2014-07-30 - FLASHPACK EK FROM 85.159.214.181
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-07-30-FlashPack-EK-traffic.pcap.zip
- ZIP of the malware: 2014-07-30-FlashPack-EK-malware.zip
NOTES:
- This is similar to traffic noted last week on 2014-07-23, with another appearance by apps.emol.com leading to FlashPack EK.
- This FlashPack EK traffic appears to be part of of Operation Windigo delivering a Glupteba payload.
- For more information about Operation Windigo, ESET published a report avaialable here.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 50.57.89.29 - www.vivedescuentos.com - Web page with javascript pointing to apps.emol.com
- 184.154.117.170 - apps.emol.com - Has javascript that points to Cushion redirect
- 77.78.104.154 - zed59sfa61v1v3es42ysn7p.akillicihaz.com - Cushion redirect
- 77.78.104.154 - zed59sfa61v1v3es42ysn7p535453e1b9804837d42bb497bfd9deeaf.akillicihaz.com - Cushion redirect
- 85.159.214.181 - 85.159.214.181 - FlashPack EK
- 79.136.118.230 - 79.136.118.230 - Post-infection Glupteba traffic
WEBSITE AND REDIRECT CHAIN:
- 20:17:47 UTC - 172.16.165.136:49184 - 50.57.89.29:80 - www.vivedescuentos.com - GET /7506-Alisado-Keratina-o-Brasil-Cacau-Esmaltado
- 20:18:01 UTC - 172.16.165.136:49201 - 184.154.117.170:80 - apps.emol.com - GET /social/reads/js/embed_browse.js?v=123
- 20:18:01 UTC - 172.16.165.136:49201 - 184.154.117.170:80 - apps.emol.com - GET /social/reads/external_browse.html?redirect=yes&0.6414275233498099
- 20:18:01 UTC - 172.16.165.136:49201 - 184.154.117.170:80 - apps.emol.com - GET /social/reads/js/base64.js
- 20:18:02 UTC - 172.16.165.136:49225 - 77.78.104.154:80 - zed59sfa61v1v3es42ysn7p.akillicihaz.com - GET /index.php?e=anM9MSZrdW1yYWt1bz1udGpt
dXl2aXpwJnRpbWU9MTQwNzMwMTkzMDEyNzM1MzMzOTkmc3JjPTM1NCZzdXJsPWFwcHMuZW1vbC5jb20mc3BvcnQ9ODAma2V5PTExQkEwRDU1Jn
N1cmk9L3NvY2lhbC9yZWFkcy9qcy9iYXNlNjQuanM= - 20:18:03 UTC - 172.16.165.136:49233 - 77.78.104.154:80 - zed59sfa61v1v3es42ysn7p535453e1b9804837d42bb497bfd9deeaf.akillicihaz.com - GET /index2.php
FLASHPACK EK:
- 20:18:04 UTC - 172.16.165.136:49234 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/tusedy.php
- 20:18:04 UTC - 172.16.165.136:49234 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/ca9edc3.js
- 20:18:04 UTC - 172.16.165.136:49236 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lbridlingq.js
- 20:18:05 UTC - 172.16.165.136:49234 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/naloftr.php
- 20:18:05 UTC - 172.16.165.136:49236 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/qopenedp.php
- 20:18:05 UTC - 172.16.165.136:49238 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/fslammedg.php
- 20:18:05 UTC - 172.16.165.136:49237 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/sfollowedr.php
- 20:18:05 UTC - 172.16.165.136:49236 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/tcareenedn.php
- 20:18:05 UTC - 172.16.165.136:49239 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/2c9ebb8.js
- 20:18:05 UTC - 172.16.165.136:49234 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/023a55.js
- 20:18:05 UTC - 172.16.165.136:49238 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/787e6c.js
- 20:18:05 UTC - 172.16.165.136:49237 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/af0df9.js
- 20:18:05 UTC - 172.16.165.136:49240 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/b1344ef.js
- 20:18:06 UTC - 172.16.165.136:49236 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lodxscarredy.php [!]
