2014-08-30 - FLASHPACK EK FROM 188.40.249.74 - VBSAIORD.ARM.EE

ASSOCIATED FILES:

• ZIP of the pcap(s):  2014-08-30-FlashPack-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-08-30-FlashPack-EK-malware.zip

 

NOTES:

• FlashPack EK continues to evolve.
• People like Kafeine have already noted recent changes in this exploit kit ( link ).

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 192.185.16.193 - churchleaderscampfire.com - Compromised website
• 78.110.165.237 - streamscript.com - Redirect
• 188.40.249.74 - vbsaiord.arm.ee - FlashPack EK
• 5.45.73.106 - 5.45.73.106 - FlashPack EK-related domain

 

COMPROMISED WEBSITE AND REDIRECT:

• 01:36:02 UTC - 172.16.165.133:49456 - 192.185.16.193:80 - churchleaderscampfire.com - GET /
• 01:36:04 UTC - 172.16.165.133:49463 - 78.110.165.237:80 - streamscript.com - GET /script

 

FLASHPACK EK:

• 01:36:04 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/index.php
• 01:36:05 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/js/swfobject.js
• 01:36:05 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/client_do.swf
• 01:36:06 UTC - 172.16.165.133:49490 - 5.45.73.106:80 - 5.45.73.106 - GET /victor/gate.php?id=0PojPDPAP6Pkjd6jPrPrPYPSPkPAj0djdi6rPtP6j0djdi0do6oDPtP0jddk
  d0dDjd0oPDPAP6Prooodjidojd0o6D6AjidkdkjtdjjtdjdidjjtdjdjdLjddkd6d6dijddDdidijdP0PA
• 01:36:07 UTC - 172.16.165.133:49490 - 5.45.73.106:80 - 5.45.73.106 - GET /victor/actdom.php
• 01:36:07 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/loadfla0515.php
• 01:36:08 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - vbsaiord.arm.ee - POST /victor/allow.php
• 01:36:08 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/tmp/5b9e2.js
• 01:36:09 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - vbsaiord.arm.ee - POST /victor/msie.php
• 01:36:09 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/tmp/36b3f10b.js
• 01:36:11 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/load20132551.php
• 01:36:20 UTC - 172.16.165.133:49498 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/tmp/06fce.jar
• 01:36:21 UTC - 172.16.165.133:49499 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/META-INF/services/javax.xml.datatype.DatatypeFactory
• 01:36:21 UTC - 172.16.165.133:49499 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/loadjimage.php?id=296
• 01:36:22 UTC - 172.16.165.133:49499 - 188.40.249.74:80 - vbsaiord.arm.ee - GET /victor/loadjimage.php?id=296/2

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-08-30-FlashPack-EK-flash-exploit.swf
File size:  43.1 KB ( 44162 bytes )
MD5 hash:  18e848c5bcfdc2a0c4c8f254b1c4ca7c
Detection ratio:  0 / 55
First submission:  2014-08-27 17:47:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/97abf9ab52df2abcddea16cf7015ec4a5322ed2338e3e428baf9143b4fb63b26/analysis/

 

SECOND FLASH EXPLOIT:

File name:  2014-08-30-FlashPack-EK-second-flash-exploit.swf
File size:  20.9 KB ( 21353 bytes )
MD5 hash:  9b945f6d19061e3ff9d69ee6c4a4fd3a
Detection ratio:  1 / 47
First submission:  2014-08-27 17:46:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dd4b73c7e3b4012c5351ede3141d94915cc8db30a5a3a4b0adafee46043df520/analysis/

 

JAVA EXPLOIT:

File name:  10.5 KB ( 10743 bytes )
File size:  10.5 KB ( 10743 bytes )
MD5 hash:  b50a4ada9f11dcdf07c3bbafa7687d79
Detection ratio:  11 / 53
First submission:  2014-08-25 09:11:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c74cf5b69897ee9e74c5b11429148addbaf153643fb7be19b5dc1c872306b8d3/analysis/

