2017-04-13 - WHAT SEEMS LIKE RIG EK SENDS POSSIBLE SMOKELOADER PAYLOAD

ASSOCIATED FILES:

  • 2017-04-13-what-seems-like-Rig-EK-1st-run.pcap   (497,511 bytes)
  • 2017-04-13-what-seems-like-Rig-EK-2nd-run.pcap   (787,133 bytes)
  • 2017-04-13-microfitsecuretest.info-swapmappppsw.js-1st-run.txt   (280 bytes)
  • 2017-04-13-microfitsecuretest.info-swapmappppsw.js-2nd-run.txt   (264 bytes)
  • 2017-04-13-what-seems-like-Rig-EK-artifact-o32.tmp-both-runs.txt   (1,141 bytes)
  • 2017-04-13-what-seems-like-Rig-EK-flash-exploit-both-runs.swf   (18,497 bytes)
  • 2017-04-13-what-seems-like-Rig-EK-landing-page-1st-run.txt   (57,903 bytes)
  • 2017-04-13-what-seems-like-Rig-EK-landing-page-2nd-run.txt   (117,797 bytes)
  • 2017-04-13-what-seems-like-Rig-EK-payload-both-runs.exe   (206,336 bytes)

NOTES:


TRAFFIC

Shown above: Injected script in page from compromised site.

Shown above: Traffic from the 1st run filtered in Wireshark.

Shown above: Traffic from the 2nd run filtered in Wireshark.

ASSOCIATED DOMAINS:


FILE HASHES

MALWARE FROM THE INFECTED HOST:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
