2014-05-10 - RIG EXPLOIT PACK FROM 141.101.116.87 - BUIADNAIUAYF.ML

ASSOCIATED FILES:

UPDATE (2014-05-14)

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

RIG EXPLOIT PACK - HTTP GET REQUESTS TO BUIADNAIUAYF.ML:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-05-10-Rig-EK-flash-exploit.swf
File size:  6.0 KB ( 6195 bytes )
MD5 hash:  809966c79e4944e9d7c69f3161b475ff
Detection ratio:  1 / 51
First submission:  2014-05-09 08:34:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e7eceb0f38446eb74918be3f49bc678d8653cdf4d6f3b5ef5de23f60a53e2811/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-05-10-Rig-EK-silverlight-exploit.xap
File size:  14.0 KB ( 14292 bytes )
MD5 hash:  a44a1e43652edcf93c0ec6805ff438c7
Detection ratio:  3 / 52
First submission:  2014-05-07 22:52:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9dae48b5ccb3651b79d53f3cf1f0cf206a473221434200566af26b65f9b80dd9/analysis/

MALWARE PAYLOAD

File name:  2014-05-10-Rig-EK-malware-payload.exe
File size:  317.5 KB ( 325169 bytes )
MD5 hash:  0a925532cdf1e19d085f17ca6168be3d
Detection ratio:  2 / 52
First submission:  2014-05-10 02:08:04 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c4a612ec3108e567b90c6b6cf1cddc02fc54558cb0938b2d3649753542414e32/analysis/
Malwr link:  https://malwr.com/analysis/MTRmMjljMzVkNDQ0NDFjYjk0ZmQwNjE5ZmNhODIxODE/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in web page from compromised website:

Redirect:

First request to RIG Exploit Pack landing page - buiadnaiuayf.ml
GET /proxy.php?PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MGUxY2YzY2IwNWU5ZDUyMGExOGM0M2U2NGQ0YzJiOTg


I've highlighted the part I've seen used with the CVE-2013-2551 MSIE exploit.
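
As an added detection example (not code from the original post), the Python below flags the landing-page URI pattern shown above in HTTP request logs and then collects the follow-on .swf, .exe and .xap requests from the same client to the same host, mirroring the chain of events in this post. The log format, the client IP and the exploit/payload paths are constructed placeholders; only the landing-page URI comes from this post, and the base64 decoding of its second PHPSSESID part is an observation, not something the post states.

```python
import base64
import re

# Constructed sample log (not from the original post): date time client host method uri.
# The proxy.php URI is the one seen in this post; the .swf/.exe/.xap paths are placeholders.
SAMPLE_LOG = """\
2014-05-10 01:57:01 10.0.0.5 compromised-site.example GET /index.html
2014-05-10 01:57:03 10.0.0.5 buiadnaiuayf.ml GET /proxy.php?PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|MGUxY2YzY2IwNWU5ZDUyMGExOGM0M2U2NGQ0YzJiOTg
2014-05-10 01:57:05 10.0.0.5 buiadnaiuayf.ml GET /placeholder/exploit.swf
2014-05-10 01:57:07 10.0.0.5 buiadnaiuayf.ml GET /placeholder/payload.exe
2014-05-10 01:57:09 10.0.0.5 buiadnaiuayf.ml GET /placeholder/exploit.xap
2014-05-10 01:58:00 10.0.0.9 cdn.example GET /proxy.php?PHPSSESID=abc
"""

# Landing page: proxy.php with a PHPSSESID made of two parts separated by a pipe.
LANDING_RE = re.compile(r"^/proxy\.php\?PHPSSESID=([A-Za-z0-9_-]+)\|([A-Za-z0-9+/=]+)$")
# Follow-on requests seen in this chain: Flash exploit, payload, Silverlight exploit.
FOLLOWUP_EXT = (".swf", ".exe", ".xap")


def parse_line(line):
    """Split one constructed log line into its fields (URI kept whole via maxsplit)."""
    date, time, client, host, method, uri = line.split(maxsplit=5)
    return {"ts": f"{date} {time}", "client": client, "host": host,
            "method": method, "uri": uri}


def decode_token(token):
    """Base64-decode the second PHPSSESID part (padding restored); None if not decodable."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def find_rig_chains(log_text):
    """One alert per landing-page hit, listing later exploit/payload fetches by the same client from the same host."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for i, ev in enumerate(events):
        m = LANDING_RE.match(ev["uri"])
        if not m:
            continue
        followups = [e["uri"] for e in events[i + 1:]
                     if e["client"] == ev["client"] and e["host"] == ev["host"]
                     and e["uri"].lower().endswith(FOLLOWUP_EXT)]
        alerts.append({"ts": ev["ts"], "client": ev["client"], "host": ev["host"],
                       "token": decode_token(m.group(2)), "followups": followups})
    return alerts


if __name__ == "__main__":
    for alert in find_rig_chains(SAMPLE_LOG):
        print(alert)
```

The decoded second part of the token is a 32-character hex string, which is worth keeping in the alert as a pivot value when comparing landing-page hits across hosts.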

HTTP GET request for the Flash exploit:

HTTP GET request for the malware payload, right after the Flash exploit:

HTTP GET request for the Silverlight exploit after the malware was sent:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.