 

MALWARE PAYLOAD:

File name:  2014-08-30-FlashPack-EK-malware-payload.exe
File size:  83.5 KB ( 85504 bytes )
MD5 hash:  292f86e7f4bd65c776ab8cbc2ddba75f
Detection ratio:  5 / 51
First submission:  2014-08-29 23:09:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1ad6ed631dfdbb6b6672805af793e02e471d4359e44d2100ca85fbbba6490b84/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 01:36:04 UTC - 78.110.165.237:80 - 172.16.165.133:49463 - ET CURRENT_EVENTS Evil EK Redirector Cookie June 27 2014 (sid:2018613)
• 01:36:04 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 1 Specific (sid:2808658)
• 01:36:06 UTC - 172.16.165.133:49490 - 5.45.73.106:80 - ET CURRENT_EVENTS FlashPack EK Redirect Aug 25 2014 (sid:2019005)
• 01:36:07 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)
• 01:36:07 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack Payload (sid:2017813)
• 01:36:07 UTC - 188.40.249.74:80 - 172.16.165.133:49468 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
• 01:36:08 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - ET CURRENT_EVENTS FlashPack EK Exploit Flash Post Aug 25 2014 (sid:2019004)
• 01:36:08 UTC - 188.40.249.74:80 - 172.16.165.133:49468 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 28 2014 (sid:2018794)
• 01:36:08 UTC - 188.40.249.74:80 - 172.16.165.133:49468 - ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String (sid:2012205)
• 01:36:08 UTC - 188.40.249.74:80 - 172.16.165.133:49468 - ET CURRENT_EVENTS FlashPack EK JS Include Aug 25 2014 (sid:2019007)
• 01:36:08 UTC - 172.16.165.133:49468 - 188.40.249.74:80 - ET CURRENT_EVENTS FlashPack EK Exploit Landing Aug 25 2014 (sid:2019006)
• 01:36:20 UTC - 172.16.165.133:49498 - 188.40.249.74:80 - ET CURRENT_EVENTS JAR served from /tmp/ could be Phoenix Exploit Kit (sid:2011973)
• 01:36:21 UTC - 172.16.165.133:49499 - 188.40.249.74:80 - ET CURRENT_EVENTS SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps) (sid:2017579)
• 01:36:21 UTC - 172.16.165.133:49499 - 188.40.249.74:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload (sid:2019008)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

• 01:36:04.015813 192.185.16.193:80 - 172.16.165.133:49456 - [129:12:1] Consecutive TCP small segments exceeding threshold
• 01:36:06.082082 188.40.249.74 - 172.16.165.133 - [139:1:1] (spp_sdf) SDF Combination Alert (x2)
• 01:36:07.403899 172.16.165.133:49468 - 188.40.249.74:80 - [1:30973:3] EXPLOIT-KIT CritX exploit kit payload request
• 01:36:07.603694 188.40.249.74:80 - 172.16.165.133:various - [1:11192:16] FILE-EXECUTABLE download of executable content (x4)
• 01:36:07.603694 188.40.249.74:80 - 172.16.165.133:various - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download (x4)
• 01:36:07.603694 188.40.249.74:80 - 172.16.165.133:various - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt (x4)
• 01:36:07.603694 188.40.249.74:80 - 172.16.165.133:various - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download (x4)
• 01:36:07.603694 188.40.249.74:80 - 172.16.165.133:49468 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x2)
• 01:36:09.194012 188.40.249.74:80 - 172.16.165.133:49468 - [138:4:1] SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)
• 01:36:09.194012 188.40.249.74:80 - 172.16.165.133:49468 - [1:30966:1] EXPLOIT-KIT CritX exploit kit landing page - redirection to Microsoft Internet Explorer exploit
• 01:36:21.920586 188.40.249.74:80 - 172.16.165.133:49499 - [1:25042:3] EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (x2)

 

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect pointing to FlashPack EK:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap(s):  2014-08-30-FlashPack-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-08-30-FlashPack-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.