2014-08-08 - FLASHPACK EK FROM 77.78.104[.]96 - 6MUY8SQJBPWDYU1W15V11FW.CASAECLECTICA[.]COM[.]MX

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-08-08-FlashPack-EK-traffic.pcap.zip
• 2014-08-08-FlashPack-EK-malware.zip

NOTES:

• More FlashPack EK traffic that's part of of Operation Windigo delivering a Glupteba-style payload.
• The Flash exploits are the same as the last week or two.
• For more information about Operation Windigo, ESET published a report avaialable here.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 77.78.104[.]96 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - FlashPack EK
• 192.71.151[.]14 - no domain name - Glupteba callback traffic

FLASHPACK EK:

• 14:01:01 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /index.php?f=bWlzemV5aD1tcXlkaH
  MmdGltZT0xNDA4MDgxMTE4ODIzMDk5MjE5JnNyYz0xNzcmc3VybD13d3cucHJpbWVoZWFsdGhjaGFubmVsLmNvbSZzcG9ydD04MCZrZXk9QjM3RjFFQ
  kMmc3VyaT0v
• 14:01:03 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw717753ed9df972e20c82399c210b4a0bd.casaeclectica[.]com[.]mx -
  GET /index2.php
• 14:01:05 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/cchipse.php
• 14:01:06 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/cjetsb.js
• 14:01:06 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lspinq/e5326.js
• 14:01:10 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/xbaldingg.php
• 14:01:10 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/cspottedf.php
• 14:01:11 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/bdraineda.php
• 14:01:11 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/runceasingr.php
• 14:01:11 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/ppanelj.php
• 14:01:11 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lspinq/a56a56a.js
• 14:01:11 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lspinq/3964a5.js
• 14:01:11 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lspinq/e728b0d.js
• 14:01:11 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lspinq/f08bb.js
• 14:01:11 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lspinq/b9273.js
• 14:01:13 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lodomeantf.php
• 14:01:20 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lspinq/f989e14a.swf
• 14:01:24 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lspinq/76599fd6.swf
• 14:01:24 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lspinq/5c67118.swf
• 14:01:26 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lodgstiffn.php?id=4
• 14:02:48 UTC - 77.78.104[.]96:80 - 6muy8sqjbpwdyu1w15v11fw.casaeclectica[.]com[.]mx - GET /kafecodes/kholdq/lodewhatsp.php

POST-INFECTION REDIRECT TO ADULTFRIENDFINDER[.]COM:

• 14:01:29 UTC - 77.78.104[.]96:80 - fxiy9gdlb8mlwe2j9496di9.ankaraescort[.]biz - GET /adsort.php?yy=1&aid=2&atr=exts&src=177
• 14:01:30 UTC - 77.78.104[.]96:80 - fxiy9gdlb8mlwe2j9496di9.ankaraescort[.]biz - GET /4/
• 14:01:31 UTC - 208.88.180[.]72:80 - adultfriendfinder[.]com - GET /go/p1011105.subdirs
• 14:01:32 UTC - 208.88.180[.]72:80 - adultfriendfinder[.]com - GET /go/page/landing_page_ffadult_43?pid=p1011105.subdirs&ip=
  auto&no_click=1&alpo_redirect=1

POST-INFECTION TRAFFIC FROM GLUPTEBA MALWARE:

• 14:01:30 UTC - 192.71.151[.]14:60541 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0004BC1D&statpass=bpass&version=
  20140802&features=30&guid=77588e17-f9d1-4935-ba3b-5c2ef9a23361&comment=20140802&p=0&s=
• 14:01:30 UTC - 192.71.151[.]14:19399 - Glupteba callback traffic
• 14:02:32 UTC - 192.71.151[.]14 - Glupteba callback traffic
• 14:02:34 UTC - 173.194.112[.]116:80 - www.google[.]com - GET /robots.txt
• 14:02:35 UTC - 174.143.144[.]69:25 - attempted connection (RST by server)
• 14:02:38 UTC - 108.163.195[.]218:25 - attempted connection (RST by server)
• 14:02:41 UTC - 184.154.68[.]186:25 - attempted connection (RST by server)

