2016-05-17 - RIG EK FROM 46.30.43.35 SENDS TOFSEE

ASSOCIATED FILES:

  • 2016-05-17-Rig-EK-sends-Tofsee.pcap   (298,509 bytes)
  • 2016-05-17-Rig-EK-flash-exploit.swf   (16,488 bytes)
  • 2016-05-17-Rig-EK-landing-page.txt   (4,808 bytes)
  • 2016-05-17-Rig-EK-payload-tofsee.exe   (204,800 bytes)
  • 2016-05-17-dropped-file-from-the-tofsee-payload.exe   (34,238,464 bytes)
  • 2016-05-17-khamsanphukhoa.com.vn-js-jquery-1.7.1.min.js.txt   (94,051 bytes)


NOTES:



Shown above: Chain of events for today's infection.


TRAFFIC


Shown above: Pcap of the traffic filtered in Wireshark.


ASSOCIATED DOMAINS:


IMAGES


Shown above: Injected script appended to JavaScript from the compromised website.



Shown above: Gate used by this actor pointing to Rig EK.



Shown above: Rig EK landing page.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
