2016-02-07 - RIG EK FROM 188.227.16.59

PCAP AND MALWARE:

 

NOTES:

 


Shown above:  David's Python script.

 


Shown above:  David's Python script in action.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

TRAFFIC - FIRST RUN:

  • 2016-02-07 16:05:14 UTC - www.engeniusforum.com - GET /
  • 2016-02-07 16:05:14 UTC - www.engeniusforum.com - GET /assets/javascript/jquery.min.js?assets_version=5
  • 2016-02-07 16:05:15 UTC - sc.gandhiprobably.com - GET /pymuviewforumil.php
  • 2016-02-07 16:05:17 UTC - ds.411foru.net - GET /?wHeLf7iaJBvMDYU=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfEQuU721XzzbNGJckkzxWKvDNQnehIVwgUtQwXnvzNBKqE
  • 2016-02-07 16:05:18 UTC - ds.411foru.net - GET /index.php?wHeLf7iaJBvMDYU=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfEQuU721XzzbNGJckkzxWKvDNQnehIVwgUtQwXnvzNBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PN2nZYmmA
  • 2016-02-07 16:05:18 UTC - ds.411foru.net - GET /index.php?wHeLf7iaJBvMDYU=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfEQuU721XzzbNGJckkzxWKvDNQnehIVwgUtQwXnvzNBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PV0mZxg

 

TRAFFIC - SECOND RUN:

  • 2016-02-07 16:16:14 UTC - www.engeniusforum.com - GET /
  • 2016-02-07 16:16:15 UTC - www.engeniusforum.com - GET /assets/javascript/jquery.min.js?assets_version=5
  • 2016-02-07 16:16:15 UTC - sc.gandhiprobably.com - GET /qjfsviewforummyl.php
  • 2016-02-07 16:16:16 UTC - ds.411foru.net - GET /?x3qJc7ieLhrOD4E=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZWUQLY7i172yLUcdclzkxbUuGRYyuNJBllCsg8bmPzMBKqE
  • 2016-02-07 16:16:18 UTC - ds.411foru.net - GET /index.php?x3qJc7ieLhrOD4E=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZWUQLY7i172yLUcdclzkxbUuGRYyuNJBllCsg8bmPzMBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PB8npMmmA
  • 2016-02-07 16:16:19 UTC - ds.411foru.net - GET /index.php?x3qJc7ieLhrOD4E=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZWUQLY7i172yLUcdclzkxbUuGRYyuNJBllCsg8bmPzMBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PV9lZUs3lM&dop=2
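The two runs above show the same shape each time: the compromised site, one request to the gate, then a landing-page request and two /index.php requests on the Rig EK host, all carrying the same random-looking parameter name with a long token that is nearly identical across the three requests. The script below is an added example (it is not David's script and not code from this page) that parses request lines in the format used above and tags each one with its role in that chain. The tagging rules, the role names and the 0.9 similarity threshold are assumptions drawn from this traffic, not a published Rig EK signature; the sample log is the first run copied from this page.

```python
"""Tag HTTP requests with their role in an exploit-kit chain.

Added example, not the page's own code. The rules below are assumptions
derived from the Rig EK traffic shown on this page, not a vendor signature.
"""
import re
from datetime import datetime

# Constructed sample input: the "first run" entries from this page,
# one request per line as "timestamp UTC - host - METHOD path".
SAMPLE_LOG = """\
2016-02-07 16:05:14 UTC - www.engeniusforum.com - GET /
2016-02-07 16:05:14 UTC - www.engeniusforum.com - GET /assets/javascript/jquery.min.js?assets_version=5
2016-02-07 16:05:15 UTC - sc.gandhiprobably.com - GET /pymuviewforumil.php
2016-02-07 16:05:17 UTC - ds.411foru.net - GET /?wHeLf7iaJBvMDYU=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfEQuU721XzzbNGJckkzxWKvDNQnehIVwgUtQwXnvzNBKqE
2016-02-07 16:05:18 UTC - ds.411foru.net - GET /index.php?wHeLf7iaJBvMDYU=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfEQuU721XzzbNGJckkzxWKvDNQnehIVwgUtQwXnvzNBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PN2nZYmmA
2016-02-07 16:05:18 UTC - ds.411foru.net - GET /index.php?wHeLf7iaJBvMDYU=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfEQuU721XzzbNGJckkzxWKvDNQnehIVwgUtQwXnvzNBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PV0mZxg
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)$"
)
# A "long token": 64+ characters drawn only from the URL-safe base64 alphabet.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{64,}$")


def parse_log(text):
    """Parse request lines into dicts with ts, host, method, path and params."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        path, _, query = m["path"].partition("?")
        params = {}
        for kv in query.split("&") if query else []:
            key, _, value = kv.partition("=")
            params[key] = value
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "host": m["host"], "method": m["method"],
            "path": path, "params": params,
        })
    return events


def long_token(params):
    """Return the first (key, value) whose value looks like a long URL-safe token, else None."""
    for key, value in params.items():
        if TOKEN_RE.match(value):
            return key, value
    return None


def similarity(a, b):
    """Fraction of positions that match over the shorter string (0.0 to 1.0).

    A plain common-prefix check is not enough here: the landing token and the
    /index.php tokens on this page differ at the 4th character and then agree
    for over 150 characters, so compare position by position instead.
    """
    n = min(len(a), len(b))
    if n == 0:
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / n


def classify(events, min_similarity=0.9):
    """Assign one role per event (assumed rules, see module docstring):

    ek_landing      first request to a host that carries a long token
    ek_followup     later request to that host with the same parameter name
                    and a token nearly identical to the landing token
    ek_token        long token on that host, but unrelated to the landing token
    gate_candidate  the request just before the first ek_landing, if it went
                    to a different host
    other           everything else (compromised site, legitimate assets)
    """
    roles = ["other"] * len(events)
    landing = {}  # host -> (param name, token) of its first long-token request
    for i, ev in enumerate(events):
        tok = long_token(ev["params"])
        if tok is None:
            continue
        key, value = tok
        seen = landing.get(ev["host"])
        if seen is None:
            landing[ev["host"]] = (key, value)
            roles[i] = "ek_landing"
        elif seen[0] == key and similarity(seen[1], value) >= min_similarity:
            roles[i] = "ek_followup"
        else:
            roles[i] = "ek_token"
    first = next((i for i, r in enumerate(roles) if r == "ek_landing"), None)
    if first is not None and first > 0 and events[first - 1]["host"] != events[first]["host"]:
        roles[first - 1] = "gate_candidate"
    return roles


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, role in zip(evs, classify(evs)):
        print("%s  %-15s %s %s" % (ev["ts"].strftime("%H:%M:%S"), role, ev["host"], ev["path"]))
```

Running it on the first run tags the two engeniusforum.com requests as other, sc.gandhiprobably.com as gate_candidate, the ds.411foru.net "/" request as ek_landing and the two /index.php requests as ek_followup. The gate rule is the weakest of the set (it only keys on position in the sequence), which is why it is reported as a candidate rather than a verdict; the long-token and near-identical-token rules are what make the EK host stand out regardless of its hostname.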

 

PRELIMINARY MALWARE ANALYSIS

RIG EK FLASH EXPLOIT:

File name:  2016-02-07-Rig-EK-flash-exploit.swf
File size:  14.2 KB (14,495 bytes)
MD5 hash:  90f9d6152503753e797f5e136fdbb29a
SHA1 hash:  e4cf4ae7cc3ed19cc52bf1cc2304601a735fa0df
SHA256 hash:  f871786c1cc03acce099dcc06475ead477846e7fc70a1f5c3bb4e0a6786993fe
Detection ratio:  5 / 54
First submission:  2016-02-04 15:12:07 UTC
VirusTotal link:  click here

 

MALWARE PAYLOAD:

File name:  2016-02-07-Rig-EK-malware-payload.exe
File size:  468.0 KB (479,232 bytes)
MD5 hash:  b49df900e6e30636b632efd158697809
SHA1 hash:  65238b497170b921305fbdfb74101fbb6af6adc8
SHA256 hash:  fb42468405a0c490efa803ac1bdf8ea024e33d29aeda00eddeba0bf85d278b43
Detection ratio:  15 / 54
First submission:  2016-02-07 17:00:53 UTC
VirusTotal link:  click here
Malwr link:  click here
Hybrid-Analysis link:  click here

 

IMAGES


Shown above:  Injected script appended to one of the .js files from the compromised website.

 


Shown above:  main_color_handle variable returned from the gate used by this actor.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
