 - 109.237.132.30:80 - www.mkon.de - GET /assets/jquery/ui/1.10.3/jquery-ui.min.js
• 02:48:34 UTC - 172.16.223.132:49309 - 62.149.128.163:80 - aviontechnology.it - GET /Benvenuto_files/JY9W7Vrb.php?id=
• 02:48:34 UTC - 172.16.223.132:49306 - 109.237.132.30:80 - www.mkon.de - GET /assets/html5shiv/3.7.0/html5shiv.js
• 02:48:34 UTC - 172.16.223.132:49310 - 109.237.132.30:80 - www.mkon.de - GET /assets/swipe/2.0/js/swipe.min.js
• 02:48:34 UTC - 172.16.223.132:49308 - 109.237.132.30:80 - www.mkon.de - GET /assets/jquery/colorbox/1.4.31/js/colorbox.min.js
• 02:48:34 UTC - 172.16.223.132:49311 - 109.237.132.30:80 - www.mkon.de - GET /assets/jquery/tablesorter/2.0.5/js/tablesorter.js
• 02:48:34 UTC - 172.16.223.132:49313 - 109.237.132.30:80 - www.mkon.de - GET /files/theme/js/selectnav-custom.js
• 02:48:34 UTC - 172.16.223.132:49312 - 109.237.132.30:80 - www.mkon.de - GET /files/theme/js/doubletaptogo_custom.js
• 02:48:34 UTC - 172.16.223.132:49314 - 109.237.132.30:80 - www.mkon.de - GET /assets/jquery/mediaelement/2.13.1/js/mediaelement-and-player.min.js
• 02:48:34 UTC - 172.16.223.132:49315 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/JY9W7Vrb.php?id=
• 02:48:41 UTC - 172.16.223.132:49348 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/JY9W7Vrb.php?html=27
• 02:48:42 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:48:58 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:49:12 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:49:27 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:49:42 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:49:58 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:50:13 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:50:28 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:50:43 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:50:55 UTC - 172.16.223.132:49354 - 134.170.104.176:443 - xmeazw.dm2301.livefilestore.com
• 02:50:58 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php
• 02:51:13 UTC - 172.16.223.132:49351 - 62.149.131.238:80 - www.aviontechnology.it - GET /Benvenuto_files/checker.php

HTTPS link from fake Flash updater notice:

• xmeazw.dm2301.livefilestore.com - GET /y2mF4MC8q5OpMhkvfvn05KE9nxa08rpqNA5h_mMIYII8Y_LyPhEEw_GJpmDe3jKfrrQ_FVPdh0Fe5KmwSGHRMBgMhYdsioIDeZo
  q0nk-va2ehM/FlashUpdater.exe

 

PRELIMINARY MALWARE ANALYSIS

File name:  FlashUpdater.exe
File size:  159.0 KB ( 162816 bytes )
MD5 hash:  f7193a06030e19e0d0c66dfa013481a5
Detection ratio:  3 / 51
First submission:  2014-04-29 01:25:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/938700a3f84dd6ef0e414b83ad4ec132f0e94504f8ad9bbfa62eefded9ebd49b/analysis/

NOTE: This is the same file size and icon as yesterday, but a different MD5 hash.

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-04-29-fake-flash-updater-all-pcaps.zip
• ZIP file of the malware:  2014-04-29-fake-flash-updater-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.