2014-05-24 - FLASHPACK EK FROM 62.212.128.199 - G07A1KXCNP83X1Z21FJVQTW.PARFUMLERI.ORG

PCAP AND MALWARE:

• ZIP of the PCAPs:  2014-05-24-FlashPack-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-24-FlashPack-EK-malware.zip

NOTES:

• More Operation Windigo with Cdorked/Onimiki redirection to FlashPack EK and Glupteba payload.
• Today's Java and Silverlight exploits are the same as last time.

PREVIOUS FLASHPACK EK TRAFFIC ON THIS BLOG:

• 2014-03-29 - FlashPack EK from 31.31.196.12 - bkapaep35cp5h47qef1lpgl.fm.gen.tr
• 2014-04-03 - FlashPack EK from 78.157.209.194 - dqpo63edlc6eurmpd42wbl9.forexforum.gen.tr
• 2014-04-12 - FlashPack EK from 176.102.37.55 - kliftpres.com
• 2014-04-13 - FlashPack EK from 176.102.37.55 - weoikcus.org
• 2014-04-17 - FlashPack EK from 178.33.85.108 - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri.gen.tr
• 2014-05-06 - FlashPack EK from 89.121.252.70 - 5tcq1yyzey8kafdq1nmvqtw.lchhmba.com
• 2014-05-11 - FlashPack EK from 82.146.41.116 - dg9sdgykl.trade-e.com
• 2014-05-19 - FlashPack EK from 95.154.246.90 - ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci.com
• 2014-05-24 - FlashPack EK from 62.212.128.199 - g07a1kxcnp83x1z21fjvqtw.parfumleri.org

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 63.247.137.220 - www.siragon.com - Compromised website
• 62.212.128.199 - g07a1kxcnp83x1z21fjvqtw.parfumleri.org and g07a1kxcnp83x1z21fjvqtw514453c24ac08a0a332387057f2f90f0b.parfumleri.org - Flashpack EK
• 188.165.222.149 - no domain name - Post-infection callback traffic on TCP ports 51633 and 17326

TRAFFIC NOTED:

• 20:48:55 UTC- www.siragon.com - GET /
• 20:48:56 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /index.php?a=aWt5cmphYj1sYyZ0aW1lPTE0MDUyNDIwNDY1NzMzMjQ2ODEmc3JjPTE0NCZzdXJsPXd3dy5
  zaXJhZ29uLmNvbSZzcG9ydD04MCZrZXk9ODQzMURBRUEmc3VyaT0v
• 20:48:56 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /favicon.ico
• 20:48:57 UTC - g07a1kxcnp83x1z21fjvqtw514453c24ac08a0a332387057f2f90f0b.parfumleri.org - GET /index2.php
• 20:48:57 UTC - g07a1kxcnp83x1z21fjvqtw514453c24ac08a0a332387057f2f90f0b.parfumleri.org - GET /favicon.ico
• 20:48:58 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/allow.php
• 20:48:59 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/js/pd.php?id=67303761316b78636e70383378317a3231666a767174773531343435336
  332346163303861306133333233383730353766326639306630622e70617266756d6c6572692e6f7267
• 20:49:03 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - POST /tresting/avalonr/json.php
• 20:49:04 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/msie.php
• 20:49:04 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/silver.php
• 20:49:04 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/javadb.php
• 20:49:04 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/flash2014.php
• 20:49:04 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/include/e30fb108517a9a177b8b213e16ebd5dc.eot
• 20:49:11 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/include/43519600de860a49e6a0edfd9381a06c.eot
• 20:49:12 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/loadsilver.php
• 20:49:27 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/include/80b0549f943d2738d375c9abf115882c.jar
• 20:49:27 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/include/80b0549f943d2738d375c9abf115882c.jar
• 20:49:28 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /tresting/avalonr/loaddb.php
• 20:49:32 UTC - 188.165.222.149:51633 - GET /stat?uid=100&downlink=1111&uplink=1111&id=007C5FCD&statpass=bpass&version=20140524&features=30&guid=799
  ede46-787e-4313-b27d-440fb347435c&comment=20140524&p=0&s=
• 20:49:32 UTC - 188.165.222.149:17326 - [post-infection callback traffic starts here and continues]
• 20:49:40 UTC - i5ntv90tcina5rkmtwbcqim.adultseohosting.com - GET /adsort.php?yy=1&aid=2&atr=exts&src=144
• 20:49:40 UTC - i5ntv90tcina5rkmtwbcqim.adultseohosting.com - GET /favicon.ico
• 20:49:40 UTC - i5ntv90tcina5rkmtwbcqim.adultseohosting.com - GET /adsort.php?zz=1&aid=2&atr=exts&src=144
• 20:49:40 UTC - i5ntv90tcina5rkmtwbcqim.adultseohosting.com - GET /4/
• 20:49:41 UTC - adultfriendfinder.com - GET /go/p1011105.subdirs
• 20:49:41 UTC - adultfriendfinder.com - GET /go/page/landing_page_68?nid=18&layout=qna&pid=p1011105.subdirs&ip=auto&no_click=1&alpo_redirect=1
• 20:50:17 UTC - g07a1kxcnp83x1z21fjvqtw.parfumleri.org - GET /software.php?05242050264107146

 

