2014-07-21 - RIG EK FROM 37.200.65.4 - WELCOME.STOVEPIPEDINNERS.COM

ASSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

RIG EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-07-21-Rig-EK-flash-exploit.swf
File size:  4.1 KB ( 4177 bytes )
MD5 hash:  dc1e3480cc8eaf12af4fb3bee13d8e7c
Detection ratio:  0 / 53
First submission:  2014-07-20 04:21:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/63fbb1bab4b77dd3c35263c6b897b280a073938ac5eec1f6bbb99f56f359901e/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-07-21-Rig-EK-silverlight-exploit.xap
File size:  12.6 KB ( 12872 bytes )
MD5 hash:  812e31c141fbcc780b886e1b18431490
Detection ratio:  3 / 52
First submission:  2014-07-21 02:55:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c01afaf2487259b72e9017ea766ac1f15d40fd3e31a2ac4165cbe599a9752d4b/analysis/

MALWARE PAYLOAD:

File name:  2014-07-21-Rig-EK-malware-payload.exe
File size:  152.0 KB ( 155648 bytes )
MD5 hash:  02550a2540d64faeb43115497f7a6ac6
Detection ratio:  1 / 53
First submission:  2014-07-21 02:52:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/141631882d9b5771c7975f26553db94ba5527f3e6194ee4a153fc8691b44f6cf/analysis/

FOLLOW-UP MALWARE (RERDOM):

File name:  UpdateFlashPlayer_e6803363.exe
File size:  152.0 KB ( 155648 bytes )
MD5 hash:  e42b2b7e505e31ebcba53dff6dc72cdf
Detection ratio:  3 / 52
First submission:  2014-07-20 21:45:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4e05a40fbe6230bf51ca9e6dbd10165b9ae0507c3c7b3fb382fb51f80f39dd22/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO and ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

HIGHLIGHTS FROM THE TRAFFIC

Rig EK delivers Flash exploit:

Rig EK delivers Silverlight exploit:

Rig EK delivers malware payload:

Post-infection callback for Rerdom malware, saved to the user's AppData\Local\Temp directory as UpdateFlashPlayer_e6803363.exe:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.