2014-05-30 - RIG EK FROM 46.182.24.37 - WHATSUUPP.CO.VU

ASSOCIATED FILES:

BLOG ENTRIES SO FAR ON RIG EK:

NOTES:

 

CHAIN OF EVENTS

COMPROMISED WEBSITE AND REDIRECT CHAIN:

RIG EK:

CRYPTOWALL CALLBACK TRAFFIC:

NOTE:

 

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-05-30-Rig-EK-silverlight-exploit.xap
File size:  21.0 KB ( 21541 bytes )
MD5 hash:  5eec17841a04a21ebf6b3c98ccf33e0c
Detection ratio:  2 / 52
First submission:  2014-05-30 07:06:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b08d25b46005f2b2a4dfa5b38e57b7320203333cb3fc510929cb97f27e6810e5/analysis/

 

FLASH EXPLOIT

File name:  2014-05-30-Rig-EK-flash-exploit.swf
File size:  3.5 KB ( 3534 bytes )
MD5 hash:  b1cdcfd3573644599a313e026c551943
Detection ratio:  2 / 53
First submission:  2014-05-30 07:07:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/75e372c335dfe12b8cef2431f3405f4a0119c0ae1753fbb862cd56081ded0df3/analysis/

 

FLASH EXPLOIT (SWFIE)

File name:  2014-05-30-Rig-EK-flash-exploit-swfIE.swf
File size:  6.0 KB ( 6184 bytes )
MD5 hash:  be3b232529f87757d6a916851af30a5e
Detection ratio:  2 / 52
First submission:  2014-05-30 07:14:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/46c170dc2ff8cfa4152e5d4008b2bc889933b6ccde8f5f634ba03530a0a06d65/analysis/

 

MALWARE PAYLOAD

File name:  2014-05-30-Rig-EK-malware-payload.exe
File size:  213.5 KB ( 218624 bytes )
MD5 hash:  456b3a3ea40023fb9bf81ac701cea8f6
Detection ratio:  4 / 53
First submission:  2014-05-30 07:04:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/24e9008ae6a9cd629d47ed9e8f7062551c7c2fd4cf3d0575d1cedf9f6b6fc9f6/analysis/
Malwr link:  https://malwr.com/analysis/YzNkZDdmMTAzOGEyNDBkZjkyNWU4MGMxYWYwNTM2ZjE/
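The four metadata blocks above give two hashes per sample (the MD5 is stated; the SHA256 is embedded in the VirusTotal URL path), a size in bytes and a detection ratio. The following script is an added example, not part of this blog entry or its associated files: it parses those blocks as copied from this page into an IOC table, indexes both hashes, and checks arbitrary file contents against it. The input bytes used in the check are a constructed benign string, not a sample from the ZIP.

```python
"""Build an IOC table from the sample metadata on this page and check hashes against it."""
import hashlib
import re

# Metadata blocks copied from the PRELIMINARY MALWARE ANALYSIS section of this page.
SAMPLE_NOTES = """\
File name:  2014-05-30-Rig-EK-silverlight-exploit.xap
File size:  21.0 KB ( 21541 bytes )
MD5 hash:  5eec17841a04a21ebf6b3c98ccf33e0c
Detection ratio:  2 / 52
VirusTotal link:  https://www.virustotal.com/en/file/b08d25b46005f2b2a4dfa5b38e57b7320203333cb3fc510929cb97f27e6810e5/analysis/

File name:  2014-05-30-Rig-EK-flash-exploit.swf
File size:  3.5 KB ( 3534 bytes )
MD5 hash:  b1cdcfd3573644599a313e026c551943
Detection ratio:  2 / 53
VirusTotal link:  https://www.virustotal.com/en/file/75e372c335dfe12b8cef2431f3405f4a0119c0ae1753fbb862cd56081ded0df3/analysis/

File name:  2014-05-30-Rig-EK-flash-exploit-swfIE.swf
File size:  6.0 KB ( 6184 bytes )
MD5 hash:  be3b232529f87757d6a916851af30a5e
Detection ratio:  2 / 52
VirusTotal link:  https://www.virustotal.com/en/file/46c170dc2ff8cfa4152e5d4008b2bc889933b6ccde8f5f634ba03530a0a06d65/analysis/

File name:  2014-05-30-Rig-EK-malware-payload.exe
File size:  213.5 KB ( 218624 bytes )
MD5 hash:  456b3a3ea40023fb9bf81ac701cea8f6
Detection ratio:  4 / 53
VirusTotal link:  https://www.virustotal.com/en/file/24e9008ae6a9cd629d47ed9e8f7062551c7c2fd4cf3d0575d1cedf9f6b6fc9f6/analysis/
"""

SHA256_IN_URL = re.compile(r"/file/([0-9a-f]{64})/")
SIZE_BYTES = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")
RATIO = re.compile(r"(\d+)\s*/\s*(\d+)")


def parse_samples(text):
    """Turn the 'Key:  value' blocks into dicts with the fields a hash hunt needs."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only; URLs contain more
            fields[key.strip().lower()] = value.strip()
        if "file name" not in fields:
            continue
        hits, total = map(int, RATIO.search(fields["detection ratio"]).groups())
        records.append({
            "name": fields["file name"],
            "size": int(SIZE_BYTES.search(fields["file size"]).group(1)),
            "md5": fields["md5 hash"].lower(),
            # VirusTotal file URLs carry the SHA256 in the path, so we get a second hash for free.
            "sha256": SHA256_IN_URL.search(fields["virustotal link"]).group(1),
            "detections": hits,
            "engines": total,
        })
    return records


def build_index(records):
    """Map every known hash (MD5 and SHA256) to its record for constant-time lookup."""
    index = {}
    for rec in records:
        index[rec["md5"]] = rec
        index[rec["sha256"]] = rec
    return index


def check_bytes(data, index):
    """Hash file contents with both algorithms; return the matching record or None."""
    sha256 = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    return index.get(sha256) or index.get(md5)


def check_path(path, index):
    """Convenience wrapper for a file on disk (e.g. an extracted sample from the ZIP)."""
    with open(path, "rb") as fh:
        return check_bytes(fh.read(), index)


def low_detection(records, threshold=0.10):
    """Names of samples whose VT detection ratio at first submission was below threshold."""
    return [r["name"] for r in records if r["detections"] / r["engines"] < threshold]


if __name__ == "__main__":
    recs = parse_samples(SAMPLE_NOTES)
    idx = build_index(recs)
    for r in recs:
        print(f"{r['name']:50} {r['size']:>7} {r['md5']} {r['detections']}/{r['engines']}")
    # Constructed benign content: must not match any IOC.
    print("benign match:", check_bytes(b"constructed benign content, not a sample", idx))
    print("low-detection samples:", low_detection(recs))
```

All four samples fall under a 10% detection threshold on the day they were captured, which is the usual argument for hunting on hashes from a fresh capture rather than waiting for AV coverage.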

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect:

 

Rig EK landing page / CVE-2013-2551 MSIE exploit:

 

EXE payload sent after the landing page / CVE-2013-2551 MSIE exploit:

 

Rig EK sends Flash exploit:

 

Rig EK sends Silverlight exploit:

 

The same EXE payload sent again after the Silverlight exploit:

 

Rig EK sends the "swfIE" Flash exploit when using IE 10:

 

CryptoWall callback traffic:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
