2016-06-29 - EK DATA DUMP (MORE NEUTRINO EK, RIG EK)

NOTES:

ASSOCIATED FILES:

  • 2016-06-23-realstatistics-gate-Neutrino-EK-sends-Gootkit-after-nebularoficial.com.pcap   (5,322,408 bytes)
  • 2016-06-29-Rig-EK-after-gate-on-45.32.187.36.pcap   (224,181 bytes)
  • 2016-06-29-Rig-EK-after-glamgirltube.tk.pcap   (248,972 bytes)
  • 2016-06-29-afraidgate-Neutrino-EK-sends-Locky-after-marketingguerrilla.es.pcap   (389,579 bytes)
  • 2016-06-29-Rig-EK-flash-exploit-after-gate-on-45.32.187.36.swf   (24,661 bytes)
  • 2016-06-29-Rig-EK-flash-exploit-after-glamgirltube.tk.swf   (24,661 bytes)
  • 2016-06-29-Rig-EK-landing-page-after-gate-on-45.32.187.36.txt   (5,384 bytes)
  • 2016-06-29-Rig-EK-landing-page-after-glamgirltube.tk.txt   (5,348 bytes)
  • 2016-06-29-Rig-EK-payload-after-gate-on-45.32.187.36.exe   (197,120 bytes)
  • 2016-06-29-Rig-EK-payload-after-glamgirltube.tk.exe   (106,496 bytes)
  • 2016-06-29-afraidgate-Neutrino-EK-flash-exploit-after-marketingguerrilla.es.swf   (84,521 bytes)
  • 2016-06-29-afraidgate-Neutrino-EK-landing-page-after-marketingguerrilla.es.txt   (1,095 bytes)
  • 2016-06-29-afraidgate-Neutrino-EK-payload-Locky-after-marketingguerrilla.es.exe   (240,130 bytes)
  • 2016-06-29-afraidgate-redirect-from-live.keeprunning.com.br.txt   (260 bytes)
  • 2016-06-29-page-from-marketingguerrilla.es-with-injected-script-to-afraidgate-redirect.txt   (70,443 bytes)
  • 2016-06-29-page-from-nebularoficial-with-injected-script-pointing-to-realstatistics-gate.txt   (10,475 bytes)
  • 2016-06-29-realstatistics-gate-Neutrino-EK-flash-exploit-after-nebularoficial.com.swf   (88,776 bytes)
  • 2016-06-29-realstatistics-gate-Neutrino-EK-landing-page-after-nebularoficial.com.txt   (1,083 bytes)
  • 2016-06-29-realstatistics-gate-Neutrino-EK-payload-Gootkit-after-nebularoficial.com.exe   (197,120 bytes)


TRAFFIC

ASSOCIATED DOMAINS:


FILE HASHES

FLASH EXPLOITS:


MALWARE PAYLOADS:


IMAGES


Shown above: Traffic from the first pcap filtered in Wireshark (Rig EK sends possible Gootkit, no post-infection traffic in the pcap).



Shown above: Traffic from the second pcap filtered in Wireshark (Rig EK sends possible Gootkit, no post-infection traffic in the pcap).



Shown above: Traffic from the third pcap filtered in Wireshark (Afraidgate Neutrino EK sends Locky).



Shown above: Traffic from the fourth pcap filtered in Wireshark (realstatistics gate Neutrino EK sends Gootkit).



Shown above: Post-infection traffic from the fourth pcap, decoding the port 80 Gootkit traffic as SSL.



Shown above: Windows desktop after today's Locky infection.


FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password. If you don't know it, look at the "about" page of this website.
