2014-08-08 - FLASHPACK EK FROM 77.78.104.96 - 6MUY8SQJBPWDYU1W15V11FW.CASAECLECTICA.COM.MX
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-08-08-FlashPack-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-08-08-FlashPack-EK-malware.zip
NOTES:
- More FlashPack EK traffic that's part of Operation Windigo delivering a Glupteba-style payload.
- The Flash exploits are the same as the last week or two.
- For more information about Operation Windigo, ESET published a report available here.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 77.78.104.96 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - FlashPack EK
- 192.71.151.14 - no domain name - Glupteba callback traffic
FLASHPACK EK:
- 14:01:01 UTC - 192.168.204.141:49177 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /index.php?f=bWlzemV5aD1tcXlkaHMmdGltZT0xNDA4MDgxMTE4ODIzMDk5MjE5JnNyYz0xNzcmc3VybD13d3cucHJpbWVoZWFsdGhjaGFubmVsLmNvbSZzcG9ydD04MCZrZXk9QjM3RjFFQkMmc3VyaT0v
- 14:01:03 UTC - 192.168.204.141:49178 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw717753ed9df972e20c82399c210b4a0bd.casaeclectica.com.mx - GET /index2.php
- 14:01:05 UTC - 192.168.204.141:49177 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/cchipse.php
- 14:01:06 UTC - 192.168.204.141:49179 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/cjetsb.js
- 14:01:06 UTC - 192.168.204.141:49177 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lspinq/e5326.js
- 14:01:10 UTC - 192.168.204.141:49177 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/xbaldingg.php
- 14:01:10 UTC - 192.168.204.141:49179 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/cspottedf.php
- 14:01:11 UTC - 192.168.204.141:49180 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/bdraineda.php
- 14:01:11 UTC - 192.168.204.141:49181 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/runceasingr.php
- 14:01:11 UTC - 192.168.204.141:49179 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/ppanelj.php
- 14:01:11 UTC - 192.168.204.141:49182 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lspinq/a56a56a.js
- 14:01:11 UTC - 192.168.204.141:49183 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lspinq/3964a5.js
- 14:01:11 UTC - 192.168.204.141:49180 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lspinq/e728b0d.js
- 14:01:11 UTC - 192.168.204.141:49181 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lspinq/f08bb.js
- 14:01:11 UTC - 192.168.204.141:49179 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lspinq/b9273.js
- 14:01:13 UTC - 192.168.204.141:49182 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lodomeantf.php
- 14:01:20 UTC - 192.168.204.141:49177 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lspinq/f989e14a.swf
- 14:01:24 UTC - 192.168.204.141:49183 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lspinq/76599fd6.swf
- 14:01:24 UTC - 192.168.204.141:49180 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lspinq/5c67118.swf
- 14:01:26 UTC - 192.168.204.141:49181 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lodgstiffn.php?id=4
- 14:02:48 UTC - 192.168.204.141:49193 - 77.78.104.96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica.com.mx - GET /kafecodes/kholdq/lodewhatsp.php
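The f= parameter on the first request in the chain above (the one that trips the ET "Cushion Redirection" signature) is plain base64 wrapping a second query string, which is where the gate records the compromised site that sent the victim in. The script below is an added example, not code from the original post: it rebuilds that request line with the wrapped base64 rejoined and decodes it. The field names it pulls out (surl, sport, suri, src, key) are just what the decoded string contains, not documented FlashPack parameters.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Constructed copy of the first request in the chain above; the base64 is the
# page's own f= value with the line wrap removed.
GATE_REQUEST = (
    "GET /index.php?f="
    "bWlzemV5aD1tcXlkaHMmdGltZT0xNDA4MDgxMTE4ODIzMDk5MjE5"
    "JnNyYz0xNzcmc3VybD13d3cucHJpbWVoZWFsdGhjaGFubmVsLmNvbSZz"
    "cG9ydD04MCZrZXk9QjM3RjFFQkMmc3VyaT0v"
)


def decode_gate_param(value: str) -> dict:
    """Base64-decode an EK gate parameter and parse the result as a query string."""
    # A '+' inside a standard-base64 value comes back as a space after query
    # parsing, and kits often emit URL-safe alphabet and drop the padding;
    # normalise all three before decoding.
    b64 = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    b64 += "=" * (-len(b64) % 4)
    raw = base64.b64decode(b64).decode("ascii", errors="replace")
    return dict(parse_qsl(raw, keep_blank_values=True))


def parse_request_line(line: str) -> dict:
    """Split 'GET /path?query' into method, path and a query dict."""
    method, target = line.split()[:2]
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


def referrer_from_gate(request_line: str) -> dict:
    """Decode the f= gate parameter and reconstruct the referring page."""
    req = parse_request_line(request_line)
    if "f" not in req["query"]:
        raise ValueError("request carries no f= gate parameter")
    fields = decode_gate_param(req["query"]["f"])
    # surl/sport/suri name the site, port and URI the victim was redirected
    # from; they are the only pointer in the pcap back to the compromised page.
    referrer = "http://%s:%s%s" % (
        fields.get("surl", "?"), fields.get("sport", "?"), fields.get("suri", "")
    )
    return {"fields": fields, "referrer": referrer}


if __name__ == "__main__":
    result = referrer_from_gate(GATE_REQUEST)
    for key, val in result["fields"].items():
        print("%-8s %s" % (key, val))
    print("referrer:", result["referrer"])
```

Running it shows the redirect came from www.primehealthchannel.com on port 80, with src=177 matching the src=177 on the later adsort.php request; the key value is per-visit and is not worth blocking on.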
POST-INFECTION REDIRECT TO ADULTFRIENDFINDER.COM:
- 14:01:29 UTC - 192.168.204.141:49184 - 77.78.104.96:80 - fxiy9gdlb8mlwe2j9496di9.ankaraescort.biz - GET /adsort.php?yy=1&aid=2&atr=exts&src=177
- 14:01:30 UTC - 192.168.204.141:49184 - 77.78.104.96:80 - fxiy9gdlb8mlwe2j9496di9.ankaraescort.biz - GET /4/
- 14:01:31 UTC - 192.168.204.141:49187 - 208.88.180.72:80 - adultfriendfinder.com - GET /go/p1011105.subdirs
- 14:01:32 UTC - 192.168.204.141:49187 - 208.88.180.72:80 - adultfriendfinder.com - GET /go/page/landing_page_ffadult_43?pid=p1011105.subdirs&ip=auto&no_click=1&alpo_redirect=1
POST-INFECTION TRAFFIC FROM GLUPTEBA MALWARE:
- 14:01:30 UTC - 192.168.204.141:49185 - 192.71.151.14:60541 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0004BC1D&statpass=bpass&version=20140802&features=30&guid=77588e17-f9d1-4935-ba3b-5c2ef9a23361&comment=20140802&p=0&s=
- 14:01:30 UTC - 192.168.204.141:49186 - 192.71.151.14:19399 - Glupteba callback traffic
- 14:02:32 UTC - 192.168.204.141:49189 - 192.71.151.14 - Glupteba callback traffic
- 14:02:34 UTC - 192.168.204.141:49188 - 173.194.112.116:80 - www.google.com - GET /robots.txt
- 14:02:35 UTC - 192.168.204.141:49190 - 174.143.144.69:25 - attempted connection (RST by server)
- 14:02:38 UTC - 192.168.204.141:49191 - 108.163.195.218:25 - attempted connection (RST by server)
- 14:02:41 UTC - 192.168.204.141:49192 - 184.154.68.186:25 - attempted connection (RST by server)
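Two things in the post-infection list are worth catching without a signature: the /stat check-in to a high, non-HTTP port, and the burst of outbound TCP/25 attempts to unrelated external hosts that follows it. The script below is an added example (not part of the original post) that runs those two checks over log lines in the same layout as the list above; the lines are constructed from that list. Treating the port-25 fan-out as an indicator of a spam-bot role is this example's own assumption; the page only records that the three connections were attempted and reset.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed from the post-infection entries above, same layout as the page.
LOG_LINES = [
    "14:01:30 UTC - 192.168.204.141:49185 - 192.71.151.14:60541 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0004BC1D&statpass=bpass&version=20140802&features=30&guid=77588e17-f9d1-4935-ba3b-5c2ef9a23361&comment=20140802&p=0&s=",
    "14:01:30 UTC - 192.168.204.141:49186 - 192.71.151.14:19399 - Glupteba callback traffic",
    "14:02:32 UTC - 192.168.204.141:49189 - 192.71.151.14 - Glupteba callback traffic",
    "14:02:34 UTC - 192.168.204.141:49188 - 173.194.112.116:80 - www.google.com - GET /robots.txt",
    "14:02:35 UTC - 192.168.204.141:49190 - 174.143.144.69:25 - attempted connection (RST by server)",
    "14:02:38 UTC - 192.168.204.141:49191 - 108.163.195.218:25 - attempted connection (RST by server)",
    "14:02:41 UTC - 192.168.204.141:49192 - 184.154.68.186:25 - attempted connection (RST by server)",
]

# "HH:MM:SS UTC - src:sport - dst[:dport] - <rest>"; the dst port is optional
# because the page omits it on one of the callback entries.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) UTC - (?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? - (?P<rest>.*)$"
)

# Query keys that together characterise the /stat check-in seen above.
STAT_KEYS = {"uid", "statpass", "guid", "version"}
SMTP_FANOUT_MIN = 3            # distinct port-25 targets needed to fire
SMTP_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")   # same-day only
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def is_glupteba_stat_checkin(rec):
    """True for a GET /stat?... whose query carries all of STAT_KEYS."""
    rest = rec["rest"]
    if not rest.startswith("GET /stat?"):
        return False
    query = dict(parse_qsl(urlsplit(rest.split()[1]).query, keep_blank_values=True))
    return STAT_KEYS.issubset(query)


def analyse(lines):
    """Return (finding, host, detail) tuples for check-ins and SMTP fan-out."""
    recs = [r for r in map(parse_line, lines) if r]
    findings = []
    first_checkin = {}          # internal host -> time of its first /stat check-in
    for r in recs:
        if is_glupteba_stat_checkin(r):
            first_checkin.setdefault(r["src"], r["time"])
            findings.append(("glupteba_checkin", r["src"], "%s:%s" % (r["dst"], r["dport"])))
    # Only count SMTP attempts made by a host that already checked in, and only
    # within SMTP_WINDOW of that check-in, to keep a mail server's normal
    # port-25 traffic out of the result.
    for host, t0 in first_checkin.items():
        smtp = [r for r in recs if r["src"] == host and r["dport"] == 25
                and t0 <= r["time"] <= t0 + SMTP_WINDOW]
        targets = sorted({r["dst"] for r in smtp})
        if len(targets) >= SMTP_FANOUT_MIN:
            findings.append(("smtp_fanout_after_checkin", host, ",".join(targets)))
    return findings


if __name__ == "__main__":
    for kind, host, detail in analyse(LOG_LINES):
        print("%-26s %s  %s" % (kind, host, detail))
```

The /robots.txt fetch and the two raw callback entries produce nothing on their own; the first check only fires on the /stat query shape, and the second only fires for a host that has already checked in, so a lone port-25 connection from a legitimate mail relay does not match.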
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOITS
File name: 2014-08-08-FlashPack-EK-flash-exploit-01.swf
File size: 8.2 KB ( 8441 bytes )
MD5 hash: 9866d0a1b2d0f205360527d946c77bf9
Detection ratio: 15 / 54
First submission: 2014-07-24 15:55:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/77d1f577a4cd5ab0d18d8bfc17d68a8675dc64b00f0096029458c67cade81038/analysis/
File name: 2014-08-08-FlashPack-EK-flash-exploit-02.swf
File size: 30.8 KB ( 31523 bytes )
MD5 hash: e36b70bb2c75567c4b4b0e2f4cc362ad
Detection ratio: 13 / 54
First submission: 2014-07-24 23:13:09 UTC
VirusTotal link: https://www.virustotal.com/en/file/8acd5e17b2590cbf06d32f25bbf05cb5198d90625ab44b55c5225b1d576033ef/analysis/
File name: 2014-08-08-FlashPack-EK-flash-exploit-03.swf
File size: 12.3 KB ( 12591 bytes )
MD5 hash: 2ee1220d578db6b95f8824f0cb03307e
Detection ratio: 13 / 54
First submission: 2014-07-30 15:16:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/07cccaec080423f9241756bd973cb1b68ee594d8039187dd49c41a86ae44d38d/analysis/
MALWARE PAYLOAD
File name: 2014-08-08-FlashPack-EK-malware-payload.exe
File size: 78.8 KB ( 80648 bytes )
MD5 hash: 1f28d45f67c10ca73651cc88c5e7a872
Detection ratio: 7 / 54
First submission: 2014-08-08 15:21:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/4600396a62bd5f439e3ab6874943ed9f72371b6d01dbe45de3f7000a85b2e03b/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 14:01:01 UTC - 192.168.204.141:49177 - 77.78.104.96:80 - ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
- 14:01:05 UTC - 192.168.204.141:49177 - 77.78.104.96:80 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack URI Struct June 19, 2014 2 (sid:2808213)
- 14:01:05 UTC - 77.78.104.96:80 - 192.168.204.141:49177 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 28 2014 (sid:2018794)
- 14:01:06 UTC - 77.78.104.96:80 - 192.168.204.141:49177 - ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String (sid:2012205)
- 14:01:09 UTC - 77.78.104.96:80 - 192.168.204.141:49179 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE Exploit (sid:2018795)
- 14:01:09 UTC - 77.78.104.96:80 - 192.168.204.141:49179 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Flash Exploit (sid:2018797)
- 14:01:09 UTC - 77.78.104.96:80 - 192.168.204.141:49179 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Java Exploit (sid:2018796)
- 14:01:13 UTC - 77.78.104.96:80 - 192.168.204.141:49182 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
- 14:01:26 UTC - 192.168.204.141:49181 - 77.78.104.96:80 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack Possible Paylod URI Struct June 18, 2014 (sid:2808209)
- 14:01:30 UTC - 192.168.204.141:49185 - 192.71.151.14:60541 - ET TROJAN Win32/Glupteba CnC Checkin (sid:2013293)
Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:
- 14:01:01 UTC - 192.168.204.2:53 -> 192.168.204.141:various - [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (x5)
- 14:01:07 UTC - 77.78.104.96:80 -> 192.168.204.141:49179 - [1:23878:8] BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt
- 14:01:13 UTC - 77.78.104.96:80 -> 192.168.204.141:49182 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 14:01:13 UTC - 77.78.104.96:80 -> 192.168.204.141:49182 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
- 14:01:13 UTC - 77.78.104.96:80 -> 192.168.204.141:49182 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
- 14:01:13 UTC - 77.78.104.96:80 -> 192.168.204.141:49182 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 14:01:13 UTC - 77.78.104.96:80 -> 192.168.204.141:49182 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 14:01:30 UTC - 192.168.204.141:49185 -> 192.71.151.14:60541 - [1:30977:1] MALWARE-CNC Win.Trojan.Jaik variant outbound connection
- 14:01:30 UTC - 77.78.104.96:80 -> 192.168.204.141:49181 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 14:01:30 UTC - 77.78.104.96:80 -> 192.168.204.141:49181 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
- 14:01:30 UTC - 77.78.104.96:80 -> 192.168.204.141:49181 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
- 14:01:30 UTC - 77.78.104.96:80 -> 192.168.204.141:49181 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 14:01:30 UTC - 77.78.104.96:80 -> 192.168.204.141:49181 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 14:01:31 UTC - 192.71.151.14:19399 -> 192.168.204.141:49186 - [1:31603:1] MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client
- 14:01:31 UTC - 192.168.204.141:49186 -> 192.71.151.14:19399 - [1:31607:1] MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server
- 14:01:32 UTC - 192.71.151.14:19399 -> 192.168.204.141:49186 - [1:31604:1] MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (x2)
- 14:02:33 UTC - 192.71.151.14:19399 -> 192.168.204.141:49189 - [1:31603:1] MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client
- 14:02:33 UTC - 192.71.151.14:19399 -> 192.168.204.141:49189 - [1:31605:1] MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client
- 14:02:49 UTC - 77.78.104.96:80 -> 192.168.204.141:49193 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 14:02:49 UTC - 77.78.104.96:80 -> 192.168.204.141:49193 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
- 14:02:49 UTC - 77.78.104.96:80 -> 192.168.204.141:49193 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
- 14:02:49 UTC - 77.78.104.96:80 -> 192.168.204.141:49193 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 14:02:49 UTC - 77.78.104.96:80 -> 192.168.204.141:49193 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-08-08-FlashPack-EK-traffic.pcap.zip
- ZIP of the malware: 2014-08-08-FlashPack-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.