2016-03-31 - RIG EK FROM 188.227.74.171

PCAP AND MALWARE:
NOTES:
TRAFFIC

Image: Pcap for this blog entry's traffic filtered in Wireshark.

ASSOCIATED DOMAINS:
MALWARE AND ARTIFACTS

SHA256 hash: a3b67b732f75b137ddfb5392bcb235c21dffb687304c972c8064d6bc5fe7cbac
File name: 2016-03-31-Rig-EK-flash-exploit-after-pavtube.com.swf

SHA256 hash: 13410c3855c9cd4d3e54eb45ab4836ae8086aa03aa2f21257dd0fb9879b19dcb
File name: 2016-03-31-Rig-EK-landing-page-after-pavtube.com.txt

SHA256 hash: 7b19d411ff077a6053d3ad3edb155ab932f03932cafb4905154325168c75c221
File name: 2016-03-31-Rig-EK-payload-after-pavtube.com.exe

SHA256 hash: acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6b
File name: 2016-03-31-Rig-EK-silverlight-exploit-after-pavtube.com.xap (same hash as Kafeine already posted)

SHA256 hash: e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415
File name: binaryreader.dll (extracted DLL from Silverlight .xap archive, same hash as Kafeine already posted)

SHA256 hash: 8b5e3be0c9633269c18b98bbfae9e1401037196dbc9e33ab5499881e11d189bc
File name: 2016-03-31-pavtube.com-jquery.js.txt

SHA256 hash: 225f920a3c8e88dc2d09ed122626997d043c79f3f48ad11b4381e51f525b64a3
File name: 2016-03-31-xc.rottencouchtomatoes.com-cuqviewforummsmz.php.txt
IMAGES

Image: Start of injected script in .js file from compromised website.

Image: Rig EK sends Silverlight exploit.

FINAL NOTES

Once again, here are the associated files:

The ZIP files are password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.