2017-05-04 - DECIMAL IP CAMPAIGN USES FAKE ADOBE FLASH PLAYER SITE TO SEND SMOKE LOADER

ASSOCIATED FILES:

  • 2017-04-25-Smoke-Loader-post-infection-traffic.pcap   (330,328 bytes)
  • 2017-05-04-fake-Adobe-Flash-player-site.pcap   (1,066,302 bytes)
  • flashplayer24pp_id_install.exe   (148,992 bytes)

NOTES:


Shown above:  Using the Decimal IP url from Zerophage blog post about the Decimal IP campaign.
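The Decimal IP campaign gets its name from URLs whose host is written as a single 32-bit integer instead of a dotted quad. As an added example (not code from this post or the Zerophage write-up), here is a small normalizer a defender can run over proxy or pcap-extracted URLs to rewrite that form into dotted-quad so it matches ordinary IP-based indicators; the sample URLs are constructed, not taken from the pcaps above.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs (not from the pcaps on this page): one decimal-form
# host, one ordinary dotted-quad host and one hostname.
SAMPLE_URLS = [
    "http://3232235777/flashplayer24pp_id_install.exe",
    "http://192.168.1.1/index.html",
    "http://example.test/update",
]


def decimal_host_to_dotted(url):
    """Return (normalized_url, was_decimal).

    If the URL's host is a bare integer within the 32-bit range, the form
    used by the Decimal IP campaign, rewrite it as a dotted-quad address so
    it can be compared against IP indicators and allow/deny lists.
    Any other host is returned unchanged.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.isdigit():
        return url, False
    value = int(host)
    if value > 0xFFFFFFFF:
        return url, False  # too large to be an IPv4 address
    dotted = str(ipaddress.IPv4Address(value))
    netloc = dotted if parts.port is None else f"{dotted}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path,
                       parts.query, parts.fragment)), True


def find_decimal_ip_urls(urls):
    """Return (original, normalized) pairs for URLs that used a decimal host."""
    found = []
    for url in urls:
        normalized, was_decimal = decimal_host_to_dotted(url)
        if was_decimal:
            found.append((url, normalized))
    return found


if __name__ == "__main__":
    for original, normalized in find_decimal_ip_urls(SAMPLE_URLS):
        print(f"{original} -> {normalized}")
```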


TRAFFIC


Shown above:  Traffic from the fake Flash Player site filtered in Wireshark.


FAKE ADOBE FLASH PLAYER SITE AND DOWNLOAD URL FOR SMOKELOADER ON 2017-05-04:


POST-INFECTION TRAFFIC FROM SAME SMOKELOADER SAMPLE ON 2017-04-25:


FILE HASHES

FAKE FLASH PLAYER INSTALLER (SMOKE LOADER):


Shown above:  Smoke Loader sample from 2017-05-04 was around as early as 2017-04-25.


IMAGES


Shown above:  Post-infection traffic caused by the Smoke Loader sample from a pcap dated 2017-04-25.



Shown above:  Some alerts on both pcaps from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.