Friday, February 27, 2015

Interesting event

Hi all.

I was not expecting to write this post today; I am still prepping for the SANS 560 course by studying programming. Slowly but surely I am getting it, thanks to a combination of the Intro to Programming course from Infinite Skills and a series of courses from Udemy.

However, while I was browsing the internet today I was on a website of dubious nature. Naturally, when I clicked 'there to watch' I was redirected to If that doesn't look suspicious, right? Being the interested body I am, I fired up a PC and started doing some analysis.

As of now, the site is scanning clean all day.

I'll try to keep this short. The website displays a popup on entry (in IE) saying the user needs to update their Flash Player. That's strike 2 for danger. There is an element on the page which my browser did not display; I need to find out what it is. In any case, clicking some of the links will send you to a subpage that ends in /NATakplayer2.US.html. I have not yet done analysis on this page, but VT has a scan of it. Of note, the page mentions at the bottom that they are not offering the original Adobe file, and that their download may include additional software...

Clicking the install button sends the user to

And the user gets a file, mediaplayer_setup.exe (note: the file is digitally signed by InstallX, LLC), MD5 74DD09FAA1E0B1FD4A19B0C233926C05.

I performed static analysis of the file, as well as uploading it to some sites including MALWR and VT; it appears it's new to them.
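As an added illustration of the first static-triage steps mentioned above (this is example code written for this post, not the author's own tooling), the script below hashes a file, compares the MD5 against a small local IoC list seeded with the hash given in this post, and parses just enough of the PE headers to report whether the executable carries an Authenticode certificate table (the data directory a "digitally signed by InstallX, LLC" file would have). The sample PE bytes are constructed in the script so it runs offline; the IoC set, the `triage` function and the helper names are assumptions for this example.

```python
import hashlib
import struct

# Constructed IoC list: the only entry is the MD5 reported in the post (lowercased).
KNOWN_BAD_MD5 = {"74dd09faa1e0b1fd4a19b0c233926c05"}

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode certificate table


def file_hashes(data: bytes) -> dict:
    """MD5 for matching older IoC feeds, SHA-1/SHA-256 for sharing and pivoting."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def authenticode_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent.

    Walks DOS header -> PE signature -> COFF header -> optional header and
    reads data directory entry 4. Presence only means a signature blob is
    attached; it says nothing about whether the signature is valid or trusted.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional-header offset 96
        dir_base = opt + 96
    elif magic == 0x20B:    # PE32+: they start at offset 112
        dir_base = opt + 112
    else:
        return None
    entry = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_optional:
        return None         # optional header too short to hold this entry
    offset, size = struct.unpack_from("<II", data, entry)
    if size == 0:
        return None
    return offset, size


def triage(data: bytes) -> dict:
    """One-shot summary a responder can paste into a ticket."""
    hashes = file_hashes(data)
    cert = authenticode_directory(data)
    return {
        "md5": hashes["md5"],
        "sha256": hashes["sha256"],
        "known_bad": hashes["md5"] in KNOWN_BAD_MD5,
        "is_pe": data[:2] == b"MZ" and b"PE\0\0" in data,
        "has_authenticode_blob": cert is not None,
        "cert_table": cert,
    }


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header (not a real, runnable executable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)          # 64 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)    # 20 bytes, PE32 optional header = 224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if signed:
        # Certificate table at (constructed) file offset 0x200, 0x100 bytes long
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x200, 0x100)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, blob in (("signed", build_sample_pe(True)), ("unsigned", build_sample_pe(False))):
        print(label, triage(blob))
```

Run it against a real sample with `triage(open(path, "rb").read())`. A hit in `KNOWN_BAD_MD5` is a fast local check before anything is uploaded anywhere, and `has_authenticode_blob` is a reminder that "signed" is a property to verify (chain, revocation, signer identity), not a reason to trust an installer served from a fake update page.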

The PCAP I took was uploaded to VT and generated some alerts:

In the end the file possibly had some anti-VM and anti-debugging technologies, so I decided on an automated analysis rather than running the malware dynamically. In any case, we see the exe has some hooking functionality, drops numerous files (mainly zip files), generates some outbound traffic, and at the very least offers the user the opportunity to download some additional crapware.

See you guys around.

1 comment:

  1. What page were you on when you were redirected to the suspicious page?