2014-06-18 - FAKE FLASH INSTALLER HOSTED ON 191.238.33.50 - UPDATEPLUGIN.AZUREWEBSITES.NET

ASSOCIATED FILES:

• ZIP of PCAP(s):  2014-06-18-fake-Flash-installer-both-pcaps.zip
• ZIP of the malware:  2014-06-18-fake-Flash-installer-malware.zip

BLOG ENTRIES SINCE I STARTED KEEPING TRACK:

• 2014-04-24 - fake Flash update from 217.26.210.127 (www.wizardcomputers.rs) points to malware on Microsoft OneDrive IP
• 2014-04-28 - fake Flash updater hosted on Microsoft OneDrive IP addresses
• 2014-04-29 - Today's fake Flash updater hosted on Microsoft OneDrive
• 2014-05-03 - Another fake Flash updater hosted on Microsoft OneDrive
• 2014-05-11 - Today's fake Flash updater hosted on Microsoft OneDrive
• 2014-05-14 - Today's fake Flash updater hosted on Microsoft OneDrive
• 2014-05-17 - fake Flash updater hosted on 23.91.112.4 - preud-homme.be
• 2014-05-19 - fake Flash updater hosted on dl.dropboxusercontent.com
• 2014-06-13 - fake Flash updater hosted on Google Drive
• 2014-06-18 - fake Flash installer hosted on 191.238.33.50 - updateplugin.azurewebsites.net

 

TODAY'S TRAFFIC EXAMPLE

compromised website --> fake Flash updater notice --> site hosting the malware
lapelsa.com.ar --> bolsadelavivienda.com --> updateplugin.azurewebsites.net

• 16:06:57 UTC - 192.168.204.241:49221 - 198.57.157.212:80 - lapelsa.com.ar - GET /
• 16:06:58 UTC - 192.168.204.241:49227 - 217.76.130.172:80 - bolsadelavivienda.com - GET /cy4qzd2j.php?id=88831479
• 16:06:59 UTC - 192.168.204.241:49227 - 217.76.130.172:80 - bolsadelavivienda.com - GET /cy4qzd2j.php?69571ec4b9a5f1a701bb87f23580f164f
• 16:06:59 UTC - 192.168.204.241:49227 - 217.76.130.172:80 - bolsadelavivienda.com - GET /checker.php
• 16:07:03 UTC - 192.168.204.241:49231 - 191.238.33.50:80 - updateplugin.azurewebsites.net - GET /FlashInstaller.exe

 

