2016-08-26 - RIG EK FROM 178.32.92.0/24

ASSOCIATED FILES:

  • 2016-08-29-Rig-EK-first-run.pcap   (217,070 bytes)
  • 2016-08-29-Rig-EK-second-run.pcap   (267,577 bytes)
  • 2016-08-29-Rig-EK-flash-exploit.swf   (46,081 bytes)
  • 2016-08-29-Rig-EK-landing-page-first-run.txt   (3,659 bytes)
  • 2016-08-29-Rig-EK-landing-page-second-run.txt   (3,664 bytes)
  • 2016-08-29-Rig-EK-payload.exe   (188,928 bytes)

Shown above: My tipper for this traffic at http://www.malwaredomainlist.com/mdl.php.

TRAFFIC

Shown above: Traffic from the first pcap filtered in Wireshark.

Shown above: Traffic from the second pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

FLASH EXPLOIT:

PAYLOAD:

IMAGES

Shown above: The malware payload sent by this campaign's Rig EK.

Shown above: The only post-infection traffic I saw from the malware.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
