2014-09-06 - RIG EK FROM 178.132.203.113 - KWI.AMULET-AM.COM

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT CHAIN:

RIG EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-06-Rig-EK-flash-exploit.swf
File size:  4.1 KB ( 4226 bytes )
MD5 hash:  e5124445264205760f5b2fdc1a715d3c
Detection ratio:  3 / 55
First submission:  2014-09-07 00:17:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f8f33af343dd8d011b2bb004a9d0fd668b9c3cf7852db0b3cdd57968ee042b2a/analysis/

JAVA EXPLOIT:

File name:  2014-09-06-Rig-EK-java-exploit.jar
File size:  11.4 KB ( 11634 bytes )
MD5 hash:  0265e3cac6dc88ae91b3946a13776b4a
Detection ratio:  6 / 55
First submission:  2014-09-07 00:17:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5eefa1e27cb2d2b66f8cdf2fd1565700e1854bb1241da2fd945706ab2ffd73c8/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

SCREENSHOTS FROM THE TRAFFIC

Malicious, hex-encoded script in page from compromised website pointing to the first redirect:

HTTP response from the first redirect domain pointing to the second redirect:

HTTP response from the second redirect domain pointing to a Rig EK landing page:

Rig EK sends the Flash exploit:

Rig EK sends the Java exploit:

Java exploit tries to download the malware payload; however, it only returns a 200 OK and zero bytes of payload.

The payload file is created in the user's AppData\Local\Temp directory, but it is zero bytes, matching the zero-byte payload returned by the server.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.