2015-11-16 - MALICIOUS SCRIPT WITH BACKWARD URL LEADS TO RIG EK

ASSOCIATED FILES:

NOTES:


Shown above:  Can't get to the compromised website from a Google search.

 

TRAFFIC

ASSOCIATED DOMAINS:

TRAFFIC FROM THE FIRST RUN:

TRAFFIC FROM THE SECOND RUN:

PRELIMINARY MALWARE ANALYSIS

RIG EK FLASH EXPLOIT:

File name:  2015-11-16-Rig-EK-flash-exploit.swf
File size:  13.3 KB ( 13,650 bytes )
MD5 hash:  bf43345f0b9fac7ea00d0b0a26655323
SHA1 hash:  63ad8c9823bcb005dbe851496b88c7bf221342ae
SHA256 hash:  3bba44af66ae77f18eb6108eb76b8fc3f898470d59886d9dbdecf8a74d207274
Detection ratio:  5 / 54
First submission:  2015-11-16 18:24:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3bba44af66ae77f18eb6108eb76b8fc3f898470d59886d9dbdecf8a74d207274/analysis/

RIG EK MALWARE PAYLOAD:

File name:  2015-11-16-Rig-EK-malware-payload.exe
File size:  192.0 KB ( 196,608 bytes )
MD5 hash:  28b07c5d425386a55945eb354cc41354
SHA1 hash:  1a4e5cfc5c1893aeb0c666afb3ad56849fde9a5d
SHA256 hash:  21a7e9d475edf3f115af8aa7ef2367534e810267c5b376b2636a758da66434bb
Detection ratio:  5 / 54
First submission:  2015-11-16 17:56:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/21a7e9d475edf3f115af8aa7ef2367534e810267c5b376b2636a758da66434bb/analysis/
Malwr.com link:  https://malwr.com/analysis/MGNhY2JkMDNiYzM1NDM3ZTlhYzFkYzgxMTJjZmRjMWE/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/21a7e9d475edf3f115af8aa7ef2367534e810267c5b376b2636a758da66434bb?environmentId=1

REGISTRY KEY UPDATES FROM THE MALWARE FOR PERSISTENCE AFTER THE FIRST RUN:

REGISTRY KEY UPDATES FROM THE SAME MALWARE FOR PERSISTENCE AFTER THE SECOND RUN:

IMAGES


Shown above:  Traffic filtered in Wireshark from the first run.

Shown above:  Traffic filtered in Wireshark from the second run.

Shown above:  Injected script in page from compromised website.

Shown above:  Script returned from Pastebin URL pointing to next redirect.

Shown above:  Script returned from lachinampa.com.mx pointing to the Rig EK landing page.

Shown above:  Registry key update by the malware from the first run.

Shown above:  Registry key update by the same malware from the second run.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
