2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-04-25-Good-Man-campaign-Rig-EK-sends-Latentbot.pcap.zip   1.1 MB (1,074,308 bytes)

• 2017-04-25-Good-Man-campaign-Rig-EK-sends-Latentbot.pcap   (1,145,861 bytes)

• Z2017-04-25-Good-Man-campaign-Rig-EK-and-Latentbot-malware-and-artifacts.zip   319.6 kB (319,550 bytes)

• 2017-04-25-Goodma-campaign-Rig-EK-payload-Latentbot.exe   (312,832 bytes)
• 2017-04-25-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-04-25-Rig-EK-flash-exploit.swf   (16,428 bytes)
• 2017-04-25-Rig-EK-landing-page.txt   (117,853 bytes)
• 2017-04-25-page-from-hurtmehard_net-with-injected-script-for-Rig-EK-landing-page.txt   (54,882 bytes)

 

BACKGROUND ON THE "GOOD MAN" CAMPAIGN:

• "Good Man" domains used as gates in this campaign all have a registrant email of: goodmandilaltain@gmail[.]com
• Hurtmehard[.]net is one of the "Good Man" domains.
• Background on this campaign was posted on 2017-03-10 on the Malware Breakdown site in an article titled "Finding A 'Good Man'" (Internet Archive link).

 

BACKGROUND ON LATENTBOT:

• Although post-infection traffic triggers alerts for the GrayBird Trojan on the EmergingThreats ruleset, more recent variants have been dubbed "Latentbot."
• FireEye published an analysis of Latentbot named "LATENTBOT: Trace Me If You Can."

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in a page from the "Good Man" domain.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• hurtmehard[.]net - "Good Man" gate
• 188.225.72[.]88 port 80 - end.chaggama[.]com - Rig EK
• 37.72.175[.]221 port 80 - 37.72.175[.]221 - Latentbot post-infection traffic

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  9d56d491f0fca9a16daeb0ce5ef6ba96206fea93b5b12f42c442aa10a0d487ea
  File size:  16,428 bytes
  File description:  Rig EK flash exploit seen on 2017-04-25

PAYLOAD (LATENTBOT):

• SHA256 hash:  092fd4caf46ec36e07fdc9c8b156ce05cda0fb2abd7c49ba8dddfe8ac6cdbb67
  File size:  312,832 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[various alphanumeric characters].exe
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\mxcyvqu.exe

 

IMAGES

Shown above:  Latentbot malware made persistent on the infected Windows host.

 

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

Shown above:  Some alerts after reading the pcap with Snort 2.9.9.0 on Debian 7 using the Snort Subscription ruleset.

 

Click here to return to the main page.