2014-10-04 - RIG EK AND UPATRE FROM PHISHING EMAILS

ASSOCIATED FILES:
NOTES:


Shown above:  The zip file offered as a download, while Rig EK happens in the background.
WAVES OF PHISHING EMAILS I'VE DOCUMENTED BY (WHAT I THINK IS) THE SAME ACTOR:
CHAIN OF EVENTS

ASSOCIATED DOMAINS:
PHISHING LINK FROM THE EMAIL (PROVIDES A ZIP FILE OF THE MALWARE):
RIG EK (INFECTS A VULNERABLE HOST WITH THE SAME MALWARE):
POST-INFECTION TRAFFIC:
PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-04-Rig-EK-flash-exploit.swf
File size:  4.1 KB ( 4238 bytes )
MD5 hash:  1ca3694873a7975dc4a286e11799a004
Detection ratio:  2 / 54
First submission:  2014-10-02 07:51:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3f0c210787ecd044c48792635998e4574a4c5abed1b150c02c62083b757b02f9/analysis/
JAVA EXPLOIT:

File name:  2014-10-04-Rig-EK-java-exploit.jar
File size:  9.2 KB ( 9380 bytes )
MD5 hash:  3fd18b6e0fb0f88d897fadbeae36c860
Detection ratio:  5 / 55
First submission:  2014-10-04 02:19:04 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4840f1d8a86e25528b4b6931d5cfa198b9afef5bd84c7544a81b6a706f405960/analysis/
MALWARE PAYLOAD (SAME AS EXTRACTED MALWARE FROM ZIP FILE):

File name:  document8621-79101_pdf.exe
File size:  44.5 KB ( 45568 bytes )
MD5 hash:  322cc3be1d5b0c41d707867146304d85
Detection ratio:  23 / 53
First submission:  2014-10-02 14:42:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3ac7b3e1c679134d3b63793dc6df49f8467f387b78e17947a22b516636b89aed/analysis/
Malwr link:  https://malwr.com/analysis/YzFiYzhmZmEwOGRiNDcwMDg4NDRmODQ5YmFjNGQxZGI/
ZIP FILE FROM THE WEB PAGE:

File name:  document8621-79101_pdf.zip
File size:  13.1 KB ( 13446 bytes )
MD5 hash:  c516abc8eb1acd38c57f3175032cb17c
Detection ratio:  26 / 55
First submission:  2014-10-02 14:40:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/39d8f256dcb91eab3c92dae72ab54fbb38157847336646ce23f26924f59a4b33/analysis/
FOLLOW-UP MALWARE:

File name:  junbc.exe
File size:  424.0 KB ( 434176 bytes )
MD5 hash:  27b8d15950022f53ca4ca7004932cf2b
Detection ratio:  21 / 54
First submission:  2014-10-02 18:44:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/286938569b92147be5ec50e06d4d7429eb442a751c0772cb57e146a0a1d0b489/analysis/
SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.