2014-07-30 - RIG EK FROM 194.58.101.116 - FINISH.RESINBONDING.COM

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

RIG EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-07-30-Rig-EK-flash-exploit.swf
File size:  4.4 KB ( 4459 bytes )
MD5 hash:  9ae59cc660c22ed9c61b70fd61544b0f
Detection ratio:  0 / 54
First submission:  2014-07-30 01:00:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/68b53f82bc7f65dc672699dd72ecd8583b15cf0135ca64922350410238b42f4a/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-07-30-Rig-EK-silverlight-exploit.xap
File size:  47.2 KB ( 48324 bytes )
MD5 hash:  634437ccafcba0e951d1d1c034f8d736
Detection ratio:  3 / 53
First submission:  2014-07-28 17:46:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/632c769483c1d63e59cb1f9f83375c2fc7aa6fb47d5e13a0898084453090597d/analysis/

MALWARE PAYLOAD:

File name:  2014-07-30-Rig-EK-malware-payload.exe
File size:  308.0 KB ( 315392 bytes )
MD5 hash:  e821d7334d2ecc6bdbe899fa67830dad
Detection ratio:  2 / 53
First submission:  2014-07-30 01:00:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/995c0a36805fe6a95aee37748e24230edad1350321dc6cd7acf0c2de0326010f/analysis/
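
The hash listing above is the part of this write-up a responder actually reuses, so here is an added example (mine, not part of the original post and not from the exploit kit or the samples) in Python that parses these "File name / File size / MD5 hash / Detection ratio / VirusTotal link" blocks into records, pulls the SHA-256 out of the VirusTotal URL (the page itself only prints MD5), checks that each KB figure agrees with its byte count, and matches a sample against size, MD5 and SHA-256 together rather than MD5 alone. IOC_TEXT is condensed from this page (the "First submission" lines are dropped); the sample bytes in the demo are constructed and do not correspond to any real file.

```python
"""Parse this page's hash listing into IOC records and verify samples against them.
Added example, not part of the original write-up; IOC_TEXT is condensed from the
page (First submission lines dropped), the sample bytes under __main__ are made up."""
import hashlib
import re
from dataclasses import dataclass

IOC_TEXT = """\
FLASH EXPLOIT:
File name:  2014-07-30-Rig-EK-flash-exploit.swf
File size:  4.4 KB ( 4459 bytes )
MD5 hash:  9ae59cc660c22ed9c61b70fd61544b0f
Detection ratio:  0 / 54
VirusTotal link:  https://www.virustotal.com/en/file/68b53f82bc7f65dc672699dd72ecd8583b15cf0135ca64922350410238b42f4a/analysis/

SILVERLIGHT EXPLOIT:
File name:  2014-07-30-Rig-EK-silverlight-exploit.xap
File size:  47.2 KB ( 48324 bytes )
MD5 hash:  634437ccafcba0e951d1d1c034f8d736
Detection ratio:  3 / 53
VirusTotal link:  https://www.virustotal.com/en/file/632c769483c1d63e59cb1f9f83375c2fc7aa6fb47d5e13a0898084453090597d/analysis/

MALWARE PAYLOAD:
File name:  2014-07-30-Rig-EK-malware-payload.exe
File size:  308.0 KB ( 315392 bytes )
MD5 hash:  e821d7334d2ecc6bdbe899fa67830dad
Detection ratio:  2 / 53
VirusTotal link:  https://www.virustotal.com/en/file/995c0a36805fe6a95aee37748e24230edad1350321dc6cd7acf0c2de0326010f/analysis/
"""

_LABEL = re.compile(r"^([A-Z][A-Z ]+):$")                # "FLASH EXPLOIT:"
_FIELD = re.compile(r"^([A-Za-z0-9 ]+):\s+(.+?)\s*$")    # "MD5 hash:  9ae5..."
_SIZE = re.compile(r"^([\d.]+)\s*KB\s*\(\s*(\d+)\s*bytes\s*\)$")
_RATIO = re.compile(r"^(\d+)\s*/\s*(\d+)$")
_VT_SHA256 = re.compile(r"/file/([0-9a-f]{64})/")        # VT file URLs embed the SHA-256


@dataclass(frozen=True)
class Ioc:
    label: str
    name: str
    size: int
    md5: str
    sha256: str
    detections: int
    engines: int


def _ioc_from_fields(label, f):
    """Build one Ioc from a parsed block, rejecting malformed or inconsistent entries."""
    kb, size = _SIZE.match(f["File size"]).groups()
    size = int(size)
    if abs(float(kb) - round(size / 1024, 1)) > 1e-9:   # KB figure must agree with byte count
        raise ValueError(f"{f['File name']}: {kb} KB disagrees with {size} bytes")
    md5 = f["MD5 hash"].lower()
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        raise ValueError(f"{f['File name']}: malformed MD5 {md5!r}")
    sha256 = _VT_SHA256.search(f["VirusTotal link"]).group(1)
    det, eng = (int(x) for x in _RATIO.match(f["Detection ratio"]).groups())
    return Ioc(label, f["File name"], size, md5, sha256, det, eng)


def parse_iocs(text):
    """Return the listing's Ioc records in page order; each ALL-CAPS label opens a block."""
    iocs, label, fields = [], None, {}
    for line in text.splitlines():
        m = _LABEL.match(line)
        if m:
            if fields:
                iocs.append(_ioc_from_fields(label, fields))
                fields = {}
            label = m.group(1)
            continue
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    if fields:
        iocs.append(_ioc_from_fields(label, fields))
    return iocs


def hash_bytes(data):
    """(size, md5, sha256) of a sample; for a file pass open(path, 'rb').read()."""
    return len(data), hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def match_sample(data, iocs):
    """Return the Ioc whose size, MD5 and SHA-256 all match, else None. Requiring the
    SHA-256 (from the VT URL) as well as MD5 guards against a typo'd or colliding MD5."""
    size, md5, sha256 = hash_bytes(data)
    for ioc in iocs:
        if (size, md5, sha256) == (ioc.size, ioc.md5, ioc.sha256):
            return ioc
    return None


if __name__ == "__main__":
    known = parse_iocs(IOC_TEXT)
    for ioc in known:
        print(f"{ioc.label:<20} {ioc.name:<45} {ioc.size:>7} B  {ioc.detections}/{ioc.engines}  sha256={ioc.sha256}")
    sample = b"MZ" + b"\x00" * 100   # constructed stand-in, not a real sample
    print("constructed sample matches page IOCs:", match_sample(sample, known) is not None)
```

To check a file you carved from the pcap, call `match_sample(open(path, "rb").read(), parse_iocs(IOC_TEXT))`. Treat a lone MD5 hit with a differing SHA-256 as a mismatch, not a confirmation: MD5 is the weaker of the two identifiers and is the one most likely to have been mistyped when copied from a write-up.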
SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

SCREEN SHOTS FROM THE TRAFFIC

Malicious iframe in page from compromised server:

Redirect chain pointing to Rig exploit kit:

After the Rig EK infection, here's an example of the traffic that triggered snort events for ETPRO TROJAN Carberp/Rovnix Proxy Connection:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
