Ticket #136 (closed test: worksforme)

Opened 8 months ago

Last modified 7 months ago

Possible Suspicious File - fla1.tmp (Not Confirmed)

Reported by: knwang Assigned to: knwang
Priority: normal Milestone:
Component: Excluded Registry/File/Process Version: none
Severity: none Keywords: file,exclude,install,IE
Cc:

Description

I'm filing this ticket to keep tabs on a particular file that may or may not be malicious. If you know for sure one way or the other, please edit this ticket and provide documentation justifying your stance.

The file:

C:\WINDOWS\fla1.tmp (added, then deleted)

was written when we visited the following URL (If you choose to go to this URL, we cannot guarantee its safety):

http://66.220.17.200/bins/int/kr3.int?fxp=f7d4daef145840d4cc94723eee060bc9f4fb09dbf5f6780762b987f80279723ef5ada8d1

A quick Google query for fla1.tmp did not produce a lot of results, but did point to a couple of forum posts where fla1.tmp was part of a long list of files some users suspected were part of a compromise. However, fla1.tmp was not specifically confirmed to be malicious.

Change History

02/28/08 08:52:59 changed by xkovah

yeah, this is one which has been pestering me for a while. I've seen it many times, but not been able to confirm it because when you go to find the file to look at it, it's not there. This is the file which led me to the realization that capture is not handling rename events, since I'm pretty sure the file is downloaded and then renamed (or moved to a temp directory which is whitelisted?). I am fairly sure that this is innocuous, and is a temp file related to flash player, since I've seen it on lots of youtube pages, but I never got around to confirming it, which is why I didn't whitelist it. If someone else has time, it would be a good idea to run filemon rather than capture to try and get a handle on this.

Xeno
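The comment above describes the analysis gap: a monitor that keys only on the original path records fla1.tmp as "added, then deleted" and loses the file the moment it is renamed. The script below is an added example (not part of this ticket and not Capture-HPC code) showing how a Filemon/Process Monitor-style event export can be followed across rename operations so the file's final name, owning process and eventual deletion are recovered. The log lines, their comma-separated column layout and the `FileName:` rename detail are constructed for the example; adapt `parse_event()` to the real export format.

```python
"""Follow one file's lifecycle across create / rename / delete events.

Added example, not part of the ticket or of Capture-HPC.  The constructed
log below imitates the Time/Process/Operation/Path/Detail columns of a
Filemon / Process Monitor export; real exports differ in layout.
"""
import re

# Constructed sample: the browser writes fla1.tmp, renames it into a temp
# directory, touches the renamed copy, then marks it for deletion.  A
# monitor that ignores the rename sees only the first three lines.
SAMPLE_LOG = """\
16:32:01.100,iexplore.exe,CreateFile,C:\\WINDOWS\\fla1.tmp,Desired Access: Generic Write
16:32:01.105,iexplore.exe,WriteFile,C:\\WINDOWS\\fla1.tmp,Length: 12288
16:32:01.120,iexplore.exe,SetRenameInformationFile,C:\\WINDOWS\\fla1.tmp,FileName: C:\\WINDOWS\\Temp\\flash_stage.bin
16:32:02.000,iexplore.exe,CreateFile,C:\\WINDOWS\\Temp\\flash_stage.bin,Desired Access: Read Attributes
16:32:05.900,iexplore.exe,SetDispositionInformationFile,C:\\WINDOWS\\Temp\\flash_stage.bin,Delete: True
"""

RENAME_OP = "SetRenameInformationFile"
DELETE_OP = "SetDispositionInformationFile"
RENAME_TARGET_RE = re.compile(r"FileName:\s*(.+?)\s*$")


def parse_event(line):
    """Split one constructed log line into its five columns (Detail may contain commas)."""
    time, proc, op, path, detail = line.split(",", 4)
    return {"time": time, "process": proc, "op": op, "path": path, "detail": detail}


def track_file(log_text, start_path):
    """Return every event touching the file, following it through renames.

    Each element is (time, process, op, path).  Path comparison is
    case-insensitive because NTFS paths are.
    """
    current = start_path.lower()
    history = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["path"].lower() != current:
            continue
        history.append((ev["time"], ev["process"], ev["op"], ev["path"]))
        if ev["op"] == RENAME_OP:
            m = RENAME_TARGET_RE.search(ev["detail"])
            if m:
                # From here on the same file lives under its new name.
                current = m.group(1).lower()
    return history


def final_name(history):
    """Path the file carried at its last observed event, or None if never seen."""
    return history[-1][3] if history else None


def was_deleted(history):
    """True if a delete-disposition was set on any name the file carried."""
    return any(op == DELETE_OP for _, _, op, _ in history)


def summarize(log_text, start_path):
    """Compact verdict a triager can paste into a ticket."""
    history = track_file(log_text, start_path)
    return {
        "events": len(history),
        "renamed": any(op == RENAME_OP for _, _, op, _ in history),
        "final_name": final_name(history),
        "deleted": was_deleted(history),
        "processes": sorted({proc for _, proc, _, _ in history}),
    }


if __name__ == "__main__":
    for time, proc, op, path in track_file(SAMPLE_LOG, r"C:\WINDOWS\fla1.tmp"):
        print(f"{time} {proc:14} {op:28} {path}")
    print(summarize(SAMPLE_LOG, r"C:\WINDOWS\fla1.tmp"))
```

On the constructed log the summary reports five events, a rename to `C:\WINDOWS\Temp\flash_stage.bin`, and a deletion, which is exactly the information a path-keyed monitor loses when it stops following the file after the rename.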

03/05/08 18:59:38 changed by kindlund

This issue has also been discussed via Capture-HPC, at this URL:

https://projects.honeynet.org/capture-hpc/ticket/690

03/07/08 16:32:30 changed by kindlund

  • status changed from new to closed.
  • resolution set to worksforme.

Updated exclusion list to ignore this activity, re: r1345
