2014-07-25 - RIG EK FROM 194.58.101.49 - WELCOME.SHOPSTHATGIVEA.COM

ASSOCIATED FILES:
CHAIN OF EVENTS

ASSOCIATED DOMAINS:
RIG EK:
POST-INFECTION TRAFFIC:
PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-07-25-Rig-EK-flash-exploit.swf
File size:  4.3 KB ( 4453 bytes )
MD5 hash:  3d7e96bd371bfbac440864dc651a0ddf
Detection ratio:  0 / 53
First submission:  2014-07-25 19:39:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/48272657d2347f7dfca47f8c99822264c1ac7df44a37fbd3b555e40bed99d3dd/analysis/
SILVERLIGHT EXPLOIT:

File name:  2014-07-25-Rig-EK-silverlight-exploit.xap
File size:  47.5 KB ( 48688 bytes )
MD5 hash:  1699d8065bb7e9ae66491d6e52cc6981
Detection ratio:  9 / 52
First submission:  2014-07-23 10:46:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d6928f1c8680059cddb757a3d219717f0ed5ca42ae0cd9f8bbfeaf3602cee5c5/analysis/
MALWARE PAYLOAD:

File name:  2014-07-25-Rig-EK-malware-payload.exe
File size:  219.5 KB ( 224768 bytes )
MD5 hash:  7ef60352e4076902e4817115125ab72f
Detection ratio:  2 / 53
First submission:  2014-07-25 18:45:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/78c076664d94fbb6fecfc16e08e5155ffee947a5a8867f1bc2268be9e2c97faf/analysis/
SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.