2015-09-21 - RIG EK FROM 46.30.43.111 - REH.HEALTZKART.ORG

PCAP AND MALWARE:

 

NOTES:

 


Shown above: Sguil after using tcpreplay on the pcap in Security Onion (set up with Suricata and the EmergingThreats open signature set).

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

RIG EK:

 

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-09-21-Rig-EK-flash-exploit.swf
File size:  38.6 KB ( 39573 bytes )
MD5 hash:  09766d028aae04612baacc1d7a28c9e8
SHA1 hash:  64881fb9c97f2985842edd71942bb8e940ec3634
SHA256 hash:  0e4c19b05b23280b2a32beda36dd9da3e61d694ce9bb00f2153e46d68f894c95
Detection ratio:  3 / 56
First submission:  2015-09-17 08:57:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0e4c19b05b23280b2a32beda36dd9da3e61d694ce9bb00f2153e46d68f894c95/analysis/

 

MALWARE PAYLOAD:

File name:  2015-09-21-Rig-EK-malware-payload.exe
File size:  204.0 KB ( 208896 bytes )
MD5 hash:  f28a510561f67b92a1c56578460bef29
SHA1 hash:  199ad92b81a73fd411e48ba003e20d8c35abbec7
SHA256 hash:  4a4db359d30358aced84aca1a7346be589c01f8e929aed6ca44427e4a5064fc5
Detection ratio:  2 / 56
First submission:  2015-09-21 18:19:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4a4db359d30358aced84aca1a7346be589c01f8e929aed6ca44427e4a5064fc5/analysis/
Malwr link:  https://malwr.com/analysis/NjQxZGYyNzkyNmUzNDRjYWI4MTMzOWZiYWI3OGY0MTg/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/4a4db359d30358aced84aca1a7346be589c01f8e929aed6ca44427e4a5064fc5?environmentId=4

SCREENSHOTS

A page from the compromised website had five items of injected script to the same redirect domain:

 

Below shows an iframe returned after one of the HTTP GET requests to the redirect domain:

 

There was a lot of SMTP traffic (TCP port 25) from my infected host (not included with the pcap in this blog entry).  Using the menus in Wireshark, I went to Statistics --> Conversations to bring up the conversations window.  Going to the TCP tab, I sorted on the ports and checked whether any substantial amount of packets was sent from my machine via port 25 (SMTP).  There was about 275 KB to a Microsoft IP address:

 

Following the TCP stream, I saw SMTP traffic to a Hotmail server.

 

My infected host was sending dating/porn-themed spam to various mail servers.  I shut it down pretty quickly after I realized what was happening.
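The check above (sort the TCP conversations on port 25 and look for a host pushing hundreds of KB out to mail servers) can be scripted over a pcap. This is an added example, not part of the original post and not the post's pcap: it reads the classic libpcap format with the standard library only, totals outbound SMTP payload per peer, and flags peers above a constructed 200 KB threshold. The addresses and the sample capture are constructed for the example.

```python
import ipaddress, struct
from collections import defaultdict

def iter_frames(data):
    """Yield raw frames from a classic libpcap file (24-byte global header, 16-byte record headers)."""
    end = '<' if data[:4] == b'\xd4\xc3\xb2\xa1' else '>'   # magic number tells us the byte order
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + 'IIII', data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload_len) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0f) * 4, struct.unpack('!H', frame[16:18])[0]
    src, dst = (str(ipaddress.IPv4Address(frame[i:i + 4])) for i in (26, 30))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack('!HH', tcp[:4])
    return src, dst, sport, dport, len(tcp) - (tcp[12] >> 4) * 4   # subtract the TCP header length

def smtp_bytes_by_peer(pcap, host):
    """Bytes of TCP payload that `host` sent to each peer on port 25 (what the conversations window totals)."""
    totals = defaultdict(int)
    for frame in iter_frames(pcap):
        pkt = parse_tcp(frame)
        if pkt and pkt[0] == host and pkt[3] == 25:
            totals[pkt[1]] += pkt[4]
    return dict(totals)

def spam_suspects(pcap, host, threshold=200 * 1024):
    """Peers that received at least `threshold` bytes of SMTP payload; the threshold is an assumption."""
    return sorted(p for p, n in smtp_bytes_by_peer(pcap, host).items() if n >= threshold)

# Constructed sample traffic (not the post's pcap): minimal headers, checksums left zero.
def _frame(src, dst, sport, dport, payload):
    ip = lambda a: ipaddress.IPv4Address(a).packed
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip(src), ip(dst))
    return b'\x00' * 12 + b'\x08\x00' + hdr + tcp

def _pcap(frames):
    header = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return header + b''.join(struct.pack('<IIII', 0, 0, len(f), len(f)) + f for f in frames)

# 200 segments of 1400 bytes to one mail server (~273 KB), plus one unrelated HTTP request.
SAMPLE_PCAP = _pcap([_frame('10.0.0.5', '203.0.113.25', 49152 + i, 25, b'X' * 1400) for i in range(200)]
                    + [_frame('10.0.0.5', '198.51.100.9', 49900, 80, b'GET / HTTP/1.1\r\n')])
```

Run `spam_suspects(SAMPLE_PCAP, '10.0.0.5')` on the constructed capture and only the mail server is returned; swap in a real pcap's bytes and the infected host's address to reproduce the Wireshark check.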

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
