2014-09-23 - RIG EK FROM 178.132.203.26 - MDIF.BOROUGHVENTUREMENSWEAR.COM

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE:


CUSHION REDIRECT AND RIG EK:

NOTE: The browser (IE 10) crashed and restarted the exploit chain three times.


FINAL REDIRECT TO ADULTFRIENDFINDER.COM:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-09-23-Rig-EK-flash-exploit.swf
File size:  4.0 KB ( 4111 bytes )
MD5 hash:  a177091ca56a80cecfc5f7a125913b00
Detection ratio:  1 / 53
First submission:  2014-09-10 08:40:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cbb51c733020ad5c110c02e8e625ac4ea24836f448f5b4fe7db114dbcaa6a888/analysis/


SILVERLIGHT EXPLOIT

File name:  2014-09-23-Rig-EK-silverlight-exploit.xap
File size:  27.5 KB ( 28123 bytes )
MD5 hash:  b6ccac3725de163ff5f33447516ea08d
Detection ratio:  3 / 54
First submission:  2014-09-17 03:16:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1c586859a8d724715deb207c088e9143fd99da2bf2c7d73fc47cf23301917601/analysis/


MALWARE PAYLOAD

File name:  2014-09-23-Rig-EK-malware-payload.exe
File size:  89.6 KB ( 91761 bytes )
MD5 hash:  6b6648e52e8a77c4f333ba3962bb623c
Detection ratio:  5 / 54
First submission:  2014-09-23 03:51:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9ea9091c048283e3f8b97f2e1a811012f84b5fd7e4da065cf119f7bb4b536d65/analysis/
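
The three file listings above give MD5, size, and (inside each VirusTotal URL) the SHA256 of the samples. The script below is an added example, not part of the original post or its ZIP archive: it turns those listed values into an indicator list, pulls the SHA256 out of each VirusTotal link, and checks arbitrary bytes or a directory of extracted files against it. The hashes and sizes are copied from this page; the sample bytes in main() are constructed and are not one of the real files.

```python
"""Hash-based IOC check for the three samples listed above.

Added example, not part of the original post. MD5, size and SHA256 values
are copied from the table on this page (SHA256 taken from each VirusTotal
URL); the sample bytes in main() are constructed, not a real sample.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Optional

# VirusTotal file-report URLs carry the file's SHA256 between "/file/" and "/".
VT_FILE_RE = re.compile(r"virustotal\.com/(?:[a-z]{2}/)?file/([0-9a-fA-F]{64})/")


@dataclass(frozen=True)
class Ioc:
    name: str
    size: int      # bytes, as listed on the page
    md5: str
    sha256: str


def sha256_from_vt_link(url: str) -> str:
    """Pull the 64-hex-character SHA256 out of a VirusTotal report link."""
    m = VT_FILE_RE.search(url)
    if m is None:
        raise ValueError(f"no SHA256 found in VirusTotal link: {url}")
    return m.group(1).lower()


IOCS = [
    Ioc("2014-09-23-Rig-EK-flash-exploit.swf", 4111,
        "a177091ca56a80cecfc5f7a125913b00",
        sha256_from_vt_link("https://www.virustotal.com/en/file/"
                            "cbb51c733020ad5c110c02e8e625ac4ea24836f448f5b4fe7db114dbcaa6a888/analysis/")),
    Ioc("2014-09-23-Rig-EK-silverlight-exploit.xap", 28123,
        "b6ccac3725de163ff5f33447516ea08d",
        sha256_from_vt_link("https://www.virustotal.com/en/file/"
                            "1c586859a8d724715deb207c088e9143fd99da2bf2c7d73fc47cf23301917601/analysis/")),
    Ioc("2014-09-23-Rig-EK-malware-payload.exe", 91761,
        "6b6648e52e8a77c4f333ba3962bb623c",
        sha256_from_vt_link("https://www.virustotal.com/en/file/"
                            "9ea9091c048283e3f8b97f2e1a811012f84b5fd7e4da065cf119f7bb4b536d65/analysis/")),
]


def hash_bytes(data: bytes) -> tuple[str, str]:
    """Return (md5, sha256) hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def match_ioc(data: bytes, iocs=IOCS) -> Optional[dict]:
    """Compare bytes against the IOC list.

    SHA256 is the authoritative indicator. A hit on either digest is
    returned together with which of size/md5/sha256 agreed, so that a
    transcription error in the table (or an MD5-only match) is visible
    instead of being silently treated as a confirmed sample.
    """
    md5, sha256 = hash_bytes(data)
    for ioc in iocs:
        hits = {
            "size": len(data) == ioc.size,
            "md5": md5 == ioc.md5.lower(),
            "sha256": sha256 == ioc.sha256.lower(),
        }
        if hits["md5"] or hits["sha256"]:
            return {"ioc": ioc, "hits": hits,
                    "confirmed": hits["md5"] and hits["sha256"] and hits["size"]}
    return None


def scan_directory(path: str, iocs=IOCS) -> list[tuple[str, dict]]:
    """Hash every regular file under `path` (e.g. the extracted ZIP) and report hits."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                result = match_ioc(fh.read(), iocs)
            if result is not None:
                findings.append((full, result))
    return findings


if __name__ == "__main__":
    # Constructed input: same size as the Flash exploit but arbitrary content,
    # so only the size agrees and no hit is reported.
    fake_swf = b"A" * 4111
    print(match_ioc(fake_swf))
    for ioc in IOCS:
        print(f"{ioc.name}: md5={ioc.md5} sha256={ioc.sha256}")
```

Size alone is never treated as a hit; it is only recorded alongside the digests so a partial match (for example a file whose MD5 agrees but whose SHA256 does not) stands out as something to re-check rather than as a confirmed sample.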


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
