2017-01-26 - AFRAIDGATE RIG-V FROM 92.53.97.168 SENDS GODZILLA LOADER/LOCKY/SOMETHING ELSE

ASSOCIATED FILES:

  • 2017-01-26-Afraidgate-Rig-V-sends-Locky-ransomware.pcap   (737,129 bytes)
  • 2017-01-26-Afraidgate-Rig-V-1st-follow-up-download-unknown-malware.exe   (167,424 bytes)
  • 2017-01-26-Afraidgate-Rig-V-2nd-follow-up-download-Locky-ransomware.exe   (216,576 bytes)
  • 2017-01-26-Afraidgate-Rig-V-flash-exploit.swf   (19,230 bytes)
  • 2017-01-26-Afraidgate-Rig-V-landing-page.txt   (5,217 bytes)
  • 2017-01-26-Afraidgate-Rig-V-payload-Godzilla-Loader.exe   (119,296 bytes)
  • 2017-01-26-Locky-DesktopOSIRIS.bmp   (3,578,902 bytes)
  • 2017-01-26-Locky-DesktopOSIRIS.htm   (8,671 bytes)
  • 2017-01-26-misterin.pkitup.com-watch.js.txt   (522 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

BACKGROUND ON THE AFRAIDGATE CAMPAIGN:

OTHER NOTES:


Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  Afraidgate redirect URL leading to a Rig-V landing page.



Shown above:  Traffic from the pcap filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

RIG-V FLASH EXPLOIT:


RIG-V PAYLOAD (GODZILLA LOADER, SENT TWICE):


FIRST FOLLOW-UP MALWARE:


SECOND FOLLOW-UP MALWARE:


IMAGES


Shown above:  Desktop of the infected Windows host after rebooting.



Shown above:  Found another callback URL from the 1st follow-up malware by using Joe Sandbox Cloud.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
