2015-02-06 - RIG EK FROM 46.182.30.163 PUSHING KRONOS

ASSOCIATED FILES:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


RIG EK FROM 2015-02-05:


RIG EK FROM 2015-02-06:


POST-INFECTION TRAFFIC:


NOTE: The malware wouldn't run on a VM, and I saw nothing from the malwr.com analysis, so I had to use another malware analysis tool. No pcap on this, but here's a screenshot of the traffic:


SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:


PRELIMINARY MALWARE ANALYSIS

NOTE: The exploits and malware payload from 2015-02-05 have the same file hashes as the ones from 2015-02-06.

FLASH EXPLOIT:

File name:  2015-02-06-Rig-EK-flash-exploit.swf
File size:  19.8 KB ( 20239 bytes )
MD5 hash:  82a81b6f9ee1ec433678e3daabc8be59
Detection ratio:  4 / 56
First submission:  2015-02-05 14:11:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/79d84426dea00871efd41a1ba19547ef8fad672e12a2f5776f03c1da2f5d8c0d/analysis/


SILVERLIGHT EXPLOIT:

File name:  2015-02-06-Rig-EK-silverlight-exploit.xap
File size:  25.6 KB ( 26238 bytes )
MD5 hash:  5fa5959789a97d83f6b7625b86b434b9
Detection ratio:  6 / 56
First submission:  2015-01-14 14:37:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a35bc9d0db540fd8d33b7b1232d4e8714d79f12e8b6c0ecb2732a43e3d443409/analysis/


MALWARE PAYLOAD:

File name:  2015-02-06-Rig-EK-malware-payload.exe
File size:  288.0 KB ( 294912 bytes )
MD5 hash:  40118fcf2d286c60ee8ecd3f71aa6f52
Detection ratio:  19 / 56
First submission:  2015-02-06 17:16:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/99bd37770622b05a0c3d4179c4f8615fa00f2cc1f7c663e37f92a668d1adbf3a/analysis/
Malwr link:  https://malwr.com/analysis/MjAxZjhlNDQ4YWNlNDM1MzlmYTc0ZjE2MWIxMzc3ZTU/


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.