2014-05-19 - FLASHPACK EK FROM 95.154.246.90 - LEY9NBU9C4C5R3OIE3819IT.NS1.BAYANDOVMECI.COM

ASSOCIATED FILES:

• ZIP of the PCAPs:  2014-05-19-FlashPack-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-19-FlashPack-EK-malware.zip

NOTES:

• More Operation Windigo with Cdorked/Onimiki redirection landing to Glupteba.
• The Java exploit is at least 2 weeks old, and the Silverlight exploit hasn't been modified since December 2013.
• For some reason, there's no CVE-2014-0322 traffic like we've seen from FlashPack EK previously on 2014-03-29 and 2014-04-03.
• I'm using the same VM configuration (IE 10, Flash 12.0.0.43, Java 7 update 13, Silverlight 5.1.10411), so I'm not sure why the traffic has changed.

PREVIOUS FLASHPACK EK TRAFFIC ON THIS BLOG:

• 2014-03-29 FlashPack EK from 31.31.196.12 - bkapaep35cp5h47qef1lpgl.fm.gen.tr
• 2014-04-03 FlashPack EK from 78.157.209.194 - dqpo63edlc6eurmpd42wbl9.forexforum.gen.tr
• 2014-04-12 FlashPack EK from 176.102.37.55 - kliftpres.com
• 2014-04-13 FlashPack EK from 176.102.37.55 - weoikcus.org
• 2014-04-17 FlashPack EK from 178.33.85.108 - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri.gen.tr
• 2014-05-06 FlashPack EK from 89.121.252.70 - 5tcq1yyzey8kafdq1nmvqtw.lchhmba.com
• 2014-05-11 FlashPack EK from 82.146.41.116 - dg9sdgykl.trade-e.com
• 2014-05-19 FlashPack EK from 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com

 

CHAIN OF EVENTS

COMPROMISED WEBSITE:

• 02:27:26 UTC - 89.46.102.34 - hitcric.info - GET /

FLASHPACK EK:

• 02:27:28 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /index.php?s=dmpuc[long string of characters]
• 02:27:28 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /favicon.ico
• 02:27:29 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it529953c1805362f91a2d16b6d071fd5b0.ns1.bayandovmeci.com - GET /index2.php
• 02:27:29 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it529953c1805362f91a2d16b6d071fd5b0.ns1.bayandovmeci.com - GET /favicon.ico
• 02:27:30 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/allow.php
• 02:27:30 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/js/pd.php?id=6c6579[long string of characters]
• 02:27:46 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - POST /tresting/avalonr/json.php
• 02:27:47 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/msie.php
• 02:27:47 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/silver.php
• 02:27:47 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/flash2014.php
• 02:27:47 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/javadb.php
• 02:27:48 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/include/add8dc99221ed3fa474c85b43f3262ed.eot
• 02:27:52 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/include/1f55ea0e76576767cbd3d4e266e5dacf.eot
• 02:27:53 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/loadsilver.php
• 02:28:07 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/include/15c0b903a3d1f695e139a4ef3e8b3a1b.jar
• 02:28:07 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /tresting/avalonr/include/15c0b903a3d1f695e139a4ef3e8b3a1b.jar
• 02:30:17 UTC - 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com - GET /software.php?05190230760256453

POST-INFECTION TRAFFIC:

• 02:28:05 UTC - 91.121.84.116:49105 - GET /stat?uid=100&downlink=1111&uplink=1111&id=00CC7ADD&statpass=bpass&version=20140515&features=30
  &guid=fc5fe618-b57d-4366-a8b4-58a66ccab09c&comment=20140515&p=0&s=
• 02:28:05 UTC - 91.121.84.116:21967 - Glupteba-style callback traffic throughout rest of the PCAP file
• 02:29:03 UTC - 173.194.116.114 - www.google.com - GET /robots.txt
• 02:29:03 UTC - 174.143.144.69:25 - GET /
• 02:30:24 UTC - 195.2.253.38 - 195.2.253.38 - POST /
• 02:33:03 UTC - 173.194.64.27:25 - GET /

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-05-19-FlashPack-EK-java-exploit.jar
File size:  10.2 KB ( 10408 bytes )
MD5 hash:  ad97fb241a7f8ec33d36a7735e5693d7
Detection ratio:  14 /53
First submission:  2014-05-06 05:54:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/35e59f62804e8fe688c6536ce0007f7cf8b65dc7924fc6531b6b5d87603664f1/analysis/

 

SILVERLIGHT EXPLOIT (SENT AS FIRST .EOT FILE)

