2014-10-30 - FLASHPACK EK FROM 188.227.172.106 - KETHANLINGTORO.EU

ASSOCIATED FILES:

• ZIP of the pcap:  2014-10-30-FlashPack-EK-traffic.pcap.zip
• ZIP of the malware:  2014-10-30-FlashPack-EK-malware.zip
• ZIP of PCAP from anlaysis of the malware payload on malwr.com:  2014-10-30-FlashPack-EK-malware-payload-malwr.com-analysis.pcap.zip

 

NOTES:

• It's been a while since I've seen FlashPack EK--or Flash EK, as Kafeine calls it (link).
• Today, this exploit kit used the CVE-2014-0569 Flash exploit.
• For more information on how CVE-2014-0569 is being used in exploit kits, see:  http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 175.107.131.91 - www.betashares.com.au - Compromised website
• 78.110.165.237 - findnewlink.com - Redirect
• 188.227.172.106 - kethanlingtoro.eu - Flashpack EK

 

COMPROMISED WEBSITE:

• 2014-10-30 01:39:50 UTC - 172.16.165.132:49179 - 175.107.131.91:80 - www.betashares.com.au - GET /

 

EVIL EK REDIRECTOR:

• 2014-10-30 01:39:55 UTC - 172.16.165.132:49196 - 78.110.165.237:80 - findnewlink.com - GET /find

 

FLASHPACK EK:

• 2014-10-30 01:40:02 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/index.php
• 2014-10-30 01:40:06 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/js/swfobject.js
• 2014-10-30 01:40:09 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/banner.swf
• 2014-10-30 01:40:14 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - POST /xs3884y132186/gate.php
• 2014-10-30 01:40:15 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/Main.swf
• 2014-10-30 01:40:29 UTC - 172.16.165.132:49199 - 188.227.172.106:80 - kethanlingtoro.eu - GET /xs3884y132186/lofla1.php

 

MALWR.COM ANALYSIS OF MALWARE PAYLOAD:

• 2014-10-30 02:14:09 UTC - 192.168.56.103:1025 - 192.168.56.1:53 - DNS query for: facebook.com (resolved to 173.252.120.6)
• 2014-10-30 02:14:09 UTC - 192.168.56.103:1056 - 173.252.120.6:80 - TCP connection established to Facebook IP, but no data passed
• 2014-10-30 02:14:09 UTC - 192.168.56.103:1025 - 192.168.56.1:53 - DNS query for: qygerdibkyuhw.com (No such name)
• 2014-10-30 02:14:09 UTC - 192.168.56.103:1057 - 192.168.56.1:53 - DNS query for: alivkcvcxg.com (No such name)
• 2014-10-30 02:14:09 UTC - 192.168.56.103:1058 - 192.168.56.1:53 - DNS query for: smuzjkvwtpofsq.com (No such name)

Whois shows 173.252.120.6 is registered to Facebook (link).

 

PRELIMINARY MALWARE ANALYSIS

CVE-2014-0569 FLASH EXPLOIT:

File name:  Main.swf
File size:  46.2 KB ( 47292 bytes )
MD5 hash:  93bd68ff7112244d19030d360e9b2108
Detection ratio:  4 / 54
First submission:  2014-10-28 21:12:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9af76a641b509543632504c6335e7fcf426293b6b8b4a104c109a1a76dc8efae/analysis/

 

MALWARE PAYLOAD:

File name:  2014-10-30-FlashPack-EK-malware-payload.exe
File size:  91.0 KB ( 93184 bytes )
MD5 hash:  b47f9975477c9e34888715790fef904e
Detection ratio:  5 / 53
First submission:  2014-10-30 01:58:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d3314440e36606373c67cd88f12596ea51adf3e2c22e1d0c8cff58954fed194f/analysis/
Malwr link:  https://malwr.com/analysis/NmJlOGNkMzM2MGY5NDA3YTk4NzYzNjRmNTUyNDliNGE/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 188.227.172.106:80 - 172.16.165.132:49196 - ET CURRENT_EVENTS Evil EK Redirector Cookie June 27 2014 (sid:2018613)
• 172.16.165.132:49199 - 188.227.172.106:80 - ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post (sid:2019594)
• 188.227.172.106:80 - 172.16.165.132:49199 - ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29 (sid:2019596)
• 172.16.165.132:49199 - 188.227.172.106:80 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)
• 172.16.165.132:49199 - 188.227.172.106:80 - ET CURRENT_EVENTS FlashPack Payload Download Oct 29 (sid:2019595)
• 188.227.172.106:80 - 172.16.165.132:49199 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
• 188.227.172.106:80 - 172.16.165.132:49199 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009080)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not includeing preprocessor events):

• 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:24791:3] EXPLOIT-KIT CritX exploit kit Portable Executable download
• 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:29167:1] EXPLOIT-KIT CritX exploit kit payload download attempt
• 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:28593:1] EXPLOIT-KIT Multiple exploit kit payload download
• 2014-10-30 01:40:30 UTC - 188.227.172.106:80 - 172.16.165.132:49199 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected

 

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript from compromised website pointing to the redirect/gate:

 

Redirect pointing to the FlashPack EK landing page:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-10-30-FlashPack-EK-traffic.pcap.zip
• ZIP of the malware:  2014-10-30-FlashPack-EK-malware.zip
• ZIP of PCAP from anlaysis of the malware payload on malwr.com:  2014-10-30-FlashPack-EK-malware-payload-malwr.com-analysis.pcap.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.