2014-04-30 - FAKE FLASH PLAYER FROM 87.98.146.123 - ACTIVEX.ADOBE.FLASH.PLAYER.TRANSDISCIPLINAR.INFO

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-04-30-fake-flash-player-pcaps.zip
• ZIP file of the malware:  2014-04-30-fake-flash-player-malware.zip

NOTES:

• Here's another one I've found lately...
• I haven't found any traffic analysis yet on this particular malware campaign, so I'm documenting this.

 

CHAIN OF EVENTS

COMPROMISED WEBSITE AND REDIRECT:

• 21:23:37 UTC - 200.72.129.195 - www.ofbconsulting.cl - GET /
• 21:23:41 UTC - 216.205.98.41 - pagerank.net.au - GET /img/popup.html
• 21:23:42 UTC - 216.205.98.41 - pagerank.net.au - GET /favicon.ico

FAKE FLASH PLAYER PAGE:

• 21:23:42 UTC - 87.98.146.123 - activex.adobe.flash.player.transdisciplinar.info - GET /update/flash/20140427232734/
• 21:23:42 UTC - 87.98.146.123 - activex.adobe.flash.player.transdisciplinar.info - GET /update/flash/20140427232734/index.css
• 21:23:42 UTC - 87.98.146.123 - activex.adobe.flash.player.transdisciplinar.info - GET /update/flash/20140427232734/flash_windows.gif
• 21:23:42 UTC - 87.98.146.123 - activex.adobe.flash.player.transdisciplinar.info - GET /update/flash/20140427232734/160x41_get_flashplayer.gif
• 21:23:42 UTC - 87.98.146.123 - activex.adobe.flash.player.transdisciplinar.info - GET /update/flash/20140427232734/undefined
• 21:23:42 UTC - 87.98.146.123 - activex.adobe.flash.player.transdisciplinar.info - GET /update/flash/20140427232734/logo.png
• 21:23:42 UTC - 87.98.146.123 - activex.adobe.flash.player.transdisciplinar.info - GET /update/flash/20140427232734/background.png
• 21:23:42 UTC - 87.98.146.123 - transdisciplinar.info - GET /wp-signup.php?new=activex.adobe.flash.player
• 21:23:43 UTC - 87.98.146.123 - activex.adobe.flash.player.transdisciplinar.info - GET /favicon.ico
• 21:25:16 UTC - 87.98.146.123 - activex.adobe.flash.player.transdisciplinar.info - GET /adobe_flash_player.exe

POST-INFECTION CALLBACK FROM SANDBOX ANALYSIS:

• 37.187.131.39 - nonicnic.net - POST /0x0x/image.php
• 198.187.31.22 - mobypapp.com - GET /updater/11.exe
• 198.187.31.22 - mobypapp.com - GET /updater/11.exe
• 198.187.31.22 - mobypapp.com - GET /updater/11.exe
• 37.187.131.39 - nonicnic.net - POST /0x0x/image.php   [repeats several times]

 

PRELIMINARY MALWARE ANALYSIS

File name:  adobe_flash_player.exe
File size:  13.5 KB ( 13824 bytes )
MD5 hash:  f5f998a2425a559be2d6413d16ad091d
SHA256 hash:  2417424e64f2f1499b3d9dc2c8b5ebde92ffa6aa43984564478000a9775747b3
Detection ratio:  46 / 52
First submission:  2014-04-28 09:47:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2417424e64f2f1499b3d9dc2c8b5ebde92ffa6aa43984564478000a9775747b3/analysis/
Malwr link:  https://malwr.com/analysis/ZTM0ZDEwMTg5NzRjNGM4ZTg5YjAyZTFmMjBjOTc4NTc/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-04-30 21:23:38 UTC - 200.72.129.195:80 - 172.16.223.134:50219 - ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding
• 2014-04-30 21:23:38 UTC - 200.72.129.195:80 - 172.16.223.134:50219 - ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding
• 2014-04-30 21:23:38 UTC - 200.72.129.195:80 - 172.16.223.134:50219 - ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
• 2014-04-30 21:23:38 UTC - 200.72.129.195:80 - 172.16.223.134:50219 - ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding
• 2014-04-30 21:23:38 UTC - 200.72.129.195:80 - 172.16.223.134:50219 - ET WEB_CLIENT Hex Obfuscation of document.write % Encoding
• 2014-04-30 21:23:39 UTC - 172.16.223.134:50227 - 200.72.129.195:80 - ET POLICY Outdated Windows Flash Version IE
• 2014-04-30 21:25:16 UTC - 87.98.146.123:80 - 172.16.223.134:50242 - ET POLICY PE EXE or DLL Windows file download
• 2014-04-30 21:25:16 UTC - 87.98.146.123:80 - 172.16.223.134:50242 - ET SHELLCODE Possible Call with No Offset TCP Shellcode

 

NOTE:  Using Security Onion I did tcpreplay on a sandbox analysis PCAP of the malware.  The PCAP generated two different post-infection alerts.

• 172.16.233.15:1031 - 37.187.131.39:80 - ET TROJAN Andromeda Checkin
• 37.187.131.39:80 - 172.16.233.15:1041 - ET TROJAN Andromeda Check-in Response

 

SCREENSHOTS FROM THE TRAFFIC

Here's the javascript I've seen from the compromised web sites.  Note the <HTML> and </HTML> tags...  It looks like a separate HTML page before the start of the actual HTML page from the site.

 

That javascript shown above generated the HTTP GET request seen below to pagerank.net.au, which generates traffic to the fake Flash player page on transdisciplinar.info.

 

Here's the GET request for the fake Flash player from activex.adobe.flash.player.transdisciplinar.info

 

Post-infection callback to nonicnic.net

 

Post-infection callback to mobypapp.com mobypapp.com

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-04-30-fake-flash-player-pcaps.zip
• ZIP file of the malware:  2014-04-30-fake-flash-player-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.