Malware that spreads via Facebook | Joachim De Zutter
February 2014

A webpage at dl.dropboxusercontent.com redirected to a webpage at downcdn.com, which in turn redirected to a webpage at *.amazonaws.com.

Filename: FlashPlugin.exe
Filesize: 233472 bytes
MD5: 152cf27ca00d0632927fe9c1bfae765a
SHA1: 9759946675228e0305c2564de3c409dafe3aa225
SHA256: 2521d7f81375790ff9296bb8c487860a9428b2a47dc185102d7f82eba1857915

Created files named PreferencesNew, background.js and manifest.json.
Opened local UDP ports 1073, 1075 and 1077.
Opened an HTTP connection to 108.162.197.162 on port 80.
Opened local TCP port 1027.

Filename: background.js
Filesize: 887 bytes
MD5: cec585e10288cb4ab427e6127bf44905
SHA1: aa9edac9d04cd5f5ac6368758ada6113f3ca199f
SHA256: 5ff7f7a53598e7b51880659d5986ce7e32d688c61e2d4684a0b1adcb0fc453fb

Filename: manifest.json
Filesize: 535 bytes
MD5: c85859fec422983b981e3c37394efb48
SHA1: 8929a6d35c97c577ea6b33871a418d33363928e0
SHA256: 415ca3cd18e57270556d2c2b02eb733d4a225728bfeec945273605ec827e1287
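The following is an added example, not part of the original note: a small Python IoC matcher that parses the indicator blocks above (the `Filename:/Filesize:/MD5:/SHA1:/SHA256:` layout used on this page) into records and checks files under a directory against them. The file size is used only as a prefilter (identical content always has identical size), and a file is reported when any of its digests matches, so renamed copies are still caught. The sample directory it builds contains constructed files, not the malware; the extra indicator for an empty file is constructed purely to exercise the match path.

```python
"""Match files on disk against the file indicators listed on this page.

Added example (not the author's code). Parses the page's indicator blocks
and hashes files under a directory, reporting those whose digests match.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Indicator text copied verbatim from the page (the three files it lists).
PAGE_INDICATORS = """
Filename: FlashPlugin.exe
Filesize: 233472 bytes
MD5: 152cf27ca00d0632927fe9c1bfae765a
SHA1: 9759946675228e0305c2564de3c409dafe3aa225
SHA256: 2521d7f81375790ff9296bb8c487860a9428b2a47dc185102d7f82eba1857915

Filename: background.js
Filesize: 887 bytes
MD5: cec585e10288cb4ab427e6127bf44905
SHA1: aa9edac9d04cd5f5ac6368758ada6113f3ca199f
SHA256: 5ff7f7a53598e7b51880659d5986ce7e32d688c61e2d4684a0b1adcb0fc453fb

Filename: manifest.json
Filesize: 535 bytes
MD5: c85859fec422983b981e3c37394efb48
SHA1: 8929a6d35c97c577ea6b33871a418d33363928e0
SHA256: 415ca3cd18e57270556d2c2b02eb733d4a225728bfeec945273605ec827e1287
"""


@dataclass(frozen=True)
class Indicator:
    filename: str
    filesize: int
    md5: str
    sha1: str
    sha256: str


_FIELD = re.compile(r"^(Filename|Filesize|MD5|SHA1|SHA256):\s*(\S+)", re.M)


def _build(fields):
    return Indicator(fields["Filename"], int(fields["Filesize"]),
                     fields["MD5"].lower(), fields["SHA1"].lower(),
                     fields["SHA256"].lower())


def parse_indicators(text):
    """Turn the page's 'Key: value' blocks into Indicator records.
    A new 'Filename:' line starts a new record."""
    records, current = [], {}
    for key, value in _FIELD.findall(text):
        if key == "Filename" and current:
            records.append(_build(current))
            current = {}
        current[key] = value
    if current:
        records.append(_build(current))
    return records


def digest_file(path):
    """Compute MD5, SHA1 and SHA256 of a file in one streaming pass."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
              "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def match_file(path, indicators):
    """Return (indicator, matched_algorithms) pairs for this file.
    Size is a prefilter only; the file name is deliberately not trusted."""
    size = os.path.getsize(path)
    candidates = [i for i in indicators if i.filesize == size]
    if not candidates:
        return []
    digests = digest_file(path)
    hits = []
    for ind in candidates:
        matched = [alg for alg in ("md5", "sha1", "sha256")
                   if digests[alg] == getattr(ind, alg)]
        if matched:
            hits.append((ind, matched))
    return hits


def scan_directory(root, indicators):
    """Walk root and return [(relative_path, indicator, matched_algorithms)]."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            for ind, algs in match_file(full, indicators):
                results.append((os.path.relpath(full, root), ind, algs))
    return results


# Constructed indicator for an empty file (well-known digests of b""), used
# only so that the sample directory below produces one hit.
EMPTY_FILE_IOC = Indicator(
    "empty.bin", 0,
    "d41d8cd98f00b204e9800998ecf8427e",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")


def build_sample_dir():
    """Create a temp directory with constructed, harmless files for a demo run."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    open(os.path.join(root, "empty.bin"), "wb").close()
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"constructed sample content, not malware\n")
    return root


if __name__ == "__main__":
    iocs = parse_indicators(PAGE_INDICATORS) + [EMPTY_FILE_IOC]
    for rel, ind, algs in scan_directory(build_sample_dir(), iocs):
        print(f"MATCH {rel} -> {ind.filename} via {','.join(algs)}")
```

Run it against a real directory by replacing `build_sample_dir()` with the path to inspect (for example a browser profile's extension folder); the page's three indicators alone will only fire on the actual dropped files, which is the expected behaviour of a hash-based check.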

http://www.utrace.de/?query=108.162.197.162
Provider: CloudFlare
Region: San Francisco (United States)


https://www.virustotal.com/en/file/2521d7f81375790ff9296bb8c487860a9428b2a47dc185102d7f82eba1857915/analysis/

https://malwr.com/analysis/NzI2YzZlNTA0NmRlNGUxM2I2NDVjMDkyNDM4NmUzZDY/