Fake Flash Update delivers Tor Bot and more

NOTES:

• Today after being redirected by a compromised site, I captured traffic from a fake Flash update. This did not exploit Flash. I thought it interesting because a similar infection was delivered yesterday by the Rig Exploit Kit via the EiTest campaign.
• Yesterdays Exploit Kit infection at malware-traffic-analysis.net .
• The malicious payload is hosted on dropbox.com.
• Emerging Threats Rule Set alerts to a possible Qadars CnC communication.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-09-01-Flash-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

• 85.25.95.39 – 4lmbkpqrklqv.net – REDIRECT GATE
• 69.64.36.212 – adobe-secur-update.com – PHISHING SITE
• 45.58.74.165 – dl.dropboxusercontent.com [dropbox.com] – MALICIOUS PAYLOAD
• 176.189.232.3 – j8le7s5q745e.org – POSSIBLE Qadars CnC
• 62.75.207.97 – konektyfor.com – POSSIBLE Qadars CnC

DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with initial infection prior to executing fake Flash update file

Shown above: Phishing website displaying fake Flash update

Shown above: Script found on index page of compromised site redirecting jstats.php.

Shown above: Script found on compromised site redirecting to malicious redirect gate.

Shown above: Script found on malicious gate redirecting to phishing website

Shown above: Script found on phishing page directing to www.dropbox.com where malicious payload is hosted

Shown above: DNS traffic associated with infection

Shown above: Some alerts generated by Emerging Threats Rule Set

MALICIOUS PAYLOADS:

• 2016-09-01-flashplayer22_me_install.exe
  Hybrid-Analysis Link
• 2016-09-01-ierkmffjq.NgEWVi  – [154 MB]
  C:\Users\%UserName%\AppData\Roaming\{523B4DE4-24B0-9C76-A8C6-2FD51DC6F052}
  SHA256: 2ADF560B123803FDDF836697AEFE452F18079779DFF3242CED4ABBCD71FC38B5