2014-10-30 - FLASHPACK EK FROM 188.227.172.106 - KETHANLINGTORO.EU
ASSOCIATED FILES:
- ZIP of the pcap: 2014-10-30-FlashPack-EK-traffic.pcap.zip
- ZIP of the malware: 2014-10-30-FlashPack-EK-malware.zip
- ZIP of PCAP from anlaysis of the malware payload on malwr.com: 2014-10-30-FlashPack-EK-malware-payload-malwr.com-analysis.pcap.zip
NOTES:
- It's been a while since I've seen FlashPack EK--or Flash EK, as Kafeine calls it (link).
- Today, this exploit kit used the CVE-2014-0569 Flash exploit.
- For more information on how CVE-2014-0569 is being used in exploit kits, see: http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 175.107.131.91 - www.betashares.com.au - Compromised website
- 78.110.165.237 - findnewlink.com - Redirect
- 188.227.172.106 - kethanlingtoro.eu - Flashpack EK
COMPROMISED WEBSITE:
- 2014-10-30 01:39:50 UTC - 172.16.165.132:49179 - 175.107.131.91:80 - www.betashares.com.au - GET /
EVIL EK REDIRECTOR:
- 2014-10-30 01:39:55 UTC - 172.16.165.132:49196 - 78.110.165.237:80 - findnewlink.com - GET /find
FLASHPACK EK:
- 2014-10-30 01:40:02 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/index.php
- 2014-10-30 01:40:06 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/js/swfobject.js
- 2014-10-30 01:40:09 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/banner.swf
- 2014-10-30 01:40:14 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - POST /xs3884y132186/gate.php
- 2014-10-30 01:40:15 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/Main.swf
- 2014-10-30 01:40:29 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/lofla1.php
MALWR.COM ANALYSIS OF MALWARE PAYLOAD:
- 2014-10-30 02:14:09 UTC - 192.168.56.103:1025 - 192.168.56.1:53 - DNS query for: facebook.com (resolved to 173.252.120.6)
- 2014-10-30 02:14:09 UTC - 192.168.56.103:1056 - 173.252.120.6:80 - TCP connection established to Facebook IP, but no data passed
- 2014-10-30 02:14:09 UTC - 192.168.56.103:1025 - 192.168.56.1:53 - DNS query for: qygerdibkyuhw.com (No such name)
- 2014-10-30 02:14:09 UTC - 192.168.56.103:1057 - 192.168.56.1:53 - DNS query for: alivkcvcxg.com (No such name)
- 2014-10-30 02:14:09 UTC - 192.168.56.103:1058 - 192.168.56.1:53 - DNS query for: smuzjkvwtpofsq.com (No such name)
Whois shows 173.252.120.6 is registered to Facebook (link).
PRELIMINARY MALWARE ANALYSIS
CVE-2014-0569 FLASH EXPLOIT:
File name: Main.swf
File size: 46.2 KB ( 47292 bytes )
MD5 hash: 93bd68ff7112244d19030d360e9b2108
Detection ratio: 4 / 54
First submission: 2014-10-28 21:12:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/9af76a641b509543632504c6335e7fcf426293b6b8b4a104c109a1a76dc8efae/analysis/
MALWARE PAYLOAD:
File name: 2014-10-30-FlashPack-EK-malware-payload.exe
File size: 91.0 KB ( 93184 bytes )
MD5 hash: b47f9975477c9e34888715790fef904e
Detection ratio: 5 / 53
First submission: 2014-10-30 01:58:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/d3314440e36606373c67cd88f12596ea51adf3e2c22e1d0c8cff58954fed194f/analysis/
Malwr link: https://malwr.com/analysis/NmJlOGNkMzM2MGY5NDA3YTk4NzYzNjRmNTUyNDliNGE/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 188.227.172.106:80 - 172.16.165.132:49196 - ET CURRENT_EVENTS Evil EK Redirector Cookie June 27 2014 (sid:2018613)
- 172.16.165.132:49199 - 188.227.172.106:80 - ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post (sid:2019594)
- 188.227.172.106:80 - 172.16.165.132:49199 - ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29 (sid:2019596)
- 172.16.165.132:49199 - 188.227.172.106:80 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)
- 172.16.165.132:49199 - 188.227.172.106:80 - ET CURRENT_EVENTS FlashPack Payload Download Oct 29 (sid:2019595)
- 188.227.172.106:80 - 172.16.165.132:49199 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
- 188.227.172.106:80 - 172.16.165.132:49199 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009080)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not includeing preprocessor events):
- 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
- 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
- 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
SCREENSHOTS FROM THE TRAFFIC
Malicious javascript from compromised website pointing to the redirect/gate:
Redirect pointing to the FlashPack EK landing page:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-10-30-FlashPack-EK-traffic.pcap.zip
- ZIP of the malware: 2014-10-30-FlashPack-EK-malware.zip
- ZIP of PCAP from anlaysis of the malware payload on malwr.com: 2014-10-30-FlashPack-EK-malware-payload-malwr.com-analysis.pcap.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.