2016-08-26 - RIG EK FROM 109.234.36.198 SENDS GRAYBIRD BACKDOOR TROJAN

ASSOCIATED FILES:

  • 2016-08-26-Rig-EK-sends-Graybird-first-run.pcap   (626,054 bytes)
  • 2016-08-26-Rig-EK-sends-Graybird-second-run.pcap   (774,743 bytes)
  • 2016-08-26-Rig-EK-sends-Graybird-third-run.pcap   (595,937 bytes)
  • 2016-08-26-Rig-EK-flash-exploit.swf   (46,058 bytes)
  • 2016-08-26-Rig-EK-landing-page-first-run.txt   (5,239 bytes)
  • 2016-08-26-Rig-EK-landing-page-second-run.txt   (5,242 bytes)
  • 2016-08-26-Rig-EK-landing-page-third-run.txt   (5,237 bytes)
  • 2016-08-26-Rig-EK-payload-Graybird.exe   (221,184 bytes)
  • 2015-10-02-analysis-of-word-doc-from-hybrid-analysis.com.pcap   (977,900 bytes)
  • 2015-10-02-dropped-graybird-malware.exe   (273,920 bytes)
  • Suspected recipient and Amount 01102015.doc   [Word document, probably from malspam]  (68,096 bytes)


NOTES ON THIS CAMPAIGN:


NOTES ON THE MALWARE PAYLOAD:



Shown above:  My tipper for this traffic at http://www.malwaredomainlist.com/mdl.php.



Shown above:  Alerts on this traffic in Security Onion using Suricata and the ET Pro ruleset.


TRAFFIC


Shown above:  Traffic from the first pcap filtered in Wireshark.



Shown above:  Traffic from the second pcap filtered in Wireshark.



Shown above:  Traffic from the third pcap filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

FLASH EXPLOIT:

PAYLOAD:


IMAGES


Shown above:  Registry entry for persistence of the Graybird backdoor Trojan (first infection).



Shown above:  Registry entry for persistence of the Graybird backdoor Trojan (second infection).



Shown above:  Registry entry for persistence of the Graybird backdoor Trojan (third infection).


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
