2014-10-05 - RIG EK FROM 37.200.69.87 - CONTACT.COLLEGEMOTORSLTD.COM

ASSOCIATED FILES:

 

NOTES:

 

MY BLOG ENTRIES ON THE WINDIGO GROUP SERVING RIG EK:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

RIG EK:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-05-Rig-EK-flashe-exploit.swf
File size:  4.1 KB ( 4238 bytes )
MD5 hash:  1ca3694873a7975dc4a286e11799a004
Detection ratio:  8 / 55
First submission:  2014-10-02 07:51:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3f0c210787ecd044c48792635998e4574a4c5abed1b150c02c62083b757b02f9/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-10-05-Rig-EK-silverlight-exploit.xap
File size:  36.5 KB ( 37375 bytes )
MD5 hash:  ab716b15872a59d913a7e98d57629705
Detection ratio:  2 / 55
First submission:  2014-10-05 00:46:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/46c2ff09e2be2d7af005679e364a92ca6d437aa40a24ccefd688a05dd79c4898/analysis/

 

MALWARE PAYLOAD:

File name:  2014-10-05-Rig-EK-malware-payload.exe
File size:  109.6 KB ( 112270 bytes )
MD5 hash:  8bb314e3b027f08891db469edb61e584
Detection ratio:  3 / 55
First submission:  2014-10-05 00:42:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54850b1dff3148f999959d59c34e2d1be488a3d60be493261249e09ef22fde89/analysis/
Malwr link:  https://malwr.com/analysis/MjM1NWJiZWY3OGM4NDdiNDk5YjU1YTM4ZWM2YTQ0ZDk/
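The listing above gives each artifact's size and MD5, and the VirusTotal URL embeds its SHA-256 as the file identifier. The script below is an added example (not part of the original post) that parses these entries and checks the files extracted from the associated ZIP against all three values, so a mismatch in a re-shared sample is caught before any analysis. It assumes the files sit in one directory under the names listed; the `abc.bin` entry used in the test is constructed. These hashes identify live exploit and payload samples, so run the check inside an isolated analysis VM.

```python
import hashlib
import re
from pathlib import Path

# The three PRELIMINARY MALWARE ANALYSIS entries from this page, copied verbatim.
PAGE_LISTING = """\
File name:  2014-10-05-Rig-EK-flashe-exploit.swf
File size:  4.1 KB ( 4238 bytes )
MD5 hash:  1ca3694873a7975dc4a286e11799a004
Detection ratio:  8 / 55
First submission:  2014-10-02 07:51:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3f0c210787ecd044c48792635998e4574a4c5abed1b150c02c62083b757b02f9/analysis/

File name:  2014-10-05-Rig-EK-silverlight-exploit.xap
File size:  36.5 KB ( 37375 bytes )
MD5 hash:  ab716b15872a59d913a7e98d57629705
Detection ratio:  2 / 55
First submission:  2014-10-05 00:46:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/46c2ff09e2be2d7af005679e364a92ca6d437aa40a24ccefd688a05dd79c4898/analysis/

File name:  2014-10-05-Rig-EK-malware-payload.exe
File size:  109.6 KB ( 112270 bytes )
MD5 hash:  8bb314e3b027f08891db469edb61e584
Detection ratio:  3 / 55
First submission:  2014-10-05 00:42:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54850b1dff3148f999959d59c34e2d1be488a3d60be493261249e09ef22fde89/analysis/
Malwr link:  https://malwr.com/analysis/MjM1NWJiZWY3OGM4NDdiNDk5YjU1YTM4ZWM2YTQ0ZDk/
"""

# "( 4238 bytes )" -> 4238
BYTES_RE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")
# VirusTotal file URLs carry the sample's SHA-256 as the path component after /file/.
VT_SHA256_RE = re.compile(r"virustotal\.com/\w+/file/([0-9a-fA-F]{64})/")


def parse_listing(text):
    """Turn 'Key:  value' blocks (separated by blank lines) into dicts.

    Each dict carries name, size in bytes, md5 and sha256 (from the VT URL).
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; URLs keep theirs
            if sep:
                fields[key.strip().lower()] = value.strip()
        entries.append({
            "name": fields["file name"],
            "size": int(BYTES_RE.search(fields["file size"]).group(1)),
            "md5": fields["md5 hash"].lower(),
            "sha256": VT_SHA256_RE.search(fields["virustotal link"]).group(1).lower(),
        })
    return entries


def check_bytes(data, entry):
    """Compare a sample's size, MD5 and SHA-256 with one listing entry."""
    return {
        "size": len(data) == entry["size"],
        "md5": hashlib.md5(data).hexdigest() == entry["md5"],
        "sha256": hashlib.sha256(data).hexdigest() == entry["sha256"],
    }


def check_directory(directory, listing=PAGE_LISTING):
    """Check every listed artifact in `directory`; a missing file maps to None."""
    results = {}
    for entry in parse_listing(listing):
        path = Path(directory) / entry["name"]
        if not path.is_file():
            results[entry["name"]] = None
            continue
        results[entry["name"]] = check_bytes(path.read_bytes(), entry)
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, result in check_directory(target).items():
        if result is None:
            print(f"{name}: not found")
        else:
            status = "OK" if all(result.values()) else "MISMATCH"
            print(f"{name}: {status} {result}")
```

Run it with the extraction directory as the only argument. Checking SHA-256 as well as MD5 matters here: MD5 collisions are cheap to produce, so a sample that only matches the 32-character hash is weaker evidence than one that also matches the SHA-256 VirusTotal keys the report on.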

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):

 

SCREENSHOTS FROM THE TRAFFIC

Compromised website redirects when reached through a Google search:

 

Cushion redirect:

 

Redirect points to Rig EK:

 

Rig EK sends Silverlight exploit:

 

Rig EK sends malware payload:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
