2016-04-21 - RIG EK FROM 5.200.35.189 SENDS TOFSEE

ASSOCIATED FILES:

  • 2016-04-21-Rig-EK-flash-exploit.swf   (13,887 bytes)
  • 2016-04-21-Rig-EK-landing-page.txt   (4,736 bytes)
  • 2016-04-21-Rig-EK-malware-pyaload-Tofsee.exe   (208,896 bytes)
  • 2016-04-21-iframe-returned-from-tobiasdesigns.com-pointing-to-Rig-EK.txt   (332 bytes)
  • 2016-04-21-page-from-doc-italia.com-with-injected-script.txt   (5,972 bytes)
  • ppyymxkk.exe   (41,291,776 bytes) -- Dropped at C:\Users\[username]\ppyymxkk.exe


Shown above:  A flow chart depicting this infection's chain of events.


NOTES:


TRAFFIC


Shown above:  Pcap of the traffic filtered in Wireshark.


ASSOCIATED DOMAINS:


IMAGES


Shown above:  The Rig EK payload (Tofsee).



Shown above:  The 41+ MB file dropped by Tofsee (the malware copied itself and
appended a large amount of padding), along with one of the registry entries it
uses for persistence.

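
One triage check an analyst would want for the padded copy described above, as an added example and not code from the original post: given the Rig EK payload and the file Tofsee dropped, confirm that the dropped file begins with the original bytes and characterize what was appended (length, entropy, dominant byte). The sample inputs are constructed inline with a seeded RNG, and the null-byte padding is an assumption, since the post does not say what Tofsee appended; the compare_files() helper is for running the same check on the real payload and dropped copy from the ZIP.

```python
# Added example (not from the original post): triage a dropped file that is
# suspected to be the original payload plus appended padding, as described
# for the 41+ MB ppyymxkk.exe. Sample bytes below are constructed with a
# seeded RNG; the null-byte padding is an assumption, the post does not say
# what Tofsee appended.
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a run of a single value, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes shared by a and b."""
    limit = min(len(a), len(b))
    for i in range(limit):
        if a[i] != b[i]:
            return i
    return limit


def compare_padded_copy(original: bytes, dropped: bytes) -> dict:
    """Report whether `dropped` is `original` with bytes appended, and what the tail looks like."""
    shared = common_prefix_len(original, dropped)
    is_copy = shared == len(original) and len(dropped) >= len(original)
    tail = dropped[len(original):] if is_copy else b""
    top_byte, top_count = Counter(tail).most_common(1)[0] if tail else (None, 0)
    return {
        "sha256_original": hashlib.sha256(original).hexdigest(),
        "sha256_dropped": hashlib.sha256(dropped).hexdigest(),
        "is_padded_copy": is_copy,
        "shared_prefix_bytes": shared,
        "padding_bytes": len(tail),
        "padding_entropy": round(shannon_entropy(tail), 3),
        "padding_top_byte": top_byte,
        "padding_top_fraction": round(top_count / len(tail), 3) if tail else 0.0,
    }


def compare_files(original_path: str, dropped_path: str) -> dict:
    """Same check against files on disk, e.g. the EK payload and the dropped copy."""
    with open(original_path, "rb") as f_orig, open(dropped_path, "rb") as f_drop:
        return compare_padded_copy(f_orig.read(), f_drop.read())


# Constructed sample input: a 4 KB pseudo-PE blob standing in for the payload,
# a copy with 64 KB of null bytes appended, and an unrelated blob.
_rng = random.Random(2016)
SAMPLE_PAYLOAD = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4094))
PADDED_COPY = SAMPLE_PAYLOAD + b"\x00" * (64 * 1024)
UNRELATED_FILE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4094))


if __name__ == "__main__":
    for label, candidate in (("padded copy", PADDED_COPY), ("unrelated", UNRELATED_FILE)):
        result = compare_padded_copy(SAMPLE_PAYLOAD, candidate)
        print(label, {k: v for k, v in result.items() if not k.startswith("sha256")})
```

A low padding entropy with one byte value dominating the tail is the signature of a straight copy-plus-padding, which is why the two hashes differ even though the executable code is identical; a high-entropy tail would instead suggest an appended overlay, encrypted config or second payload and deserves a closer look.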

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
