A spicy investigation into an unusual network connection from a ‘flash’ (.swf) file to a site called not[.]shaaa[.]dy[.]fi

Decompile

JPEXS Flash Decompiler seems to be good; it worked here! https://github.com/jindrapetrik/jpexs-decompiler

The Story

As a flash fan from way back in the day, I’ve got a bunch of my favourites stored locally that I’ll often crack open for nostalgia.

That said, the security issues associated with flash are well documented (RIP).

This was a fun situation I found myself in: a flash I had downloaded showed some sus behaviour, and while it ended up being fine, it was still a cool chance to learn a little bit about analysing flash files.

Fun Case

What the hell is this message! It popped up after launching a flash file locally (on a VM, luckily, as a safe flash enjoyer!).

Bruh

not[.]shaaa[.]dy[.]fi

Okay, so dy.fi is a dynamic DNS service for Finnish users!

Description from the dy.fi site:

dy.fi is a free dynamic DNS service offered exclusively for Finnish users. It provides you a short domain name like 'yourname.dy.fi', which can be pointed to the dynamic IP address of your home system (for running an FTP or web server at home, or SSH/VNC remote use), or forwarded to your home page which has a long and hard-to-remember URL.

The ‘News’ section on the dy.fi site starts back in 2006 and was last updated in 2018, wild.

Some basic site scans on the not[.]shaaa[.]dy[.]fi URL seem to indicate the web server is now offline: traffic hits an HTTP 307 (Temporary Redirect) and lands on the homepage of dy.fi.

Sandbox time!

Running it under Procmon doesn’t show anything really interesting: a few curious registry items being read (GPU/screen stuff), but that is probably explainable simply by the nature of ‘Flash’ animations.

Looking up decompilers for flash, JPEXS came up, and it seems to work really well!

The Scripts section looked interesting, and indeed under <default package> was a file named ET, and bang, in there was the URL seen earlier along with another one (seemingly a backup, just one step up the domain):

shaaa[.]dy[.]fi

After some scrolling and reading, the urlvars section proves really interesting! A number of metrics (shown below as capabilities.METRIC) are being collected and then POSTed to the web server.

Found an explanation of the Capabilities class and what each property means in some documentation here: https://www.cs.vu.nl/~eliens/assets/flex3/langref/flash/system/Capabilities.html

So after all that, it seems to be data collection!

After these findings, I eventually did some searching and found this swfchan thread detailing some of the drama hahahaha, so it does appear this is known and the person has done this to a number of flashes: https://swfchan.net/31/BTR8OLB.shtml (there are a few different threads about this same topic/person though).

This thread is even better; apparently it’s someone under the name of AMM: https://swfchan.net/32/ACOR3IF.shtml. Of course, the typical 4chan 2015 over-the-top profanity.

To be continued!

There is a really interesting ‘ID’ in the decompiled flash file as well; I wonder if this is unique to each flash compiled by this person. Might go digging/make a little script to see if any of my other flash files have this same thing! Could also grab another of the ‘reported’ flashes on swfchan and see if the ID is unique in that one.
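The little script mentioned above, written as an added example here rather than the post's own code. It does for a whole folder what JPEXS showed for one file: open each .swf (inflating CWS files, as the SWF header describes), pull out every URL or host-looking string, flag anything on a watchlist built from the two dy.fi hosts found in the ET script, and check for a marker string so the same pass can hunt for the ‘ID’ across a collection. The ID_MARKER value is a placeholder because the post does not print the ID it found, the sample SWF built by build_sample_swf is constructed here and is not a playable movie, and the script file name swf_triage.py is assumed.

```python
from __future__ import annotations

import re
import struct
import sys
import zlib
from pathlib import Path

# Indicators from the post, refanged so they match the raw bytes inside a SWF.
WATCHLIST = {"not.shaaa.dy.fi", "shaaa.dy.fi"}

# HYPOTHETICAL placeholder: the post does not print the 'ID' string it found.
# Replace with the real marker bytes copied out of JPEXS to hunt for it.
ID_MARKER = b"<ID-FROM-DECOMPILED-FLASH>"

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
HOST_RE = re.compile(rb"\b(?:[A-Za-z0-9-]+\.)+(?:fi|com|net|org|io|ru)\b")


def swf_body(data: bytes) -> bytes:
    """Return the tag data after the 8-byte header, inflating CWS files.

    SWF header layout: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed length. FWS is stored raw, CWS is zlib-compressed from byte 8.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled in this example")
    raise ValueError(f"not a SWF, signature {sig!r}")


def extract_hosts(body: bytes) -> set[str]:
    """Pull host names out of full URLs and out of bare domain-looking strings."""
    hosts: set[str] = set()
    for m in URL_RE.finditer(body):
        url = m.group(0).decode("ascii", "replace")
        host = url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
        hosts.add(host.lower())
    for m in HOST_RE.finditer(body):
        hosts.add(m.group(0).decode("ascii", "replace").lower())
    return hosts


def triage(data: bytes, marker: bytes = ID_MARKER) -> dict:
    """Triage one SWF: hosts referenced, watchlist hits, and whether the marker is present."""
    body = swf_body(data)
    hosts = extract_hosts(body)
    return {
        "hosts": sorted(hosts),
        "watchlist_hits": sorted(h for h in hosts if h in WATCHLIST or h.endswith(".dy.fi")),
        "has_marker": marker in body,
    }


def scan_directory(root: Path, marker: bytes = ID_MARKER) -> dict[str, dict]:
    """Run triage over every .swf under root; unreadable files are reported as errors."""
    results: dict[str, dict] = {}
    for path in sorted(root.rglob("*.swf")):
        try:
            results[str(path)] = triage(path.read_bytes(), marker)
        except (ValueError, zlib.error) as exc:
            results[str(path)] = {"error": str(exc)}
    return results


def build_sample_swf(strings: list[bytes], compress: bool = True) -> bytes:
    """Constructed fixture: a CWS/FWS container wrapping the given strings.

    The body is not a playable movie; only the header and compression layout
    matter for exercising swf_body() and the string scanners.
    """
    body = b"\x00".join(strings)
    sig = b"CWS" if compress else b"FWS"
    header = sig + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, result in scan_directory(Path(sys.argv[1])).items():
            print(name, result)
    else:
        sample = build_sample_swf([
            b"http://not.shaaa.dy.fi/collect.php",   # primary endpoint from the post
            b"backup=shaaa.dy.fi",                    # fallback one step up the domain
            b"flash.system.Capabilities",             # a class name, not a host
        ])
        print(triage(sample))
```

Run it as `python swf_triage.py ~/flashes` to get one line per file; with no argument it triages the constructed sample. Plain string scanning is only a first pass: it will not see strings that are built at runtime or stored in LZMA (ZWS) files, so anything it flags, and anything it misses in a file you already suspect, still needs the ActionScript read in JPEXS.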