TRAFFIC FROM SANDBOX ANALYSIS OF THE MALWARE

• 16:20:51 UTC - 192.168.56.101:1035 - 193.105.210.32:80 - domaintomakeit.com - POST /unecheitd/8732593/index.php
• 16:20:56 UTC - 192.168.56.101:1036 - 23.91.112.4:80 - preud-homme.be - GET /agivenlike.exe
• 16:21:00 UTC - 192.168.56.101:1037 - 23.91.112.4:80 - preud-homme.be - GET /yoshowstra.exe
• 16:21:14 UTC - 192.168.56.101:1040 - 23.91.112.4:80 - preud-homme.be - GET /griyeacomours.exe
• 16:21:20 UTC - 192.168.56.101:1044 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?cE555531=%96%97%[long string]
• 16:21:22 UTC - 192.168.56.101:1046 - 5.149.248.153:80 - report.e1793skuo17myws9e1.com - POST /
• 16:21:23 UTC - 192.168.56.101:1047 - 5.149.248.153:80 - update1.wxyc7rv.com - GET /?ry=kaejnZmllWNmqKuqmZvWqG[long string]
• 16:21:23 UTC - 192.168.56.101:1048 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?1oC3sK943=%96%97%[long string]
• 16:21:24 UTC - 192.168.56.101:1049 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?IQ7w20=%96%97%A3%[long string]
• 16:21:24 UTC - 192.168.56.101:1050 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?1a93e17=%96%97%A3%[long string]
• 16:21:24 UTC - 192.168.56.101:1051 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?17aA1k958=%96%97%[long string]
• 16:21:24 UTC - 192.168.56.101:1052 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?79a179s55=%96%97%[long string]
• 16:21:30 UTC - 192.168.56.101:1053 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?k9y1cE16=%96%97%[long string]
• 16:21:40 UTC - 192.168.56.101:1057 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?9e1a9k109=%96%97%[long string]
• 16:21:43 UTC - 192.168.56.101:1058 - 109.162.29.108:80 - carbon-flx.su - GET /b/shoe/54607
• 16:21:51 UTC - 192.168.56.101:1061 - 204.79.197.200:80 - www.bing.com - GET /chrome/report.html?W93y=%9B%EE%[long string]
• 16:21:52 UTC - 192.168.56.101:1062 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?oCEIQ325=%96%97%[long string]
• 16:21:52 UTC - 192.168.56.101:1063 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?AAA757=%96%97%[long string]
• 16:21:52 UTC - 192.168.56.101:1065 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?MY1c63=%96%97%[long string]
• 16:21:52 UTC - 192.168.56.101:1066 - 146.0.75.221:80 - report.e1793skuo17myws9e1.com - GET /?9o17mY118=%96%[long string]
• 16:22:01 UTC - 192.168.56.101:1070 - 109.162.29.108:80 - carbon-flx.su - GET /b/shoe/54607
• 16:22:05 UTC - 192.168.56.101:1071 - 213.159.245.122:80 - orion-baet.su - GET /pho-caguestbook-http49.74/jquery/
• 16:23:24 UTC - 192.168.56.101:1035 - 195.140.229.55:80 - orion-baet.su - GET /uni-terevolutionq-http91.74/soft32.dll
• 16:23:28 UTC - 192.168.56.101:1037 - 109.162.119.5:80 - vision-vaper.su - GET /b/eve/23fd50ad28cc0f585c12db83

 

PRELIMINARY MALWARE ANALYSIS

FAKE FLASH UPDATER:

File name:  FlashInstaller.exe
File size:  179.3 KB ( 183632 bytes )
MD5 hash:  ae9769ed150f23d1ad1089ce8d4a7a30
Detection ratio:  21 / 54
First submission:  2014-06-17 13:24:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8e3be02eadc2cbe899bef97f83218212ed428454efb63f21e9b7f5bd07996654/analysis/
Malwr link:  https://malwr.com/analysis/NGM1MzA2NjY4OTExNDRjOTkwMDdlNGMyOTNlOWExNWU/

 

FOLLOW-UP MALWARE FROM MALWR.COM ANALYSIS PCAP:

• agivenlike.exe   -   MD5: 69e97e6a262d2870d507107ba7340e76   -   Virus Total link   -   Malwr link
• griyeacomours.exe   -   MD5: a602104d4d4e335b59ba54c657f9d410   -   Virus Total link   -   Malwr link
• yoshowstra.exe   -   MD5: 45b96b1cf36a6e506219325c780188f2   -   Virus Total link   -   Malwr link
• exe.exe   -   MD5: ef09928b472aea044a3404edf75418db   -   Virus Total link   -   Malwr link

 

SNORT EVENTS

SNORT EVENTS FOR THE INITIAL TRAFFIC (from Sguil on Security Onion):

• 192.168.204.241:49221 - 198.57.157.212:80 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag (sid:2018053)

 

FROM TCPREPLAY ON PCAP FROM MALWR.COM:

• 192.168.56.101:1035 - 193.105.210.32:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
• 192.168.56.101:1035 - 193.105.210.32:80 - MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (sid:27919)

 

SCREENSHOTS FROM THE TRAFFIC

Compromised website (lapelsa.com.ar):

 

First HTTP GET request to the fake Flash notification domain (bolsadelavivienda.com):

 

Second HTTP GET request to the fake Flash notification domain that contains link to the malware:

 

HTTP GET request to retrieve the fake Flash installer:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAPs:  2014-06-18-fake-Flash-installer-both-pcaps.zip
• ZIP of the malware:  2014-06-18-fake-Flash-installer-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.