File name:  2014-05-19-FlashPack-EK-silverlight-exploit.xap
File size:  21.8 KB ( 22319 bytes )
MD5 hash:  0fdf64c3cdd5d592fdb357fbba5efeec
Detection ratio:  32 / 52
First submission:  2014-03-13 18:36:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/119fdd3aa3154ce53e8df0dcebfb9469fced6c76c1668cb0d8a1f98106a5ea98/analysis/

 

FIRST MALWARE FILE NOTED (SENT AS SECOND .EOT FILE)

File name:  2014-05-19-FlashPack-EK-additional-malware.dll
File size:  13.0 KB ( 13312 bytes )
MD5 hash:  cf2fa8cc3c623bb73f0c0b5e900caf1b
Detection ratio:  4 / 53
First submission:  2014-05-19 03:28:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/022e6fafdd99615167b44de20a70b21751748f27c4b50e9bc8425dc583f9b5b5/analysis/
Malwr link:  https://malwr.com/analysis/NjBlNDQ0MTBjMmMyNGVkYmJmNmQ2YjNlYzkxMDIwMDg/

 

MALWARE PAYLOAD

File name:  2014-05-19-FlashPack-EK-malware-payload.exe
File size:  92.3 KB ( 94514 bytes )
MD5 hash:  2c334e13dc255e9681fe6da907b94706
Detection ratio:  6 / 52
First submission:  2014-05-19 03:28:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6bd17b0439ff1605b420a866d155849d9fb140fe13ce5af9987db146e1518c95/analysis/
Malwr link:  https://malwr.com/analysis/YmE5NzYyZDA2NmVlNDhiOWE4OWNlNDQzNGZiYTgxZGM/

 

POST-INFECTION MALWARE DOWNLOADED

File name:  2014-05-19-FlashPack-EK-post-infection-malware.exe
File size:  133.3 KB ( 136536 bytes )
MD5 hash:  f5df5011d612471365edbd104862af6f
Detection ratio:  5 / 53
First submission:  2014-05-19 04:11:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3d9d1f64b013750aebd7d9395143baaa662dde16c1fde656e8cba8a61ba75307/analysis/
Malwr link:  https://malwr.com/analysis/NjJlODRlMTVhOTQ5NDYxNWE2OGYyZDQ1YWI3NTkyMDI/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats events:

• ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
• ET CURRENT_EVENTS Safe/CritX/FlashPack URI with Windows Plugin-Detect Data (sid:2017812)
• ET CURRENT_EVENTS Angler Landing Page Feb 24 2014 (sid:2018171)
• ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php (sid:2018238)
• ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash2014.php (sid:201847)
• ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight Secondary Landing (sid:2018236)
• ET CURRENT_EVENTS DRIVEBY FlashPack 2013-2551 May 13 2014 (sid:2018469)
• ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot (sid:2016155)
• ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
• ET CURRENT_EVENTS Safe/CritX/FlashPack Payload (sid:2017813)
• ET TROJAN Win32/Glupteba CnC Checkin (sid:2013293)
• ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii (sid:2014751)

Sourcefire VRT events:

• BAD-TRAFFIC dns request with long host name segment - possible data exfiltration attempt (sid:30881)
• EXPLOIT-KIT CritX exploit kit outbound request for Adobe Flash landing page (sid:30970)
• EXPLOIT-KIT CritX exploit kit outbound request for Oracle Java landing page (sid:30971)
• EXPLOIT-KIT CritX exploit kit landing page - redirection to Microsoft Internet Explorer exploit (sid:30966)
• EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit (sid:30967)
• EXPLOIT-KIT CritX exploit kit landing page - redirection to font exploit (sid:30968)
• EXPLOIT-KIT Multiple exploit kit outbound font request (sid:30974)
• EXPLOIT-KIT CritX exploit kit Portable Executable download (sid:24791)
• EXPLOIT-KIT Multiple exploit kit payload download (sid:28593)
• EXPLOIT-KIT CritX exploit kit payload download attempt (sid:29167)
• EXPLOIT-KIT CritX exploit kit payload request (sid:30973)
• MALWARE-CNC Win.Trojan.Jaik variant outbound connection (sid:30977)
• EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
• EXPLOIT-KIT CritX exploit kit outbound jar request (sid:29165)

 

HIGHLIGHTS FROM THE TRAFFIC

Redirect from compromised web server:

 

The rest of the traffic is similar to my previous blog post on FlashPack EK dated 2014-05-11 (link).

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAPs:  2014-05-19-FlashPack-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-19-FlashPack-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.