- 20:18:09 UTC - 172.16.165.136:49234 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/ae6625.swf
- 20:18:10 UTC - 172.16.165.136:49239 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/da29ddf8.swf
- 20:18:10 UTC - 172.16.165.136:49238 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/4da414e8.swf
- 20:18:18 UTC - 172.16.165.136:49237 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lodpdanglingn.php?id=4 [!]
- 20:18:19 UTC - 172.16.165.136:49240 - 85.159.214.181;80 - 85.159.214.181 - GET /kafecodes/kholdq/lodgtodayo.php [!]
- 20:18:36 UTC - 172.16.165.136:49243 - 85.159.214.181:80 - 85.159.214.181 - GET /kafecodes/kholdq/lspinq/d479f.jar
NOTE: Items marked [!] show where the same mawlare payload was delivered three different times.
POST-INFECTION TRAFFIC:
- 20:18:14 UTC - 172.16.165.136:49241 - 79.136.118.230:49649 - GET /stat?uid=100&downlink=1111&uplink=1111&id=000563C1&statpass=bpass&version=20140728&
features=30&guid=05555432-4b9a-4677-8898-4d9b1227d5e9&comment=20140728&p=0&s= - 20:18:14 UTC - 172.16.165.136:49242 - 79.136.118.230:31632 - Glupteba post-infection traffic
- 20:19:01 UTC - 172.16.165.136:49271 - 79.136.118.230:31632 - Glupteba post-infection traffic
- 20:19:02 UTC - 172.16.165.136:49272 - 174.143.144.69:25 - attempted connection (reset by the server)
- 20:19:06 UTC - 172.16.165.136:49273 - 108.163.195.218:25 - attempted connection (reset by the server)
- 20:19:09 UTC - 172.16.165.136:49274 - 108.163.201.138:25 - attempted connection (reset by the server)
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOITS:
File name: 2014-07-30-FlashPack-EK-flash-file-01.swf
File size: 8.2 KB ( 8441 bytes )
MD5 hash: 9866d0a1b2d0f205360527d946c77bf9
Detection ratio: 2 / 53
First submission: 2014-07-24 15:55:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/77d1f577a4cd5ab0d18d8bfc17d68a8675dc64b00f0096029458c67cade81038/analysis/
File name: 2014-07-30-FlashPack-EK-flash-file-02.swf
File size: 30.8 KB ( 31523 bytes )
MD5 hash: e36b70bb2c75567c4b4b0e2f4cc362ad
Detection ratio: 0 / 54
First submission: 2014-07-24 23:13:09 UTC
VirusTotal link: https://www.virustotal.com/en/file/8acd5e17b2590cbf06d32f25bbf05cb5198d90625ab44b55c5225b1d576033ef/analysis/
File name: 2014-07-30-FlashPack-EK-flash-file-03.swf
File size: 12.3 KB ( 12591 bytes )
MD5 hash: 2ee1220d578db6b95f8824f0cb03307e
Detection ratio: 0 / 54
First submission: 2014-07-30 15:16:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/07cccaec080423f9241756bd973cb1b68ee594d8039187dd49c41a86ae44d38d/analysis/
JAVA EXPLOIT:
File name: 2014-07-30-FlashPack-EK-java-exploit.jar
File size: 30.6 KB ( 31350 bytes )
MD5 hash: a18e120035dcf62892f3f8f722a928e2
Detection ratio: 11 / 54
First submission: 2014-07-29 23:35:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/1a45e43d99dcca04191f5c286ec51993fe1e92a6d3363ae49e685968641118e5/analysis/
MALWARE PAYLOAD:
File name: 2014-07-30-FlashPack-EK-malware-payload.exe
File size: 79.1 KB ( 81036 bytes )
MD5 hash: 7ffe399a1643ab5a1b149cc4b9569d60
Detection ratio: 8 / 54
First submission: 2014-07-30 20:48:17 UTC
VirusTotal link: https://www.virustotal.com/en/file/1fb60e18b73fa3a241afee850f5f0fb3bcde19dfa27f0a2467cfbae5f80459ad/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion:
- 20:18:02 UTC - 172.16.165.136:49225 - 77.78.104.154 - ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
- 20:18:02 UTC - 172.16.165.136:59775 - 172.16.165.2:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound) (sid:2018276)
