2014-09-09 - RIG EK FROM 178.132.204.97 - SDFI.APARTMENTPERCH.COM

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND CUSHION REDIRECT:

RIG EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-09-Rig-EK-flash-exploit.swf
File size:  4.2 KB ( 4276 bytes )
MD5 hash:  cd369e91ff61a2c1c493a686dd17f777
Detection ratio:  1 / 55
First submission:  2014-09-07 05:06:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5fa303a20aa2c368c2134599f518dc0d57276e386069d086aa97d3b2a210ab83/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-09-09-Rig-EK-silverlight-exploit.xap
File size:  19.9 KB ( 20370 bytes )
MD5 hash:  e7c9442472ae16bc950408146ad2db7c
Detection ratio:  2 / 55
First submission: 
VirusTotal link:  https://www.virustotal.com/en/file/1f87dac217f5570b24c4d8b3ec7b5cc31b09449b133660864d9517595149a0f3/analysis/

MALWARE PAYLOAD:

File name:  2014-09-09-Rig-EK-malware-payload.exe
File size:  102.3 KB ( 104758 bytes )
MD5 hash:  250819688dc109a79a4de24eeabbb3de
Detection ratio:  2 / 55
First submission:  2014-09-09 23:32:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/689fb4c908b29aa44859bfc8eef9f6b345ac5601d1046b4f26a5bfb5ff343ecd/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including the preprocessor alerts):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.