2014-07-14 - RIG EK FROM 46.182.27.166 - ABSTRACKT.THOMASARTA.COM - ALSO FROM 178.132.203.218 - GRIZZL.THEWELL-BEINGCOMPANY.COM

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

RIG EK - FIRST ATTEMPT WITH FLASH AND SILVERLIGHT EXPLOITS:

RIG EK - SECOND ATTEMPT WITH JAVA EXPLOIT:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-07-14-Rig-EK-flash-exploit.swf
File size:  4.1 KB ( 4153 bytes )
MD5 hash:  b0e9d5ac051d1606652e74e2c66bed22
Detection ratio:  0 / 53
First submission:  2014-07-09 07:46:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d4fce22526e1aec3f04400179b3bb4267c4f8c1818dd621fa250a39a03420024/analysis/

JAVA EXPLOIT

File name:  2014-07-14-Rig-EK-java-exploit.jar
File size:  15.8 KB ( 16161 bytes )
MD5 hash:  83798d39dde98babb3b07e243f7aa1c5
Detection ratio:  3 / 54
First submission:  2014-07-15 01:34:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6391eb18d40344a6bd2dce1cfb0f2a5009267d1b16dc27491744e08bc5920bbb/analysis/

SILVERLIGHT EXPLOIT

File name:  2014-07-14-Rig-EK-silverlight-exploit.xap
File size:  12.2 KB ( 12507 bytes )
MD5 hash:  af634212316b3908fee5c3ff1029a678
Detection ratio:  4 / 53
First submission:  2014-07-14 14:44:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8f6581fabe61ec3e8fefab4a9c9a9da6d99db518791ae8e48b80dfa0912fec68/analysis/

MALWARE PAYLOAD

File name:  2014-07-14-Rig-EK-malware-payload.exe
File size:  728.0 KB ( 745472 bytes )
MD5 hash:  01f4b1d9b2aafb86d5ccfa00e277fb9d
Detection ratio:  5 / 54
First submission:  2014-07-15 01:35:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/29f932227fc489ffb0cec82a02869a6c96a568b7fb94f35e3eb4393cdd37efe0/analysis/
Malwr link:  https://malwr.com/analysis/OTE5Y2VlNzJiN2MyNGI1NGE3NjA0ODhkMDE0MGM1NDU/

SNORT EVENTS FROM FIRST PCAP (FLASH AND SILVERLIGHT EXPLOITS)

Emerging Threats and ETPRO rulesets from Sguil on Security Onion:

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

SNORT EVENTS FROM SECOND PCAP (JAVA EXPLOIT)

Emerging Threats and ETPRO rulesets from Sguil on Security Onion:

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.