2014-06-16 - FLASHPACK EK FROM - 46.21.159.160 - CHANGE IN URL PATTERNS
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-06-16-FlashPack-EK-both-pcaps.zip
- ZIP of the malware: 2014-06-16-FlashPack-EK-malware.zip
NOTES:
- This week marks a change in URL patterns used by FlashPack EK (CritX EK).
- The first run used a VM with Windows 7, IE 8, Java 6 update 25, and Flash 11.8.800.94.
- The second run used a VM with Windows 7, IE 11, Java 7 update 51, and Flash 13.0.0.182.
- The same CVE-2014-0515 exploit was sent both times, and the first run had an additional Flash exploit.
CHAIN OF EVENTS
FIRST RUN (TWO DIFFERENT FLASH EXPLOITS):
- 15:10:32 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/epressurel.php
- 15:10:32 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/imanso.js
- 15:10:33 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/qbuildz.php
- 15:10:34 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/ureceptionb.php
- 15:10:34 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/zbreaths.php
- 15:10:34 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/ysuni.php
- 15:10:35 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/mmentionk/ccdedf.swf
- 15:10:35 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/mmentionk/392c2e.js
- 15:10:36 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/mmentionk/def42.swf
- 15:10:47 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/oplateg.php?id=4 [malware payload]
- 15:10:51 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/nideax.php [malware payload]
- 15:10:55 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/sscreamedz.php
SECOND RUN (CVE-2014-0515 FLASH EXPLOIT ONLY):
- 20:41:29 UTC - 46.21.159.160 - vuileto.dugera.com - GET /appentest/oconditionsg/epressurel.php
- 20:41:29 UTC - 46.21.159.160 - vuileto.dugera.com - GET /appentest/oconditionsg/imanso.js
- 20:41:31 UTC - 46.21.159.160 - vuileto.dugera.com - GET /appentest/oconditionsg/ysuni.php
- 20:41:33 UTC - 46.21.159.160 - vuileto.dugera.com - GET /appentest/oconditionsg/mmentionk/203820.swf
- 20:41:35 UTC - 46.21.159.160 - vuileto.dugera.com - GET /appentest/oconditionsg/oplateg.php?id=4 [malware payload]
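The two runs above are what make the new URL pattern visible: different hostnames, the same /appentest/oconditionsg/ prefix, lowercase-word .php and .js names, and hex-named .swf files under a third directory. The following Python script is an added example (not code from this site or its author) that parses request lines in the format of the chain of events, flags paths matching that shape, and reduces each path to a template so the two runs can be compared. The log lines are a constructed subset of the requests listed above plus one benign request; the line format is an assumption modelled on this post, not a pcap parser.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the requests logged in this post (both runs)
# plus one unrelated benign request. The line format mirrors the chain of
# events above; it is assumed, not a real pcap or proxy log format.
SAMPLE_LOG = """\
15:10:32 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/epressurel.php
15:10:32 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/imanso.js
15:10:35 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/mmentionk/ccdedf.swf
15:10:36 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/mmentionk/def42.swf
15:10:47 UTC - 46.21.159.160 - vuileto.heribertomartinez.com - GET /appentest/oconditionsg/oplateg.php?id=4
20:41:29 UTC - 46.21.159.160 - vuileto.dugera.com - GET /appentest/oconditionsg/epressurel.php
20:41:33 UTC - 46.21.159.160 - vuileto.dugera.com - GET /appentest/oconditionsg/mmentionk/203820.swf
20:41:35 UTC - 46.21.159.160 - vuileto.dugera.com - GET /appentest/oconditionsg/oplateg.php?id=4
10:00:00 UTC - 192.0.2.10 - www.example.com - GET /index.html
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d UTC) - (?P<ip>[\d.]+) - (?P<host>\S+) - GET (?P<url>\S+)$"
)

# Generalisation of the path shape seen in both runs: two lowercase-word
# directories, then either <word>.php (optionally ?id=<n>), <word>.js, or a
# third lowercase-word directory holding a hex-named .swf.
FLASHPACK_PATH_RE = re.compile(
    r"^/[a-z]+/[a-z]+/(?:[a-z]+\.php(?:\?id=\d+)?|[a-z]+\.js|[a-z]+/[0-9a-f]+\.swf)$"
)


def parse_log(text):
    """Return one dict per line that matches the chain-of-events line format."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            requests.append(m.groupdict())
    return requests


def is_flashpack_url(url):
    """True if the request path matches the June 2014 FlashPack URL shape."""
    return FLASHPACK_PATH_RE.match(url) is not None


def url_template(url):
    """Replace the variable final component of a path with a placeholder.

    Directories are kept literal (they are the stable part of the pattern);
    the file stem becomes <hex> for hex-only names (the .swf exploit files)
    or <word> for lowercase names; digits in the query string become <n>.
    A purely alphabetic stem made only of a-f letters would read as <hex>.
    """
    path, _, query = url.partition("?")
    head, _, name = path.rpartition("/")
    stem, _, ext = name.rpartition(".")
    if re.fullmatch(r"[0-9a-f]+", stem):
        stem = "<hex>"
    elif re.fullmatch(r"[a-z]+", stem):
        stem = "<word>"
    template = f"{head}/{stem}.{ext}" if ext else f"{head}/{stem}"
    if query:
        template += "?" + re.sub(r"\d+", "<n>", query)
    return template


def templates_by_host(requests):
    """Map each host to the set of URL templates it served (flagged URLs only)."""
    seen = defaultdict(set)
    for r in requests:
        if is_flashpack_url(r["url"]):
            seen[r["host"]].add(url_template(r["url"]))
    return dict(seen)


def shared_templates(requests):
    """Templates every flagged host served: the stable part of the pattern."""
    per_host = templates_by_host(requests)
    if not per_host:
        return set()
    return set.intersection(*per_host.values())


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for host, templates in templates_by_host(reqs).items():
        print(host)
        for t in sorted(templates):
            print("   ", t)
    print("shared across hosts:", sorted(shared_templates(reqs)))
```

Note that the URL alone does not identify the payload requests reliably: the page labels oplateg.php?id=4 and nideax.php as payloads by their content, and nideax.php has no query string to key on, which is why the Snort rules listed below fire on the executable download itself rather than on the path.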
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOITS
File name: 2014-06-16-FlashPack-EK-CVE-2014-0515-exploit.swf
File size: 9.9 KB ( 10178 bytes )
MD5 hash: 7f8e224bae0ea77e31a5416c334db1c3
Detection ratio: 0 / 54
First submission: 2014-06-16 17:56:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/aac79703c11fb1102567192a42c074ccc374444460800adcd0bb32a10cb2f888/analysis/
File name: 2014-06-16-FlashPack-EK-other-flash-exploit.swf
File size: 37.0 KB ( 37896 bytes )
MD5 hash: 3aa1810f0cf2a3de235ab68767109646
Detection ratio: 0 / 53
First submission: 2014-06-10 13:47:30 UTC
VirusTotal link: https://www.virustotal.com/en/file/f32609d680b7215e92ae9b3f27338dc0e9125232e798fcabdd634265cebd1c6d/analysis/
MALWARE PAYLOADS
File name: 2014-06-16-FlashPack-EK-malware-payload-first-run.exe
File size: 94.0 KB ( 96256 bytes )
MD5 hash: 0b486b4be80a643f54740d5d9d520202
Detection ratio: 20 / 54
First submission: 2014-06-16 06:44:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/9b56c2c6562a03f50546d2ab718b3b67a9df0deecf102d5b9ca0822ea729fbd5/analysis/
File name: 2014-06-16-FlashPack-EK-malware-payload-second-run.exe
File size: 94.5 KB ( 96768 bytes )
MD5 hash: ecf006f89024fefd237a3da4a93c7107
Detection ratio: 7 / 54
First submission: 2014-06-16 21:09:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/190c80a5b3d115b5e38aa7161765030ee67fd18e51fb53ae57360c41ce62fa78/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets:
- 2014-06-16 20:41:37 UTC - 46.21.159.160:80 - 172.16.253.136:49401 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
Sourcefire VRT ruleset:
- 2014-06-16 20:41:37 UTC - 46.21.159.160:80 - 172.16.253.136:49401 - EXPLOIT-KIT CritX exploit kit Portable Executable download (sid:24791)
- 2014-06-16 20:41:37 UTC - 46.21.159.160:80 - 172.16.253.136:49401 - EXPLOIT-KIT CritX exploit kit payload download attempt (sid:28593)
- 2014-06-16 20:41:37 UTC - 46.21.159.160:80 - 172.16.253.136:49401 - EXPLOIT-KIT Multiple exploit kit payload download (sid:29167)
NOTE: These Snort events were taken from Sguil on Security Onion
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-16-FlashPack-EK-both-pcaps.zip
- ZIP of the malware: 2014-06-16-FlashPack-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.