2014-05-16 - RIG EK FROM 141.101.116.236 - RESTARTBEE.ML

ASSOCIATED FILES:

NOTES:

BLOG ENTRIES SO FAR ON RIG EK:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

INFECTION CHAINS:

TRAFFIC FROM PCAP OF MALWR.COM ANALYSIS OF MALWARE PAYLOAD:

NOTE: Malwr.com analysis of the follow-up malware shows this additional traffic:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOITS

File name:  2014-05-16-Rig-EK-flash-exploit-swf.swf
File size:  6.1 KB ( 6258 bytes )
MD5 hash:  e921a9d383e34813fb7486e88b9c60e5
Detection ratio:  0 / 52
First submission:  2014-05-15 17:11:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1e402065b110859a9ac11006248a464ddc83fdfa59d620b68fa5240f7b586bf9/analysis/

File name:  2014-05-16-Rig-EK-flash-exploit-swfIE.swf
File size:  5.9 KB ( 6024 bytes )
MD5 hash:  7daa9b066dc254a749f815e1c6125632
Detection ratio:  0 / 53
First submission:  2014-05-16 06:53:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/daf208ecc2ec5be5909a85784f617d97cc2c994723345028bd17ce8dc1592a24/analysis/

JAVA EXPLOIT

File name:  2014-05-16-Rig-EK-java-exploit.jar
File size:  17.3 KB ( 17765 bytes )
MD5 hash:  647fd872d5c871fecce69d1308ecb74f
Detection ratio:  5 / 53
First submission:  2014-05-16 06:53:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d13c0c21dd3d4fde57a4f23d8137649d7d2af4213500ae0848e1b7bd68dffc8f/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-05-16-Rig-EK-silverlight-exploit.xap
File size:  6.1 KB ( 6238 bytes )
MD5 hash:  fb73a0c9467f2bdb8b4281bf33107762
Detection ratio:  2 / 53
First submission:  2014-05-16 06:53:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ed28b4064b79ec75bd4fe484f6ca3716beace127176ef28f61049d3652ff8352/analysis/

MALWARE PAYLOAD

File name:  2014-05-16-Rig-EK-malware-payload.exe
File size:  108.0 KB ( 110596 bytes )
MD5 hash:  70a4573c2b2a5bc2ea620b756f7d3bd6
Detection ratio:  5 / 52
First submission:  2014-05-16 02:37:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2a41df1c3f563b23f28be7808eee9c24aca4cdfad781baf47a8e1c3a4cb02388/
Malwr link:  https://malwr.com/analysis/ODllYmQ4Yzk4OWU1NDAxNjlhZWNhMDM3NmE0ZmE1MmE/

FOLLOW-UP MALWARE FROM SANDBOX ANALYSIS

File name:  2014-05-16-Rig-EK-followup-malware.exe
File size:  180.0 KB ( 184320 bytes )
MD5 hash:  c0e3fcd67af91e3ee4cd0e316103a871
Detection ratio:  18 / 53
First submission:  2014-05-15 17:24:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/21e03836085be3750e95ea77b494ea5b58c0de35710e440d3e5383cf4aa5667e/analysis/
Malwr link:  https://malwr.com/analysis/ZTY1NGY1NzAzMjI4NDEzN2IxZjE3ZWQ3OGI1ZGJiY2U/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion):

Emerging Threats Snort Ruleset

Sourcefire VRT Ruleset

SNORT EVENTS AFTER TCPREPLAY ON THE MALWARE ANALYSIS PCAP:

Emerging Threats Snort Ruleset

Sourcefire VRT Ruleset

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in page from compromised website:

First redirect:

Second redirect:

Rig EK delivers Flash exploit (swf):

Rig EK delivers Flash exploit (swfIE):

Rig EK delivers Java exploit:

Rig EK delivers Silverlight exploit:

One of the examples where Rig EK delivers the malware payload:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.