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOITS

File name:  2014-08-08-FlashPack-EK-flash-exploit-01.swf
File size:  8,441 bytes
MD5 hash:  9866d0a1b2d0f205360527d946c77bf9
Detection ratio:  15 / 54
First submission:  2014-07-24 15:55:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/77d1f577a4cd5ab0d18d8bfc17d68a8675dc64b00f0096029458c67cade81038/analysis/

File name:  2014-08-08-FlashPack-EK-flash-exploit-02.swf
File size:  31,523 bytes
MD5 hash:  e36b70bb2c75567c4b4b0e2f4cc362ad
Detection ratio:  13 / 54
First submission:  2014-07-24 23:13:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8acd5e17b2590cbf06d32f25bbf05cb5198d90625ab44b55c5225b1d576033ef/analysis/

File name:  2014-08-08-FlashPack-EK-flash-exploit-03.swf
File size:  12,591 bytes
MD5 hash:  2ee1220d578db6b95f8824f0cb03307e
Detection ratio:  13 / 54
First submission:  2014-07-30 15:16:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/07cccaec080423f9241756bd973cb1b68ee594d8039187dd49c41a86ae44d38d/analysis/

 

MALWARE PAYLOAD

File name:  2014-08-08-FlashPack-EK-malware-payload.exe
File size:  80,648 bytes
MD5 hash:  1f28d45f67c10ca73651cc88c5e7a872
Detection ratio:  7 / 54
First submission:  2014-08-08 15:21:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4600396a62bd5f439e3ab6874943ed9f72371b6d01dbe45de3f7000a85b2e03b/analysis/

 

ALERTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 14:01:01 UTC - 77.78.104[.]96:80 - ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
• 14:01:05 UTC - 77.78.104[.]96:80 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack URI Struct June 19, 2014 2 (sid:2808213)
• 14:01:05 UTC - 77.78.104[.]96:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 28 2014 (sid:2018794)
• 14:01:06 UTC - 77.78.104[.]96:80 - ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String (sid:2012205)
• 14:01:09 UTC - 77.78.104[.]96:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE Exploit (sid:2018795)
• 14:01:09 UTC - 77.78.104[.]96:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Flash Exploit (sid:2018797)
• 14:01:09 UTC - 77.78.104[.]96:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Java Exploit (sid:2018796)
• 14:01:13 UTC - 77.78.104[.]96:80 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
• 14:01:26 UTC - 77.78.104[.]96:80 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack Possible Paylod URI Struct June 18, 2014 (sid:2808209)
• 14:01:30 UTC - 192.71.151[.]14:60541 - ET TROJAN Win32/Glupteba CnC Checkin (sid:2013293)

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

• 14:01:01 UTC - [localhost]:53 - [1:254:15] PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (x5)
• 14:01:07 UTC - 77.78.104[.]96:80 - [1:23878:8] BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt
• 14:01:13 UTC - 77.78.104[.]96:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 14:01:13 UTC - 77.78.104[.]96:80 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
• 14:01:13 UTC - 77.78.104[.]96:80 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
• 14:01:13 UTC - 77.78.104[.]96:80 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
• 14:01:13 UTC - 77.78.104[.]96:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 14:01:30 UTC - 192.71.151[.]14:60541 - [1:30977:1] MALWARE-CNC Win.Trojan.Jaik variant outbound connection
• 14:01:30 UTC - 77.78.104[.]96:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 14:01:30 UTC - 77.78.104[.]96:80 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
• 14:01:30 UTC - 77.78.104[.]96:80 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
• 14:01:30 UTC - 77.78.104[.]96:80 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
• 14:01:30 UTC - 77.78.104[.]96:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 14:01:31 UTC - 192.71.151[.]14:19399 - [1:31603:1] MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client
• 14:01:31 UTC - 192.71.151[.]14:19399 - [1:31607:1] MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server
• 14:01:32 UTC - 192.71.151[.]14:19399 - [1:31604:1] MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (x2)
• 14:02:33 UTC - 192.71.151[.]14:19399 - [1:31603:1] MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client
• 14:02:33 UTC - 192.71.151[.]14:19399 - [1:31605:1] MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client
• 14:02:49 UTC - 77.78.104[.]96:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 14:02:49 UTC - 77.78.104[.]96:80 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
• 14:02:49 UTC - 77.78.104[.]96:80 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
• 14:02:49 UTC - 77.78.104[.]96:80 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
• 14:02:49 UTC - 77.78.104[.]96:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected

 

Click here to return to the main page.