2015-08-17 - RIG EK FROM 94.142.139.186 - LIFE.MIRAGE-INC.COM

PCAP AND MALWARE:

TRAFFIC

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

RIG EK:

POST-INFECTION HTTP TRAFFIC:

OTHER POST-INFECTION TRAFFIC:

  • 2015-08-17 18:04:49 UTC - 103.232.222.57 port 6355
  • 2015-08-17 18:04:59 UTC - 103.21.88.25 port 6355
  • 2015-08-17 18:04:59 UTC - 103.248.21.83 port 6355
  • 2015-08-17 18:04:59 UTC - 185.59.100.8 port 6355
  • 2015-08-17 18:04:59 UTC - 93.189.40.187 port 6355
  • 2015-08-17 18:04:59 UTC - 178.62.233.35 port 6355
  • 2015-08-17 18:04:59 UTC - 212.76.140.209 port 6355
  • 2015-08-17 18:04:59 UTC - 217.12.220.224 port 6355
  • 2015-08-17 18:05:29 UTC - 109.228.235.233 port 7212

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2015-08-17-Rig-EK-Flash-exploit.swf
File size:  38.7 KB ( 39,618 bytes )
MD5 hash:  1f620b3df8b4a31bfaf491f60dcb6b05
SHA1 hash:  5bb3752df7af9a02e76549f25a73472e90aac560
SHA256 hash:  53f41b21bf486975707840c24100322f1e7613b5bc4c9ebaf9a846ef2b525b95
Detection ratio:  2 / 56
First submission:  2015-08-16 21:21:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/53f41b21bf486975707840c24100322f1e7613b5bc4c9ebaf9a846ef2b525b95/analysis/

MALWARE PAYLOAD

File name:  2015-08-17-Rig-EK-malware-payload.exe
File size:  168.0 KB ( 172,032 bytes )
MD5 hash:  dd17bf5ab2dab1f4a6e8d5a2c37bc830
SHA1 hash:  01761a5432b168a1e29f31de71cd9dcae2d68785
SHA256 hash:  fb3fdd2c953721e47a6e122a459b43de05405da2d3e42f54f02d720ef948bce6
Detection ratio:  14 / 56
First submission:  2015-08-17 21:01:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fb3fdd2c953721e47a6e122a459b43de05405da2d3e42f54f02d720ef948bce6/analysis/
Malwr link:  https://malwr.com/analysis/YjhiYWNiYzJjMWZiNDUxZjhmZDZlZGYxMDM1OWIyM2Q/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/fb3fdd2c953721e47a6e122a459b43de05405da2d3e42f54f02d720ef948bce6?environmentId=1

DROPPED MALWARE ON INFECTED HOST

File name:  C:\Users\username\qerdycjj.exe
File size:  42.2 MB ( 44,285,952 bytes )
MD5 hash:  9c77fd2e09967c3ae13cdb4dae313ab6
SHA1 hash:  2eeab6b8e572d3a28c72fe8b9bb5d0e3f616a394
SHA256 hash:  3886487fe84636157fe0a8e20dc9b25a5518590093b2536e56fa9e5fd3fe4f25
Detection ratio:  15 / 56
First submission:  2015-08-17 21:04:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3886487fe84636157fe0a8e20dc9b25a5518590093b2536e56fa9e5fd3fe4f25/analysis/

SNORT EVENTS

Suricata using the Emerging Threats open and ETpro rulesets on Security Onion (not including ET INFO or ET POLICY rules):

Snort 2.9.7.3 using Talos Snort Registered Rules on Debian 7:

IMAGES FROM THE TRAFFIC

Gate URL returns iframe pointing to the Rig EK landing page:

HTTP traffic from the pcap:

Wireshark filtered to show some of the post-infection DNS queries and TCP traffic, showing some of the mail server connection attempts:

Wireshark filtered to show some of the post-infection IP addresses and ports (not the HTTP or mail server traffic):

FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.