2014-05-20 - RIG EK FROM 144.76.118.124 - VOORELKAARINZUID.NL

ASSOCIATED FILES:

BLOG ENTRIES SO FAR ON RIG EK:

CHAIN OF EVENTS

COMPROMISED WEBSITE AND REDIRECTS:

RIG EK:

POST-INFECTION CALLBACK SEEN ON THE VM:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-05-20-Rig-EK-flash-exploit.swf
File size:  6.1 KB ( 6295 bytes )
MD5 hash:  4848a2c3cd6e874b6ec1413434c98ab4
Detection ratio:  4 / 52
First submission:  2014-05-19 07:17:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/41aa51c752276c936ae20efea88bf50791da623bd38f1bad02836dfc80ff13fb/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-05-20-Rig-EK-silverlight-exploit.xap
File size:  20.7 KB ( 21214 bytes )
MD5 hash:  76039da2c7db3d19bf702ac0ee28ed7c
Detection ratio:  15 / 52
First submission:  2014-05-20 08:10:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cd9a705264346ac7bca01e08212091c007dede3a9e7f4a769d2ce15bb0fdee6e/analysis/

MALWARE-PAYLOAD

File name:  2014-05-20-Rig-EK-malware-payload.exe
File size:  128.0 KB ( 131076 bytes )
MD5 hash:  5ec96b67ac6587cc4bbfef31e7d1f248
Detection ratio:  6 / 53
First submission:  2014-05-20 19:13:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9a12d141eef4c1094654e69a1ed069ec1148f73c98d26ce516d0ca24b1fe174a/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion):

Emerging Threats ruleset

Sourcefire VRT ruleset

SOME SCREENSHOTS FROM THE TRAFFIC

Embedded iframe in page from compromised website:

First redirect:

Second redirect pointing to Rig EK landing page:

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.