2015-12-31 - FOLLOW UP TO ISC DIARY ABOUT ACTOR USING RIG EK TO DELIVER QBOT

ASSOCIATED FILES:


NOTES:

  • The first HTTP GET request to the compromised site.
  • HTTP GET request for .js from the compromised site with malicious script.
  • Traffic to the gate domain.
  • Rig EK.
  • Part 1: The .js file with malicious script sent by the compromised site.
  • Part 2: Text returned from the gate for the main_color_handle variable.
  • Part 3: Rig EK landing page.
  • Part 4: Flash exploit sent by Rig EK.
  • Part 5: Rig EK malware payload (Qbot or Qakbot).


TRAFFIC

For the 8 samples of Rig EK from this actor, the traffic breaks out as follows:


TRAFFIC (EXAMPLES 1 THROUGH 8):


MALWARE

EXAMPLE 1 FLASH EXPLOIT - MD5 hash: 994215eb988b86516ddd8b5cdfc59e7b

EXAMPLE 1 MALWARE PAYLOAD - MD5 hash: 2fde1700967fb6da5127b27a64769b0f


EXAMPLE 2 FLASH EXPLOIT: same as example 1

EXAMPLE 2 MALWARE PAYLOAD - MD5 hash: c4523fbc6c739998d4a9974dbb4a3284


EXAMPLE 3 FLASH EXPLOIT - MD5 hash: 7826cf5a7fb8128642a487f75e428f71

EXAMPLE 3 MALWARE PAYLOAD - MD5 hash: c788f7d438731bdb6992db51b0f45e5b


EXAMPLE 4 FLASH EXPLOIT: same as example 3

EXAMPLE 4 MALWARE PAYLOAD - MD5 hash: 9743ed204f2e9dd28e3dd282265281fa


EXAMPLE 5 FLASH EXPLOIT: same as example 3

EXAMPLE 5 MALWARE PAYLOAD - MD5 hash: 5624fbc2f31d21160763db5a04482632


EXAMPLE 6 FLASH EXPLOIT: same as example 3

EXAMPLE 6 MALWARE PAYLOAD - MD5 hash: aa00bdfb7c4b174695d27166457a2e1f


EXAMPLE 7 FLASH EXPLOIT: same as example 3

EXAMPLE 7 MALWARE PAYLOAD - MD5 hash: fc7e48951130ffc53a7c618d65366797


EXAMPLE 8 FLASH EXPLOIT: same as example 3

EXAMPLE 8 MALWARE PAYLOAD - MD5 hash: 6905078969a63421fd6fca0d3cb8e3c8


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.