2014-10-30 - FLASHPACK EK FROM 188.227.172[.]106 - KETHANLINGTORO[.]EU
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-10-30-FlashPack-EK-traffic.pcap.zip
- 2014-10-30-FlashPack-EK-malware.zip
- 2014-10-30-FlashPack-EK-malware-payload-sandbox-analysis.pcap.zip
NOTES:
- It's been a while since I've seen FlashPack EK--or Flash EK, as Kafeine calls it (link).
- Today, this exploit kit used the CVE-2014-0569 Flash exploit.
- For more information on how CVE-2014-0569 is being used in exploit kits, see: https://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 175.107.131[.]91 - www.betashares[.]com[.]au - Compromised website
- 78.110.165[.]237 - findnewlink[.]com - Redirect
- 188.227.172[.]106 - kethanlingtoro[.]eu - Flashpack EK
COMPROMISED WEBSITE:
- 2014-10-30 01:39:50 UTC - 175.107.131[.]91:80 - www.betashares[.]com[.]au - GET /
EVIL EK REDIRECTOR:
- 2014-10-30 01:39:55 UTC - 78.110.165[.]237:80 - findnewlink[.]com - GET /find
FLASHPACK EK:
- 2014-10-30 01:40:02 UTC - 188.227.172[.]106:80 - kethanlingtoro[.]eu - GET /xs3884y132186/index.php
- 2014-10-30 01:40:06 UTC - 188.227.172[.]106:80 - kethanlingtoro[.]eu - GET /xs3884y132186/js/swfobject.js
- 2014-10-30 01:40:09 UTC - 188.227.172[.]106:80 - kethanlingtoro[.]eu - GET /xs3884y132186/banner.swf
- 2014-10-30 01:40:14 UTC - 188.227.172[.]106:80 - kethanlingtoro[.]eu - POST /xs3884y132186/gate.php
- 2014-10-30 01:40:15 UTC - 188.227.172[.]106:80 - kethanlingtoro[.]eu - GET /xs3884y132186/Main.swf
- 2014-10-30 01:40:29 UTC - 188.227.172[.]106:80 - kethanlingtoro[.]eu - GET /xs3884y132186/lofla1.php
SANDBOX ANALYSIS OF MALWARE PAYLOAD:
- 2014-10-30 02:14:09 UTC - [internal host]:53 - DNS query for: facebook.com (resolved to 173.252.120[.]6)
- 2014-10-30 02:14:09 UTC - 173.252.120[.]6:80 - TCP connection established to Facebook IP address, but no data passed
- 2014-10-30 02:14:09 UTC - [internal host]:53 - DNS query for: qygerdibkyuhw[.]com (No such name)
- 2014-10-30 02:14:09 UTC - [internal host]:53 - DNS query for: alivkcvcxg[.]com (No such name)
- 2014-10-30 02:14:09 UTC - [internal host]:53 - DNS query for: smuzjkvwtpofsq[.]com (No such name)
Whois shows 173.252.120[.]6 is registered to Facebook (link).
PRELIMINARY MALWARE ANALYSIS
CVE-2014-0569 FLASH EXPLOIT:
File name: Main.swf
File size: 47,292 bytes
MD5 hash: 93bd68ff7112244d19030d360e9b2108
Detection ratio: 4 / 54
First submission: 2014-10-28 21:12:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/9af76a641b509543632504c6335e7fcf426293b6b8b4a104c109a1a76dc8efae/analysis/
MALWARE PAYLOAD:
File name: 2014-10-30-FlashPack-EK-malware-payload.exe
File size: 93,184 bytes
MD5 hash: b47f9975477c9e34888715790fef904e
Detection ratio: 5 / 53
First submission: 2014-10-30 01:58:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/d3314440e36606373c67cd88f12596ea51adf3e2c22e1d0c8cff58954fed194f/analysis/
SIGNATURE EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 188.227.172[.]106:80 - ET CURRENT_EVENTS Evil EK Redirector Cookie June 27 2014 (sid:2018613)
- 188.227.172[.]106:80 - ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post (sid:2019594)
- 188.227.172[.]106:80 - ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29 (sid:2019596)
- 188.227.172[.]106:80 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)
- 188.227.172[.]106:80 - ET CURRENT_EVENTS FlashPack Payload Download Oct 29 (sid:2019595)
- 188.227.172[.]106:80 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
- 188.227.172[.]106:80 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009080)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not includeing preprocessor events):
- 2014-10-30 01:40:30 UTC - 188.227.172[.]106:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-10-30 01:40:30 UTC - 188.227.172[.]106:80 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
- 2014-10-30 01:40:30 UTC - 188.227.172[.]106:80 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
- 2014-10-30 01:40:30 UTC - 188.227.172[.]106:80 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
- 2014-10-30 01:40:30 UTC - 188.227.172[.]106:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
SCREENSHOTS FROM THE TRAFFIC
Malicious javascript from compromised website pointing to the redirect/gate:
Redirect pointing to the FlashPack EK landing page:
Click here to return to the main page.