PRELIMINARY MALWARE ANALYSIS

• 2014-05-24-FlashPack-EK-java-exploit.jar - 10.2 KB ( 10408 bytes ) - MD5: ad97fb241a7f8ec33d36a7735e5693d7 - Virus Total link
• 2014-05-24-FlashPack-EK-silverlight-exploit.xap - 21.8 KB ( 22319 bytes ) - MD5: 0fdf64c3cdd5d592fdb357fbba5efeec - Virus Total link
• 2014-05-24-FlashPack-EK-malware-01.dll - 13.0 KB ( 13312 bytes ) - MD5: e228b3f343d76393e504600cf3c295be - Virus Total link / Malwr link
• 2014-05-24-FlashPack-EK-malware-02.exe - 84.1 KB ( 86149 bytes ) - MD5: 0950dc10024e19d20dc418338dff84f0 - Virus Total link / Malwr link
• 2014-05-24-FlashPack-EK-malware-03.exe - 155.7 KB ( 159479 bytes ) - MD5: 29c5bd6f89b2b84aa36112009d7d690c - Virus Total link / Malwr link

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion):

Emerging Threats ruleset

• 2014-05-24 20:48:56 UTC - 192.168.204.215:50690 - 62.212.128.199:80 - ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
• 2014-05-24 20:48:57 UTC - 192.168.204.215:54049 - 192.168.204.2:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound) (sid:2018276)
• 2014-05-24 20:48:57 UTC - 192.168.204.215:54049 - 192.168.204.2:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (sid:2018275)
• 2014-05-24 20:48:59 UTC - 192.168.204.215:50690 - 62.212.128.199:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack URI with Windows Plugin-Detect Data (sid:2017812)
• 2014-05-24 20:49:00 UTC - 62.212.128.199:80 - 192.168.204.215:50690 - ET CURRENT_EVENTS Angler Landing Page Feb 24 2014 (sid:2018171)
• 2014-05-24 20:49:04 UTC - 62.212.128.199:80 - 192.168.204.215:50690 - ET CURRENT_EVENTS DRIVEBY FlashPack 2013-2551 May 13 2014 (sid:2018469)
• 2014-05-24 20:49:04 UTC - 192.168.204.215:50694 - 62.212.128.199:80 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php (sid:2018238)
• 2014-05-24 20:49:04 UTC - 192.168.204.215:50695 - 62.212.128.199:80 - ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash2014.php (sid:2018471)
• 2014-05-24 20:49:04 UTC - 62.212.128.199:80 - 192.168.204.215:50693 - ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight Secondary Landing (sid:2018236)
• 2014-05-24 20:49:04 UTC - 192.168.204.215:50693 - 62.212.128.199:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot (sid:2016155)
• 2014-05-24 20:49:12 UTC - 192.168.204.215:50696 - 62.212.128.199:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack Payload (sid:2017813)
• 2014-05-24 20:49:13 UTC - 62.212.128.199:80 - 192.168.204.215:50696 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
• 2014-05-24 20:49:27 UTC - 192.168.204.215:50698 - 62.212.128.199:80 - ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii (sid:2014751)
• 2014-05-24 20:49:32 UTC - 192.168.204.215:50699 - 188.165.222.149:51633 - ET TROJAN Win32/Glupteba CnC Checkin (sid:2013293)

Sourcefire VRT ruleset

• 2014-05-24 20:48:57 UTC - 192.168.204.215:54049 - 192.168.204.2:53 - BAD-TRAFFIC dns request with long host name segment - possible data exfiltration attempt (sid:30881)
• 2014-05-24 20:49:04 UTC - 62.212.128.199:80 - 192.168.204.215:50690 - EXPLOIT-KIT CritX exploit kit landing page - redirection to Microsoft Internet Explorer exploit (sid:30966)
• 2014-05-24 20:49:04 UTC - 192.168.204.215:50694 - 62.212.128.199:80 - EXPLOIT-KIT CritX exploit kit outbound request for Oracle Java landing page (sid:30971)
• 2014-05-24 20:49:04 UTC - 192.168.204.215:50695 - 62.212.128.199:80 - EXPLOIT-KIT CritX exploit kit outbound request for Adobe Flash landing page (sid:30970)
• 2014-05-24 20:49:04 UTC - 62.212.128.199:80 - 192.168.204.215:50693 - EXPLOIT-KIT CritX exploit kit landing page - redirection to font exploit (sid:30968)
• 2014-05-24 20:49:04 UTC - 62.212.128.199:80 - 192.168.204.215:50695 - EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit (sid:30967)
• 2014-05-24 20:49:12 UTC - 192.168.204.215:50696 - 62.212.128.199:80 - EXPLOIT-KIT CritX exploit kit payload request (sid:30973)
• 2014-05-24 20:49:13 UTC - 62.212.128.199:80 - 192.168.204.215:50696 - EXPLOIT-KIT CritX exploit kit payload download attempt (sid:29167)
• 2014-05-24 20:49:13 UTC - 62.212.128.199:80 - 192.168.204.215:50696 - EXPLOIT-KIT CritX exploit kit Portable Executable download (sid:24791)
• 2014-05-24 20:49:13 UTC - 62.212.128.199:80 - 192.168.204.215:50696 - EXPLOIT-KIT Multiple exploit kit payload download (sid:28593)
• 2014-05-24 20:49:27 UTC - 62.212.128.199:80 - 192.168.204.215:50698 - EXPLOIT-KIT Multiple exploit kit jar file download attempt (sid:27816)
• 2014-05-24 20:49:27 UTC - 192.168.204.215:50698 - 62.212.128.199:80 - EXPLOIT-KIT CritX exploit kit outbound jar request (sid:29165)
• 2014-05-24 20:49:28 UTC - 62.212.128.199:80 - 192.168.204.215:50697 - EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (sid:25042)
• 2014-05-24 20:49:32 UTC - 192.168.204.215:50699 - 188.165.222.149:51633 - MALWARE-CNC Win.Trojan.Jaik variant outbound connection (sid:30977)

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAPs:  2014-05-24-FlashPack-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-24-FlashPack-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.