- 20:18:02 UTC - 172.16.165.136:59775 - 172.16.165.2:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (sid:2018275)
- 20:18:04 UTC - 172.16.165.136:49234 - 85.159.214.181:80 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack URI Struct June 19, 2014 2 (sid:2808213)
- 20:18:04 UTC - 85.159.214.181:80 - 172.16.165.136:49234 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 28 2014 (sid:2018794)
- 20:18:04 UTC - 85.159.214.181:80 - 172.16.165.136:49234 - ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String (sid:2012205)
- 20:18:05 UTC - 85.159.214.181:80 - 172.16.165.136:49236 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE Exploit (sid:2018795)
- 20:18:05 UTC - 85.159.214.181:80 - 172.16.165.136:49236 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Java Exploit (sid:2018796)
- 20:18:06 UTC - 85.159.214.181:80 - 172.16.165.136:49236 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
- 20:18:14 UTC - 172.16.165.136:49241 - 79.136.118.230:49649 - ET TROJAN Win32/Glupteba CnC Checkin (sid:2013293)
- 20:18:18 UTC - 172.16.165.136:49237 - 85.159.214.181:80 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack Possible Paylod URI Struct June 18, 2014 (sid:2808209)
Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:
- 20:18:01 UTC - 172.16.165.2:53 - 172.16.165.136:55314 - [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority
- 20:18:05 UTC - 85.159.214.181:80 - 172.16.165.136:49236 - [1:23878:8] BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt
- 20:18:06 UTC - 85.159.214.181:80 - 172.16.165.136:49236 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
- 20:18:06 UTC - 85.159.214.181:80 - 172.16.165.136:49236 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
- 20:18:06 UTC - 85.159.214.181:80 - 172.16.165.136:49236 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 20:18:06 UTC - 85.159.214.181:80 - 172.16.165.136:49236 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 20:18:06 UTC - 85.159.214.181:80 - 172.16.165.136:49236 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 20:18:14 UTC - 172.16.165.136:49241 - 79.136.118.230:49649 - [1:30977:1] MALWARE-CNC Win.Trojan.Jaik variant outbound connection
- 20:18:18 UTC - 85.159.214.181:80 - 172.16.165.136:49237 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download (x2)
- 20:18:18 UTC - 85.159.214.181:80 - 172.16.165.136:49237 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
- 20:18:18 UTC - 85.159.214.181:80 - 172.16.165.136:49237 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download (x2)
- 20:18:18 UTC - 85.159.214.181:80 - 172.16.165.136:49237 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 20:18:18 UTC - 85.159.214.181:80 - 172.16.165.136:49237 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x2)
- 20:18:19 UTC - 85.159.214.181:80 - 172.16.165.136:49240 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
- 20:18:19 UTC - 85.159.214.181:80 - 172.16.165.136:49240 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
- 20:18:19 UTC - 85.159.214.181:80 - 172.16.165.136:49240 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 20:18:19 UTC - 85.159.214.181:80 - 172.16.165.136:49240 - [1:11192:16] FILE-EXECUTABLE download of executable content (x2)
- 20:18:19 UTC - 85.159.214.181:80 - 172.16.165.136:49240 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
CHAIN OF EVENTS FROM THE ORIGINAL WEBSITE TO FLASHPACK EK
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-07-30-FlashPack-EK-traffic.pcap.zip
- ZIP of the malware: 2014-07-30-FlashPack-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.