Malware-Traffic-Analysis.net

2014-05-03 - ANOTHER FAKE FLASH UPDATER HOSTED ON MICRSOFT ONEDRIVE

PCAP AND MALWARE:

MY PREVIOUS BLOG ENTRIES ON THIS CAMPAIGN:

NOTES:

This is an on-going campaign, yet I can't find anything published about it in recent weeks.
An infection requires the user to click on a link, download the file, and execute it on their computer--no actual exploit or CVE is involved.
The fake Flash player is altered every 24 hours (or more frequently) to avoid detection by anti-virus.
Post-infection traffic reminds me of Asprox botnet malspam, with signature hits on Fareit/Pony and Simda.C.

ASSOCIATED DOMAINS

94.73.145.240 - renet.com.tr - Compromised website
200.58.122.30 - retenestenup.com.ar - Fake flash update notication
134.170.104.112 - xmmguq.bn1302.livefilestore.com - Microsoft OneDrive hosting the malware
46.244.10.229 - domainforluck.com - Post-infection callback
216.151.164.53 - arkinsoftware.in - Post-infection callback (gets more malware)
59.224.244.225 - dialog-pow.com - Post-infection callback (like I've seen with Asprox)
188.16.238.1 - ps4-garry.com - Post-infection callback (like I've seen with Asprox)
112.184.251.77 - ps4-garry.com - Post-infection callback (like I've seen with Asprox)

INFECTION CHAIN OF EVENTS

05:13:01 UTC - 94.73.145.240 - renet.com.tr - GET /
05:13:03 UTC - 200.58.122.30 - retenestenup.com.ar - GET /misc/bxqm87hb.php?id=54918912
05:13:05 UTC - 200.58.122.30 - retenestenup.com.ar - GET /misc/bxqm87hb.php?html=27
05:13:07 UTC - 200.58.122.30 - retenestenup.com.ar - GET /misc/checker.php
05:13:11 UTC - 134.170.104.112 port 443 - xmmguq.bn1302.livefilestore.com
05:13:22 UTC - 200.58.122.30 - retenestenup.com.ar - GET /misc/checker.php [repeats several times]

SANDBOX ANALYSIS TRAFFIC

46.244.10.229 - domainforluck.com - POST /oopahdei/456547/index.php
216.151.164.53 - arkinsoftware.in - GET /images/inexsabit.exe
216.151.164.53 - arkinsoftware.in - GET /images/aveksynkens.exe
216.151.164.53 - arkinsoftware.in - GET /images/tobnenuko.exe
216.151.164.53 - arkinsoftware.in - GET /images/nukotobne.exe
159.224.244.225 - dialog-pow.com - GET /b/shoe/54607
79.142.66.240 - report.k7y3c7s3e7a317sk.com - GET /?E7a331=%96%95%D6%A6%D4%A4[long string of characters]
5.149.248.153 - report.k7y3c7s3e7a317sk.com - POST /
5.149.248.153 - update.xn1bipg.com - GET /gn=kaXWm8Okymaxo5aVoKCfk8Wnz62mx5an[long string of characters]
188.16.238.1 - ps4-garry.com - GET /components-jumla/jquery/
112.184.251.77 - ps4-garry.com - GET /components-jumla/ajax/

FAKE FLASH UPDATER

File name: FlashUpdater94309.exe
File size: 234.0 KB ( 239616 bytes )
MD5 hash: 6e477bca2eca90f8a84c35a679967562
Detection ratio: 5 / 52
First submission: 2014-05-02 22:34:20 UTC
VirusTotal link: https://www.virustotal.com/en/file/58d6e6a26a39bb48e673993fa50dcab6c8c7bd011fa8ee5675137b0363ef82b3/analysis/

MALWARE DOWNLOADED IN SANDBOX ANALYSIS (1 OF 3)

File name: aveksynkens.exe
File size: 746.0 KB ( 763904 bytes )
MD5 hash: 86220875882e3c69629e3deb0af0dce7
Detection ratio: 2 / 52
First submission: 2014-05-03 06:42:39 UTC
VirusTotal link: https://www.virustotal.com/en/file/b930491c9dcdc82b027a0f86df7520e3fc3330a5687d3068b093df2acdfd0c79/analysis/

MALWARE DOWNLOADED IN SANDBOX ANALYSIS (2 OF 3)

File name: inexsabit.exe
File size: 92.9 KB ( 95084 bytes )
MD5 hash: 5475b6a26b191a7e897bc3ab281ee7fe
Detection ratio: 3 / 52
First submission: 2014-05-02 23:46:21 UTC
VirusTotal link: https://www.virustotal.com/en/file/8005acade3f75f8c77b71a2346902cc30eef1018016e497db07cc2281de3380d/analysis/

MALWARE DOWNLOADED IN SANDBOX ANALYSIS (3 OF 3)

File name: nukotobne.exe
File size: 87.9 KB ( 89960 bytes )
MD5 hash: 4a1d57ca7daddd5e8c20d68f65324864
Detection ratio: 8 / 52
First submission: 2014-05-03 00:39:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/1026dd3dc882fc191ca291ddc5ce83f40584f633552c01b8eab0b77d2ce278b6/analysis/

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

2014-05-03 05:13:02 UTC - 94.73.145.240:80 - 192.168.204.223:49508 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag
2014-05-03 05:13:11 UTC - 134.170.104.112:443 - 192.168.204.223:49525 - ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
2014-05-03 05:13:11 UTC - 134.170.104.112:443 - 192.168.204.223:49525 - ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)

SNORT EVENTS FOR THE SANDBOX ANALYSIS PCAP (using tcpreplay on Security Onion)

192.168.204.223:1029 - 46.244.10.229:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
192.168.204.223:1030 - 216.151.164.53:80 - ET TROJAN Possible Graftor EXE Download Common Header Order
216.151.164.53:80 - 192.168.204.223:1030 - ET POLICY PE EXE or DLL Windows file download
216.151.164.53:80 - 192.168.204.223:1030 - GPL SHELLCODE x86 NOOP
216.151.164.5:803 - 192.168.204.223:1030 - GPL SHELLCODE x86 0x90 unicode NOOP
216.151.164.53:80 - 192.168.204.223:1035 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag
192.168.204.223:1043 - 79.142.66.240:80 - ET TROJAN Simda.C Checkin